feat!: allow enabling jwt auth using cubicweb.includes pyramid option

disabled by default, marked as experimental

README.rst

@@ -95,6 +95,13 @@
 Include ``cubicweb_api.auth.routes`` to enable the login and logout routes.
 These routes will use whatever authentication policy is enabled in cubicweb.
 
+``cubicweb.includes = cubicweb_api.auth.jwt``
+'''''''''''''''''''''''''''''''''''''''''''''
+
+Include ``cubicweb_api.auth.jwt`` to enable the JWT cookie authentication policy.
+
+**⚠️ This feature is experimental, do not use in production**
+
 Available Routes
 ----------------
 

cubicweb_api/auth/jwt_auth.py → cubicweb_api/auth/jwt.py

 # Copyright 2015, Wichert Akkerman <wichert@wiggy.net>
-# Copyright 2022 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+# Copyright 2024 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -86,7 +86,8 @@
         return {}
 
 
-def setup_jwt(config: Configurator):
+def includeme(config: Configurator):
+    log.warning("Using experimental JWT authentication. Do not use in production.")
     try:
         policy = create_jwt_policy(
             config, custom_paths={"private_key": "cubicweb.auth.authtkt.session.secret"}

cubicweb_api/auth/routes.py

@@ -20,7 +20,6 @@
 from pyramid.security import remember, forget
 from pyramid.config import Configurator
 
-from cubicweb_api.auth.jwt_auth import setup_jwt
 from cubicweb_api.routes import ApiRoutes, get_route_name, VIEW_DEFAULTS
 from cubicweb_api.util import get_cw_repo
 
@@ -60,8 +59,6 @@
 
 
 def includeme(config: Configurator):
-    setup_jwt(config)
-
     add_view = partial(config.add_view, **VIEW_DEFAULTS)
 
     add_view(

test/test_auth_jwt.py

+# copyright 2024 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+# contact https://www.logilab.fr -- mailto:contact@logilab.fr
+#
+# This program is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Lesser General Public License as published by the Free
+# Software Foundation, either version 2.1 of the License, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+from test.util import ApiBaseTC
+
+
+class AuthJWTDisabledTC(ApiBaseTC):
+    def test_JWT_disabled_default(self):
+        self.login_request()
+
+        jwt_present = False
+        for cookie in self.webapp.cookiejar:
+            if cookie.name == "CW_JWT":
+                jwt_present = True
+
+        self.assertFalse(jwt_present)
+
+
+class AuthJWTEnabledTC(ApiBaseTC):
+    settings = {
+        **ApiBaseTC.settings,
+        "cubicweb.auth.authtkt.session.secret": "test",
+    }
+
+    def includeme(self, config):
+        config.include("cubicweb.pyramid.auth")
+        config.include("cubicweb.pyramid.session")
+        config.include("cubicweb_api.auth.routes")
+        config.include("cubicweb_api.auth.jwt")
+
+    def test_JWT_enabled(self):
+        self.login_request()
+
+        jwt_present = False
+        for cookie in self.webapp.cookiejar:
+            if cookie.name == "CW_JWT":
+                jwt_present = True
+
+        self.assertTrue(jwt_present)

test/util.py

@@ -16,10 +16,6 @@
 
 
 class ApiBaseTC(PyramidCWTest):
-    settings = {
-        **PyramidCWTest.settings,
-        "cubicweb.auth.authtkt.session.secret": "test",
-    }
     custom_headers = {"X-Client-Name": "Pytest"}
 
     def includeme(self, config):