Skip to content

Authentication

Authentication primitives for JWT tokens and encryption.

Overview

The auth module provides core authentication functionality that can be used by any service in the Imbi ecosystem:

  • JWT Tokens: Access and refresh token creation/verification
  • Token Encryption: Fernet encryption for sensitive data at rest

JWT Tokens

from imbi_common.auth import core

# Create an access token
access_token = core.create_access_token(
    subject="user@example.com",
    extra_claims={"role": "admin"}
)

# Create a refresh token
refresh_token = core.create_refresh_token(
    subject="user@example.com"
)

# Verify and decode a token
try:
    payload = core.verify_token(access_token)
    user_id = payload["sub"]
    role = payload.get("role")
except Exception as e:
    print(f"Invalid token: {e}")

Token Encryption

from imbi_common.auth import encryption

# Encrypt sensitive data (e.g., OAuth tokens)
encrypted = encryption.encrypt_token("sensitive_oauth_token")

# Decrypt
decrypted = encryption.decrypt_token(encrypted)

API Reference

Core Functions

create_access_token 

create_access_token(
    subject: str,
    extra_claims: dict[str, Any] | None = None,
    auth_settings: Auth | None = None,
) -> str

Create JWT access token.

Parameters:

Name Type Description Default
subject str

Subject (user identifier) to encode in token

 required
extra_claims dict[str, Any] | None

Optional additional claims to include

 None
auth_settings Auth | None

Optional auth settings for JWT configuration (uses singleton if not provided)

 None

Returns:

Type Description
str

JWT token string
Source code in src/imbi_common/auth/core.py 
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
def create_access_token(
    subject: str,
    extra_claims: dict[str, typing.Any] | None = None,
    auth_settings: settings.Auth | None = None,
) -> str:
    """Create JWT access token.

    Args:
        subject: Subject (user identifier) to encode in token
        extra_claims: Optional additional claims to include
        auth_settings: Optional auth settings for JWT configuration
            (uses singleton if not provided)

    Returns:
        JWT token string

    """
    if auth_settings is None:
        auth_settings = settings.get_auth_settings()

    jti = secrets.token_urlsafe(16)
    now = datetime.datetime.now(datetime.UTC)
    expires = now + datetime.timedelta(
        seconds=auth_settings.access_token_expire_seconds
    )

    claims = {
        'sub': subject,
        'jti': jti,
        'type': 'access',
        'iat': now,
        'exp': expires,
        **(extra_claims or {}),
    }

    token: str = jwt.encode(
        claims, auth_settings.jwt_secret, algorithm=auth_settings.jwt_algorithm
    )
    return token

create_refresh_token 

create_refresh_token(
    subject: str,
    extra_claims: dict[str, Any] | None = None,
    auth_settings: Auth | None = None,
) -> str

Create JWT refresh token.

Parameters:

Name Type Description Default
subject str

Subject (user identifier) to encode in token

 required
extra_claims dict[str, Any] | None

Optional additional claims to include

 None
auth_settings Auth | None

Optional auth settings for JWT configuration (uses singleton if not provided)

 None

Returns:

Type Description
str

JWT token string
Source code in src/imbi_common/auth/core.py 
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
def create_refresh_token(
    subject: str,
    extra_claims: dict[str, typing.Any] | None = None,
    auth_settings: settings.Auth | None = None,
) -> str:
    """Create JWT refresh token.

    Args:
        subject: Subject (user identifier) to encode in token
        extra_claims: Optional additional claims to include
        auth_settings: Optional auth settings for JWT configuration
            (uses singleton if not provided)

    Returns:
        JWT token string

    """
    if auth_settings is None:
        auth_settings = settings.get_auth_settings()

    jti = secrets.token_urlsafe(16)
    now = datetime.datetime.now(datetime.UTC)
    expires = now + datetime.timedelta(
        seconds=auth_settings.refresh_token_expire_seconds
    )

    claims = {
        'sub': subject,
        'jti': jti,
        'type': 'refresh',
        'iat': now,
        'exp': expires,
        **(extra_claims or {}),
    }

    token: str = jwt.encode(
        claims, auth_settings.jwt_secret, algorithm=auth_settings.jwt_algorithm
    )
    return token

verify_token 

verify_token(
    token: str, auth_settings: Auth | None = None
) -> dict[str, typing.Any]

Decode and validate JWT token.

Parameters:

Name Type Description Default
token str

JWT token string to decode

 required
auth_settings Auth | None

Optional auth settings for JWT configuration (uses singleton if not provided)

 None

Returns:

Type Description
dict[str, Any]

Decoded token claims

Raises:

Type Description
ExpiredSignatureError

If token has expired
InvalidTokenError

If token is invalid
Source code in src/imbi_common/auth/core.py 
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
def verify_token(
    token: str, auth_settings: settings.Auth | None = None
) -> dict[str, typing.Any]:
    """Decode and validate JWT token.

    Args:
        token: JWT token string to decode
        auth_settings: Optional auth settings for JWT configuration
            (uses singleton if not provided)

    Returns:
        Decoded token claims

    Raises:
        jwt.ExpiredSignatureError: If token has expired
        jwt.InvalidTokenError: If token is invalid

    """
    if auth_settings is None:
        auth_settings = settings.get_auth_settings()

    decoded: dict[str, typing.Any] = jwt.decode(
        token,
        auth_settings.jwt_secret,
        algorithms=[auth_settings.jwt_algorithm],
        options={'require': ['sub', 'jti', 'type', 'exp']},
    )
    return decoded

Encryption Functions

TokenEncryption 

TokenEncryption(encryption_key: str)

Handles encryption/decryption of sensitive tokens using Fernet.

This class follows the singleton pattern to ensure a single encryption instance is used throughout the application lifecycle.

Example

encryptor = TokenEncryption.get_instance() encrypted = encryptor.encrypt('my-secret-token') decrypted = encryptor.decrypt(encrypted) assert decrypted == 'my-secret-token'

Initialize with base64-encoded Fernet key.

Parameters:

Name Type Description Default
encryption_key str

Base64-encoded Fernet encryption key

 required

Raises:

Type Description
ValueError

If encryption key format is invalid
Source code in src/imbi_common/auth/encryption.py 
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
def __init__(self, encryption_key: str) -> None:
    """Initialize with base64-encoded Fernet key.

    Args:
        encryption_key: Base64-encoded Fernet encryption key

    Raises:
        ValueError: If encryption key format is invalid
    """
    try:
        key_bytes = encryption_key.encode('ascii')
        self._fernet = fernet.Fernet(key_bytes)
    except Exception as err:
        LOGGER.error('Invalid encryption key format: %s', err)
        raise ValueError('Invalid encryption key') from err

decrypt 

decrypt(ciphertext: str | None) -> str | None

Decrypt a token string.

Parameters:

Name Type Description Default
ciphertext str | None

Base64-encoded encrypted token, or None

 required

Returns:

Type Description
str | None

Decrypted plaintext token, or None if input is None or decryption fails
Note

Returns None instead of raising exception on decryption failure to handle corrupted/invalid ciphertext gracefully. Handles both new format (Fernet base64) and legacy format (double base64 encoding) for backward compatibility.

Source code in src/imbi_common/auth/encryption.py 
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
def decrypt(self, ciphertext: str | None) -> str | None:
    """Decrypt a token string.

    Args:
        ciphertext: Base64-encoded encrypted token, or None

    Returns:
        Decrypted plaintext token, or None if input is None
            or decryption fails

    Note:
        Returns None instead of raising exception on decryption failure
        to handle corrupted/invalid ciphertext gracefully.
        Handles both new format (Fernet base64) and legacy format
        (double base64 encoding) for backward compatibility.
    """
    if ciphertext is None:
        return None

    try:
        # Try new format first (Fernet base64 only)
        encrypted_bytes = ciphertext.encode('ascii')
        plaintext_bytes: bytes = self._fernet.decrypt(encrypted_bytes)
        return plaintext_bytes.decode('utf-8')
    except fernet.InvalidToken:
        # Try legacy format (double base64 encoding)
        try:
            encrypted_bytes = base64.urlsafe_b64decode(
                ciphertext.encode('ascii')
            )
            plaintext_bytes = self._fernet.decrypt(encrypted_bytes)
            return plaintext_bytes.decode('utf-8')
        except (
            fernet.InvalidToken,
            binascii.Error,
            ValueError,
            UnicodeDecodeError,
        ):
            # All decryption attempts failed - invalid or corrupted
            LOGGER.warning(
                'Failed to decrypt token - invalid or corrupted ciphertext'
            )
            return None
    except (binascii.Error, ValueError, UnicodeDecodeError):
        # Handle decryption errors (base64 decode, unicode errors)
        LOGGER.warning(
            'Failed to decrypt token - invalid or corrupted ciphertext'
        )
        return None

encrypt 

encrypt(plaintext: str | None) -> str | None

Encrypt a token string.

Parameters:

Name Type Description Default
plaintext str | None

Token string to encrypt, or None

 required

Returns:

Type Description
str | None

Base64-encoded encrypted token, or None if input is None

Raises:

Type Description
Exception

If encryption fails
Source code in src/imbi_common/auth/encryption.py 
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
def encrypt(self, plaintext: str | None) -> str | None:
    """Encrypt a token string.

    Args:
        plaintext: Token string to encrypt, or None

    Returns:
        Base64-encoded encrypted token, or None if input is None

    Raises:
        Exception: If encryption fails
    """
    if plaintext is None:
        return None

    try:
        encrypted_bytes: bytes = self._fernet.encrypt(
            plaintext.encode('utf-8')
        )
        # Fernet already returns base64-encoded bytes, just decode to str
        return encrypted_bytes.decode('ascii')
    except Exception as err:
        LOGGER.exception('Encryption failed: %s', err)
        raise

get_instance classmethod 

get_instance() -> TokenEncryption

Get singleton instance of TokenEncryption.

Returns:

Name Type Description
TokenEncryption TokenEncryption

The singleton instance

Raises:

Type Description
RuntimeError

If encryption key not configured in settings
Source code in src/imbi_common/auth/encryption.py 
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
@classmethod
def get_instance(cls) -> 'TokenEncryption':
    """Get singleton instance of TokenEncryption.

    Returns:
        TokenEncryption: The singleton instance

    Raises:
        RuntimeError: If encryption key not configured in settings
    """
    if cls._instance is None:
        auth_settings = settings.get_auth_settings()
        if not auth_settings.encryption_key:
            raise RuntimeError('Encryption key not configured')
        cls._instance = cls(auth_settings.encryption_key)
    return cls._instance

reset_instance classmethod 

reset_instance() -> None

Reset singleton instance (for testing).

This method is primarily used in test suites to reset the singleton state between tests.

Source code in src/imbi_common/auth/encryption.py 
72
73
74
75
76
77
78
79
@classmethod
def reset_instance(cls) -> None:
    """Reset singleton instance (for testing).

    This method is primarily used in test suites to reset the singleton
    state between tests.
    """
    cls._instance = None

get_fernet 

get_fernet(
    auth_settings: Auth | None = None,
) -> fernet.Fernet

Get Fernet instance for encryption/decryption.

Parameters:

Name Type Description Default
auth_settings Auth | None

Optional auth settings (uses singleton if not provided)

 None

Returns:

Type Description
Fernet

Fernet instance configured with encryption key
Source code in src/imbi_common/auth/encryption.py 
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
def get_fernet(auth_settings: settings.Auth | None = None) -> fernet.Fernet:
    """Get Fernet instance for encryption/decryption.

    Args:
        auth_settings: Optional auth settings (uses singleton if not provided)

    Returns:
        Fernet instance configured with encryption key

    """
    if auth_settings is None:
        auth_settings = settings.get_auth_settings()

    if not auth_settings.encryption_key:
        # This should not happen since Auth now auto-generates encryption_key
        auth_settings.encryption_key = fernet.Fernet.generate_key().decode(
            'ascii'
        )

    return fernet.Fernet(auth_settings.encryption_key.encode('ascii'))

encrypt_token 

encrypt_token(
    plaintext: str, auth_settings: Auth | None = None
) -> str

Encrypt a token string.

Parameters:

Name Type Description Default
plaintext str

Token string to encrypt

 required
auth_settings Auth | None

Optional auth settings (creates default if not provided)

 None

Returns:

Type Description
str

Base64-encoded encrypted token
Source code in src/imbi_common/auth/encryption.py 
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
def encrypt_token(
    plaintext: str, auth_settings: settings.Auth | None = None
) -> str:
    """Encrypt a token string.

    Args:
        plaintext: Token string to encrypt
        auth_settings: Optional auth settings (creates default if not provided)

    Returns:
        Base64-encoded encrypted token

    """
    f = get_fernet(auth_settings)
    encrypted_bytes: bytes = f.encrypt(plaintext.encode('utf-8'))
    return encrypted_bytes.decode('ascii')

decrypt_token 

decrypt_token(
    ciphertext: str, auth_settings: Auth | None = None
) -> str

Decrypt a token string.

Parameters:

Name Type Description Default
ciphertext str

Base64-encoded encrypted token

 required
auth_settings Auth | None

Optional auth settings (creates default if not provided)

 None

Returns:

Type Description
str

Decrypted plaintext token

Raises:

Type Description
Exception

If decryption fails
Source code in src/imbi_common/auth/encryption.py 
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
def decrypt_token(
    ciphertext: str, auth_settings: settings.Auth | None = None
) -> str:
    """Decrypt a token string.

    Args:
        ciphertext: Base64-encoded encrypted token
        auth_settings: Optional auth settings (creates default if not provided)

    Returns:
        Decrypted plaintext token

    Raises:
        Exception: If decryption fails

    """
    f = get_fernet(auth_settings)
    plaintext_bytes: bytes = f.decrypt(ciphertext.encode('ascii'))
    return plaintext_bytes.decode('utf-8')