Fixes #1193: deprecated JWT decode.

[jensens]

• verify as kwarg of decode was already deprecated in PyJWT and was removed in 2.0. Uses now options style to pass this on.
• encode returns a str (Py3!) which can not be decoded again.
• Update to use and require PyJWT 2.1.0.

Note:
After merge, buildout.coredev needs to be updated.
I prepared an separate PR for this: plone/buildout.coredev#735
This is difficult to test with our current Jenkins setup.

[mister-roboto]

@jensens thanks for creating this Pull Request and help improve Plone!

To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass.

Whenever you feel that the pull request is ready to be tested, either start all jenkins jobs pull requests by yourself, or simply add a comment in this pull request stating:

@jenkins-plone-org please run jobs

With this simple comment all the jobs will be started automatically.

Happy hacking!

[wesleybl]

I would put a comment here to remove this pin after release Plone version with coredev PR.

[jensens]

It is needed for Plone 5.2 - which is still supported with Py3 here at master.

[wesleybl]

You won't update the version in the 5.2 branch of coredev? At least for Python 3?

[jensens]

Well, with conditional version sections this would be technically possible.

Since the 8.x series is not part of the release of Plone 5.2 (see https://github.com/plone/buildout.coredev/blob/5.2/versions.cfg#L197 and https://github.com/plone/buildout.coredev/blob/5.2/sources.cfg#L118, it uses the 7.x) I do not think this is possible.

We could add a note to the README which versions/ preconditions are needed for use of the 8 series in Plone 5.2.

[wesleybl]

Anyway, it's weird to say that version 8.x is compatible with Plone 5.2 and it will not be tested on coredev. If any unreleased changes in any package, break the version 8.x, we won't know about it until the Plone version is released.

[tisto]

@jensens @mauritsvanrees I am wondering if we should defer this to the next major release of plone.restapi (9.x). Once plone.volto has seen a first release, we will need to move some things around (e.g. the block behavior needs to move from restapi to plone.volto). The plan is to have stuff ready for the conference, so it won't take so long. What do you think?

[mauritsvanrees]

It looks like the new code from this PR also works with the old PyJWT. At least the tests pass.
So I think we can include this code even in 7.x.x. Just don't touch setup.py.
On PY3, token.decode("utf-8") should still be done, but only if the token is bytes, which PyJWT 1.7.1 gives us.

So that is one option: be a bit smarter in the code so we can support both versions of PyJWT.

Other option is to only merge the current PR when plone.restapi master only targets PY 3, which seems to be what Timo is saying.

I don't really mind either way.

[tisto]

@jensens is there a way we can support both PyJWT versions as @mauritsvanrees suggests?

[mauritsvanrees]

This would still be good to have, fixing a minor pain point and getting rid of an old dependency version.
But this seems like the kind of change we could do in a Plone 6.0 beta.

[jensens]

I rebased the branch.

[tisto]

@jenkins-plone-org please run jobs

[jensens]

@jenkins-plone-org please run jobs

[jensens]

@jenkins-plone-org please run jobs

[jensens]

@jenkins-plone-org please run jobs

[jensens]

Jenkins will always fail here. There no easy way to test a branch on buildout.coredev together with branch on a package. Except on an own branch of the branch of buildout.coredev - I did this here plone/buildout.coredev#737

[jensens]

Except on an own branch of the branch of buildout.coredev

Nope, won't work as well.

[jensens]

Summary:

• all done
• this works only with newer PyJWT
  • without Python 2 support
  • but then also in Plone 5.2
• tests are failing as unless buildout.coredev PyJWT pin is upgraded, it pins the old version.

[mauritsvanrees]

For me, it would be fine to let plone.restapi master use latest pyjwt, as the branch is already for Python 3 only. New minor version. Maybe new major version, but for me it would not be needed.

You changed the versions.cfg here to pin pyjwt = 2.1.0, but this file is currently not used. Maybe base.cfg should extend it. @tisto may know how this is intended.

[tisto]

@jensens Python 3.9 is not officially supported or tested with plone.restapi yet: https://github.com/plone/plone.restapi/blob/master/.github/workflows/tests.yml#L9

[mauritsvanrees]

It is tested in coredev.

[jensens]

Yes, Python 3.9 must work for Plone 6, so running tests with it here is important. I added issue #1345 to not forget about it.

[mauritsvanrees]

Green now.
(Except plone-coredev 6, which can only pass when we update the PyJWT pin there, which we can only do after we merge this PR. Chicken versus egg.)

[mauritsvanrees]

I am tired of waiting on someone to either approve and merge this, or say what needs to change.
So I have made a new PR #1377. It takes the main change of the current PR, but makes it conditional: the code works on both PyJWT version 1 and 2. That change should be easier to make a decision on and merge soon, instead of being in limbo since August.
The cost is an extra dependency (importlib-metadata) on Python 3.7 and lower, but this is likely already pulled in by other packages, and it is already pinned by Plone 5.2 and 6.0. (I could have used pkg_resources, but that is apparently deprecated for this use case.)

[jensens]

solved with bbb #1377