chore(refactor): python-jose is removed from project.optional-dependency.

[Squidtyper]

in security, the tokens' encode and decode now uses pyjwt.

Description

Closes

[provinzkraut]

Thanks @Squidtyper, this is a welcome change!
Am I correct to assume this is motivated by the maintenance status of python-jose?

[Squidtyper]

Yes. We are eliminating the use of python-jose in our own code and we think litestar is better off with pyjwt as well. It's my first time contributing. I see there are some errors.

[cofin]

before merging this, I would like to evaluate this library instead of pyjwt. Both python-jose and pyjwt have gone through periods of inactivity in their history.

[sherbang]

before merging this, I would like to evaluate this library instead of pyjwt. Both python-jose and pyjwt have gone through periods of inactivity in their history.

joserfc and the authlib project as a whole are certainly interesting, but it seems to me that pyjwt is the better option right now.

We can start with Snyk Advisor scores of 79 for joserfc vs 91 for pyjwt which also shows more consistent commit activity for the last 2 years for pyjwt.

Pyjwt is simply a much more popular package right now, which suggests it's more likely to have some longevity, it has far more contributors, and thus far more eyes on it for future security issues.

The authlib project is interesting, in that they've built a small company around the auth code they've built, but looking at the activity graph of their github suggests that they haven't been very active in this for a while, so it may be a dying effort.

However, either of these packages would be an improvement over python-jose, which has unresolved security issues. I suggest that the priority now should be removing python-jose, and not delaying over considering which replacement library is marginally better.

Ref: jpadilla/pyjwt#942

[provinzkraut]

joserfc and the authlib project as a whole are certainly interesting, but it seems to me that pyjwt is the better option right now.

I agree. pyjwt is the de-facto standard and does everything we need here. It being the most popular JWT library also has the benefit that if users are doing something else with JWTs outside what Litestar provides, it's most likely this is the library they'll be using.

[cofin]

However, either of these packages would be an improvement over python-jose, which has unresolved security issues. I suggest that the priority now should be removing python-jose, and not delaying over considering which replacement library is marginally better.

Agree with this.

So that we don't get bogged down without a fix, I'm inclined to go with this change. It can be revisited should there be a need.