minor tweaks (#46)

carl-alexander-adams · web-flow · commit 84c498f3d282 · 2025-10-05T16:05:12.000-07:00
* cherry-picking some small incidental changes from a larger feature branch to front-run the main MR.

* more details test assertions for token validator

* flake fixes

* test util improvements

* minor code de-dupe in utils

* fix typo
diff --git a/.gitignore b/.gitignore
@@ -16,4 +16,5 @@ site
 *.venv
 venv*
 version-with-buildnum.txt
+.vscode
 __pycache__
diff --git a/pyproject.toml b/pyproject.toml
@@ -106,6 +106,7 @@ build-backend = "setuptools.build_meta"
 source = [
     "planet_auth",
     "planet_auth_utils",
+    "planet_auth_config_injection",
     # "tests",
 ]
 branch = true
diff --git a/src/planet_auth/oidc/multi_validator.py b/src/planet_auth/oidc/multi_validator.py
@@ -286,7 +286,7 @@ def validate_access_token(
         """
 
         if not token:
-            raise InvalidArgumentException(message="Cannot validate empty string as a token")
+            raise InvalidArgumentException(message="Cannot decode empty string as a token")
 
         validator = self._select_validator(token)
         local_validation, remote_validation = self._check_access_token(
diff --git a/src/planet_auth/oidc/token_validator.py b/src/planet_auth/oidc/token_validator.py
@@ -14,7 +14,7 @@
 
 import jwt
 import time
-from typing import Dict, List
+from typing import Any, Dict, List, Tuple
 
 import planet_auth.logging.auth_logger
 from planet_auth.auth_exception import AuthException, InvalidTokenException
@@ -181,7 +181,7 @@ def validate_token(
         """
         # PyJWT should enforce this, but we have unit tests in case...
         if not token_str:
-            raise InvalidArgumentException(message="Cannot validate empty string as a token")
+            raise InvalidArgumentException(message="Cannot decode empty string as a token")
         if not issuer:
             # PyJWT does not seem to raise if the issuer is explicitly None, even when
             # verify_iss was selected.
@@ -257,9 +257,18 @@ def validate_token(
         return validated_claims
 
     @staticmethod
-    def hazmat_unverified_decode(token_str):
-        # WARNING: Treat unverified token claims like toxic waste.
-        #          Nothing can be trusted until the token is verified.
+    @InvalidArgumentException.recast(jwt.exceptions.DecodeError)
+    def hazmat_unverified_decode(token_str) -> Tuple[Dict, Dict, Any]:
+        """
+        Decode a JWT without verifying the signature or any claims.
+
+        !!! Warning
+            Treat unverified token claims with extreme caution.
+            Nothing can be trusted until the token is verified.
+
+        Returns:
+            Returns the decoded JWT header, payload, and signature
+        """
         unverified_complete = jwt.decode_complete(token_str, options={"verify_signature": False})  # nosemgrep
         return unverified_complete["header"], unverified_complete["payload"], unverified_complete["signature"]
 
diff --git a/src/planet_auth/request_authenticator.py b/src/planet_auth/request_authenticator.py
@@ -126,7 +126,7 @@ def update_credential_data(self, new_credential_data: Dict) -> None:
         self._credential.set_data(new_credential_data)
         self._credential.save()  # Clobber old data that may be saved to disk.
         # Clear-out auth material when a new credential is set.
-        # child classes are expected to populate it JIT for auth
+        # Child classes are expected to populate it JIT for auth
         # requests.
         self._token_body = None
 
@@ -135,7 +135,7 @@ def credential(self, refresh_if_needed: bool = False) -> Optional[Credential]:
         Return the current credential.
 
         This may not be the credential the authenticator was constructed with.
-        Request Authenticators are free to refresh credentials depending in the
+        Request Authenticators are free to refresh credentials depending on the
         needs of the implementation.  This may happen upon this request,
         or may happen as a side effect of RequestAuthenticator operations.
         """
diff --git a/src/planet_auth/storage_utils.py b/src/planet_auth/storage_utils.py
@@ -364,14 +364,17 @@ def update_data(self, sparse_update_data):
             new_data = sparse_update_data
         self.set_data(new_data)
 
-    def set_data(self, data):
+    def set_data(self, data, copy_data: bool = True):
         """
         Set the current in memory data. The data will be checked for validity
         before in memory values are set.  Invalid data will result in an exception
         being thrown and no change being made to the in memory object.
         """
         self.check_data(data)
-        self._data = data.copy()
+        if copy_data:
+            self._data = data.copy()
+        else:
+            self._data = data
         self._load_time = int(time.time())
 
     def check_data(self, data):
@@ -459,9 +462,7 @@ def load(self):
             return  # we now allow in memory operation.  Should we raise an error if the current data is invalid?
 
         new_data = self._object_storage_provider.load_obj(self._file_path)
-        self.check_data(new_data)
-        self._data = new_data
-        self._load_time = int(time.time())
+        self.set_data(new_data, copy_data=False)
 
     def lazy_load(self):
         """
diff --git a/tests/test_planet_auth/unit/auth/auth_clients/oidc/test_token_validator.py b/tests/test_planet_auth/unit/auth/auth_clients/oidc/test_token_validator.py
diff --git a/tests/test_planet_auth/unit/auth/util.py b/tests/test_planet_auth/unit/auth/util.py

Original file line number	Diff line number	Diff line change
`@@ -106,6 +106,7 @@ build-backend = "setuptools.build_meta"`
`106`	`106`	`source = [`
`107`	`107`	`"planet_auth",`
`108`	`108`	`"planet_auth_utils",`
	`109`	`+ "planet_auth_config_injection",`
`109`	`110`	`# "tests",`
`110`	`111`	`]`
`111`	`112`	`branch = true`