Edx-drf-extensions

Latest version: v10.5.0


8.9.2
--------------------

Fixed
~~~~~
* Fixed an exceptional case where ``JwtAuthentication`` should not CSRF-protect a request that carries both a JWT in the ``Authorization`` header and a JWT cookie, since the cookie is ignored in that case.

Changed
~~~~~~~
* Updated one of the values of the custom attribute ``jwt_auth_result`` from ``'skipped'`` to ``'n/a'``.

8.9.1
--------------------

Removed
~~~~~~~

* Removed unused direct dependency on ``six``.
* Removed unused direct dependency on ``python-dateutil``.


Fixed
~~~~~
* Fixed a Django 4.0 middleware deprecation warning.

8.9.0
--------------------

Added
~~~~~

* Added capability to forgive JWT cookie authentication failures as a replacement for the now deprecated ``USE-JWT-COOKIE`` header. See DEPR https://github.com/openedx/edx-drf-extensions/issues/371.
* For now, this capability must be enabled using the ``ENABLE_FORGIVING_JWT_COOKIES`` toggle.
* Added temporary custom attributes ``is_forgiving_jwt_cookies_enabled`` and ``use_jwt_cookie_requested`` to help with this deprecation.
* Added custom attributes ``has_jwt_cookie`` and ``jwt_auth_result`` for JWT authentication observability.

Changed
~~~~~~~

* Two features that were gated on the presence of the ``USE-JWT-COOKIE`` header will now be gated on the presence of a JWT cookie instead, regardless of the state of the new ``ENABLE_FORGIVING_JWT_COOKIES`` toggle. The new behavior should be nearly equivalent in most cases, and should cause no issues in the exceptional cases. The two features include CSRF protection for JWT cookies, and the setting of the request user when ``ENABLE_SET_REQUEST_USER_FOR_JWT_COOKIE`` is enabled.

8.8.0
--------------------

Removed
~~~~~~~

* Removed dependency on ``pyjwkest``. Uses existing PyJWT dependency instead.

**Warning:** This change makes edx-drf-extensions stricter about unexpected whitespace inside Base64-encoded keys. For example, the following JSON is hard-wrapped inside a YAML single-quoted string, and edx-drf-extensions will fail to load it starting with version 8.8.0::

    JWT_PUBLIC_SIGNING_JWK_SET: '{
      "keys": [
        {
          "e": "AQAB",
          "kid": "prod-key-001",
          "kty": "RSA",
          "n": "VGhpcyBpcyBqdXN0IHNvbWUgZGVtb25zdHJhd
                GlvbiB0ZXh0IHJhdGhlciB0aGFuIGFjdHVhbCBrZ
                XkgbWF0ZXJpYWwuICAK"
        }
      ]
    }'

Newlines are ignored within Base64, but they are illegal inside JSON strings. Because the value is single-quoted, the YAML parser folds each newline into a single space, so the resulting JSON contains a modulus (``n``) value with two spaces breaking up the Base64, and spaces are not allowed in Base64 either. Due to interactions between various Base64 parsers, URL-safe encoding, and how padding is handled by the Python ``base64`` standard library, this value is read as intended by pyjwkest but not by PyJWT. This is not a bug, just a difference in how malformed inputs are handled.

The safe way to encode this JSON is without hard wrapping::

    JWT_PUBLIC_SIGNING_JWK_SET: |
      {
        "keys": [
          {
            "e": "AQAB",
            "kid": "prod-key-001",
            "kty": "RSA",
            "n": "VGhpcyBpcyBqdXN0IHNvbWUgZGVtb25zdHJhdGlvbiB0ZXh0IHJhdGhlciB0aGFuIGFjdHVhbCBrZXkgbWF0ZXJpYWwuICAK"
          }
        ]
      }

Before upgrading to version 8.8.0, ensure your keys are properly encoded with no whitespace of any sort inside of runs of Base64.
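The script below is an added example, not code from edx-drf-extensions or from either JWT library. It reproduces the folding the single-quoted YAML form performs on the modulus above (the key material is the changelog's own demonstration string, not a real key) and provides a pre-upgrade check, ``check_jwk_set``, that rejects any JWK member containing characters outside the Base64url alphabet. The ``lenient_b64url_decode`` helper is an illustration of the forgiving behaviour the text describes, written here for contrast; it is an assumption about that behaviour, not pyjwkest's code.

```python
import base64
import binascii
import json
import re

# Constructed sample: the three hard-wrapped lines of the modulus from the
# changelog example. Joined with "" they give the block-scalar (|) form;
# joined with " " they give what a single-quoted YAML scalar folds them into.
N_LINES = (
    "VGhpcyBpcyBqdXN0IHNvbWUgZGVtb25zdHJhd",
    "GlvbiB0ZXh0IHJhdGhlciB0aGFuIGFjdHVhbCBrZ",
    "XkgbWF0ZXJpYWwuICAK",
)
N_CLEAN = "".join(N_LINES)
N_FOLDED = " ".join(N_LINES)

B64URL_ALPHABET = re.compile(r"[A-Za-z0-9_-]+")
# JWK members that carry Base64url-encoded data (RFC 7518 parameter names).
JWK_B64_FIELDS = ("n", "e", "d", "p", "q", "dp", "dq", "qi", "x", "y", "k")


def _pad(value):
    """JWK values are unpadded; restore '=' padding to a multiple of four."""
    return value + "=" * (-len(value) % 4)


def strict_b64url_decode(value):
    """Decode a JWK Base64url value, rejecting anything outside the alphabet."""
    if not B64URL_ALPHABET.fullmatch(value):
        raise ValueError("character outside the Base64url alphabet (whitespace?)")
    std = value.translate(str.maketrans("-_", "+/"))
    return base64.b64decode(_pad(std), validate=True)


def lenient_b64url_decode(value):
    """Forgiving decoder (assumed behaviour, for contrast only): strips whitespace
    before decoding, so the folded modulus still decodes to the intended bytes."""
    cleaned = re.sub(r"\s+", "", value)
    std = cleaned.translate(str.maketrans("-_", "+/"))
    return base64.b64decode(_pad(std))


def check_jwk_set(jwk_set_json):
    """Return a list of problems; an empty list means every key is strictly encoded."""
    problems = []
    for idx, key in enumerate(json.loads(jwk_set_json).get("keys", [])):
        kid = key.get("kid", f"key#{idx}")
        for field in JWK_B64_FIELDS:
            if field not in key:
                continue
            try:
                strict_b64url_decode(key[field])
            except (ValueError, binascii.Error) as exc:
                problems.append(f"{kid}.{field}: {exc}")
    return problems


def _jwk_set(modulus):
    """Constructed JWK set mirroring the changelog example, with the given modulus."""
    return json.dumps(
        {"keys": [{"e": "AQAB", "kid": "prod-key-001", "kty": "RSA", "n": modulus}]}
    )


JWK_SET_CLEAN = _jwk_set(N_CLEAN)    # what the block-scalar form produces
JWK_SET_FOLDED = _jwk_set(N_FOLDED)  # what the single-quoted form produces

if __name__ == "__main__":
    for label, jwk_set in (("block scalar", JWK_SET_CLEAN), ("single-quoted", JWK_SET_FOLDED)):
        print(f"{label}: {check_jwk_set(jwk_set) or 'OK'}")
    # The lenient decoder hides the problem: both forms yield the same bytes.
    print(lenient_b64url_decode(N_FOLDED) == strict_b64url_decode(N_CLEAN))
```

Run ``check_jwk_set`` on the JSON string your settings actually load (after YAML parsing, not on the YAML source) before upgrading; the folded form is reported against ``prod-key-001.n`` while the block-scalar form passes, even though a whitespace-stripping decoder would have produced identical bytes for both.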

8.7.0
--------------------

Added
~~~~~

* Added ``edx_drf_extensions_version`` to help with rollout of changes in this library across services.

Removed
~~~~~~~

* Removed exception case for ``InvalidTokenError`` that was never invoked.

8.6.0
--------------------

Added
~~~~~

* Added ``jwt_auth_check_symmetric_key``, ``jwt_auth_asymmetric_verified``, ``jwt_auth_symmetric_verified``, and ``jwt_auth_verification_failed`` custom attributes to aid in deprecation and removal of symmetric keys.
* Added ``jwt_auth_issuer`` and ``jwt_auth_issuer_verification`` custom attributes.

Changed
~~~~~~~

* Changed ``jwt_auth_verify_keys_count`` custom attribute to aid in key rotations, to instead be ``jwt_auth_verify_asymmetric_keys_count`` and ``jwt_auth_verify_all_keys_count``. The latter count is only used in the case that the token can't be verified with the asymmetric keys alone.
