Adding the credentials ensures that tokens associated with non-existing
users, or users with an invalid password, won't be accepted, even if
they were correctly encrypted using the host's keypair.
This adds an additional layer of security in case the host's keypair
gets compromised.

PyJWT is a very brittle and cumbersome dependency that expects several
cryptography libraries to be already installed on the system, and it can
lead to hard-to-debug errors when ported to different systems.
Moreover, it installs the whole `cryptography` package, which is several
MBs in size, takes time to compile, and requires a Rust compiler to
be present on the target machine.
Platypush will now use the Python-native `rsa` module to handle JWT
tokens.

`UserManager.get_users` should not return a reference to the query
object, since the query object will be invalidated as soon as the
connection is closed.
Instead, it should directly return the list of `User` objects.

- The `declarative_base` instance should be shared
- Database `session_locks` should be stored at module, not instance
level
- Better isolation of scoped sessions
- Encapsulated `get_session` method in `UserManager`