jazzband/djangorestframework-simplejwt

Looking for maintainers (and Thank You to the community!)

davesque opened this issue · 55 comments

Hey folks! So Simple JWT has really come a ways in terms of popularity (further than I probably would have imagined). For that, I owe a big "Thank you!" to the community of Django and REST devs that have used and contributed to the project!

However, for a while now I haven't had a lot of time to devote to addressing issues and feature requests. My professional life dominates my schedule and it also hasn't tended to involve much REST API development in recent years. But the library continues to enjoy widespread use. Contributors request/develop features and identify usability/security issues on a daily basis. I don't have enough time in my personal schedule to serve all of the community's needs! But I want to see the project continue to succeed.

For that reason, I'm interested in hearing from any devs that wish to become involved in maintaining this project. I'm particularly interested in hearing from devs who have contributed to this project in the past and/or who can demonstrate experience with similar engineering projects. Significant histories of open source contribution are obviously a plus! If you're located in Boulder, CO (which is in the US), that's also a huge plus. We could potentially meet in person to get acquainted.

Please reply to this issue if you think you match the above criteria! I'm looking forward to hearing from all of you!

@davesque Did you try to move this to JazzBand? This repository is used a lot and was the only maintained JWT package for Django.

Hi there, I'm a contributor to the Masonite project, and currently I'm using Django-rest-framework-simplejwt on many projects.

We use many open source projects inside of our company and I'll be glad to offer to help maintain it :)

P.S. Currently I'm mostly using GitLab as the repo for my private projects, so my contribution graph here has been very simple these last months :)

@davesque Any progress in getting a maintainer? If not, I'll go and ask JazzBand if they would like to maintain this. I would also be happy to assist in maintenance if JazzBand doesn't work out BUT I can't be alone; basically, I would need someone (maybe multiple people) to help maintain.

I'm interested in being a maintainer!

@Andrew-Chen-Wang I applied to join JazzBand, but haven't received any response yet.

@Andrew-Chen-Wang Actually, I think I might make an open source github org for this. If so, care to be a member?

@davesque Sure, I’m down. Looking forward to it.

@davesque you can count me in too...

Thanks in advance

Hello here, I can help you if needed for issues triaging for example, or code review.
I'm the creator and maintainer of https://github.com/lesspass/lesspass 3.8k stars

@davesque consider moving the project to @jazzband; dj-rest-auth was also moved there, and there's a PR to replace rest_framework_jwt with django-rest-framework-simplejwt

So what's the roadmap?

@stunaz Currently, there is a big PR regarding support for HTTP cookies for SPAs. @pauloxnet Apparently, Dave already tried going to Jazzband a while ago, but there was no response. There's also an "experimental feature" using the TokenUser model that you can play around with. I haven't had the time to consider the security measures of it and its future full-time use, though. Otherwise, there are a couple of members in the SimpleJWT org that'll try to update this repo as much as possible and answer as many issues, too.

This library is also under MIT license. Although we don't have a CONTRIBUTORS.txt, we could spin one up really quickly once someone opens an issue for it.

Considering dj-rest-auth just officially switched to django-rest-framework-simplejwt, JazzBand may be more interested now. I would definitely volunteer some time to be a maintainer (mostly selfish since I want my PRs merged) but I could also try contacting JazzBand to point out how integral this is.

I'm new to using this framework, but would be willing to pitch in as much as I could to help out.

I'm currently using your library on some of my DRF projects, and for sure I'd be glad to collaborate on this project! Do you have any roadmap where we should take a look to get started? I don't have a lot of contributions on open source projects (maybe that's the chance to change it? 😄), I guess I have one or two contributions of small things, but I've been working with Python for a while now, so I guess I can help with something.

Hey guys,

I'm starting on using DRF and I wanted to use some JWT implementation app. From what I see now there is a bit of confusion as per different apps, I've seen that others lost support/maintainers. Any suggestion as per what are currently supported apps that could extend DRF with AUTH / JWT ready to use solutions?

Hi @hvitis

I am one of the maintainers and also I personally used this library in production for a few projects I have worked on in the last years...

This is a good and stable package. Also one of the nice benefits I find for it is the refresh_token + access_token and there is no DB involved in this process.

My personal toolkit is DRF + SimpleJWT + Djoser ==> and you have a nice start setup: Authentication & User management working out of the box all together

Feel free to decide for yourself.

@affonsobrian There is no roadmap, but I can list some stuff that would be helpful to many looking to help contribute:

  • Easier callable mechanism for any new methods for flexibility (e.g. signals and permission-based authentication #190).
  • Better release mechanism. We could utilize a GitHub workflow to have enough people authorize a release (or just Dave rather than 4 members approving) and let another GitHub workflow build and push the package to PyPa.
  • Official support for a method for rotating signing keys.
  • Docs explaining what this repo is for... and what it shouldn't be for. Security is a touchy thing, and many people are deploying this and forgetting a lot of security measures...

I can also make this unofficial roadmap into a new issue, but that's a starting point :) I don't want this to be too flexible of an app (while I don't contribute in code much since I'm busy, but I still don't want security vulnerabilities or non-secure mindsets to arise).

Hi! Is this invitation still open? I would like to be a maintainer.

I could volunteer to help as a maintainer if possible. I haven't worked on open source projects in a while so would be a bit slow on the uptake, just a heads up.

Nobody's responding. The project looks dead. That would be unfortunate. If the owner can not maintain it, he should pass it to the people willing to help.

Hi @Andrew-Chen-Wang !
Thanks for responding. @Alig1493 would like also to help. And I would also like to contribute. When you catch time send me more info via email how I can help. Best regards!

@Andrew-Chen-Wang you can assign the SimpleJWT project to JazzBand for maintaining https://jazzband.co

Hi @bnisevic
I believe it's been tried before - perhaps several times. If you'd like to become a maintainer or triage member and help me out answering questions and closing issues, email David (email in his profile).

Hi, I just stumbled across this issue while digging for answers to some questions. I know that @Andrew-Chen-Wang and other maintainers have already tried contacting JazzBand before, but nonetheless I wanted to leave this link from JazzBand's website in case it becomes relevant detail. I may be mistaken, but the gist of it is that there exists a pretty standard procedure for transferring an existing project to JazzBand.

Hope this helps, and thank you to all developers who've helped maintain this wonderful project.

It is a wonderful project, but it seems dead now.

There are some missing details in this repo that don't conform to Jazzband, but I've been given merge perms so I'm able to merge some PRs. Just gotten busier with college lately, so that's why v5.0.0 is coming a little slow, although I've already merged a couple of PRs already @bnisevic.

Again, if you'd like to help maintain, that'd be great. Please email David (his email's in his GitHub repo or setup.py)

I'm interested in being a maintainer

I also have experience in implementing JWT authentication on our internal web portal (microservices). It also used access + refresh tokens along with a database where users were stored, nginx+lua where tokens were verified and Redis where we store valid tokens for users. It eliminates the need to clean up the database and you can set a TTL for the key matching the lifetime of the token. Access tokens cannot be blacklisted but generally they should be 5 to 30 mins max. The refresh token is saved to Redis with a TTL of its lifetime. In case of refresh we just rotate it (remove old and add new).

Also we had an interesting implementation of anonymous users for being able to store some data for not logged in users. These users also require tokens but we do not store them as blacklisting them (logging users out) is useless in this setup.

Also we had an implementation about User-Agents and possible misuse of a token (stolen). The token has the user agent inside it, and if it is stolen and someone then tries to reuse it, you have to have almost the exact user-agent, or you can come up with some fingerprints.

And... I would like to participate in the life of this project as I am also using it, had some comments, even forked/copied it once to fix some problem.

Thanks. Looking forward to cooperation.
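
The refresh-token scheme described in the comment above (short-lived access tokens that are never stored, refresh tokens kept in a TTL store and rotated on use, a user-agent hash inside the token), as an added example that is not the commenter's or the project's code. Assumptions: a compact HMAC-signed token stands in for a real JWT library, `TTLStore` is an in-memory stand-in for Redis, and the names, key and lifetimes are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key"  # constructed value; use a managed secret in practice
ACCESS_TTL, REFRESH_TTL = 15 * 60, 7 * 24 * 3600  # seconds (assumed lifetimes)

class TTLStore:
    """In-memory stand-in for Redis SETEX / DEL so the example runs offline."""
    def __init__(self, clock=time.time):
        self.clock, self.data = clock, {}
    def setex(self, key, ttl, value):
        self.data[key] = (value, self.clock() + ttl)
    def delete(self, key):
        # True only if the key existed and had not yet expired
        value, expires = self.data.pop(key, (None, 0))
        return value is not None and self.clock() < expires

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _ua(user_agent):
    return hashlib.sha256(user_agent.encode()).hexdigest()

def sign(claims):
    body = _b64(json.dumps(claims).encode())
    return body + "." + _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def verify(token, now):
    body, _, mac = token.partition(".")
    good = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac.encode(), good.encode()):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def issue(store, user, user_agent):
    now, jti = store.clock(), secrets.token_urlsafe(16)
    base = {"sub": user, "ua": _ua(user_agent)}
    store.setex("refresh:" + jti, REFRESH_TTL, user)  # only refresh tokens are stored
    access = sign({**base, "typ": "access", "exp": now + ACCESS_TTL})
    return access, sign({**base, "typ": "refresh", "jti": jti, "exp": now + REFRESH_TTL})

def rotate(store, refresh_token, user_agent):
    claims = verify(refresh_token, store.clock())
    if claims.get("typ") != "refresh" or claims["ua"] != _ua(user_agent):
        raise ValueError("not a refresh token, or user agent changed")
    if not store.delete("refresh:" + claims["jti"]):  # remove old ...
        raise ValueError("refresh token already rotated or revoked")
    return issue(store, claims["sub"], user_agent)  # ... and add new
```

Logging a user out is `store.delete("refresh:" + jti)`; access tokens already issued stay valid until their `exp`, which is why they are kept short. The User-Agent header is sent by the client, so the binding raises the bar for casual reuse of a stolen token rather than proving which device holds it.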

Hi all, if you're interested in becoming a maintainer, please email David. (It's in the GitHub organization repo). David usually doesn't look at this entire repository's issues; he'll only look at his email if there's some kind of request. Just don't spam it.

We already did email David. And we got no reply.

As a co-maintainer of pyJWT, I would love to be a maintainer of this project.

ERROR: Could not find a version that satisfies the requirement djangorestframeork.simplejwt

Hey all, we've decided to get this to Jazzband if they accept this. Sit tight!

Jazzband web site for people like me who don't know what Jazzband is https://jazzband.co/

Nice to hear that! There is hope for this project!

Well I don't get it... Jazzband or not, maintainers are still required. Jazzband's team will not just pick up the project from here and fix bugs and develop new features from it. I think they might maintain as in keeping the project alive, running against new Django releases, do some triages, review some PRs. But I doubt they will develop new features or fix our long-standing issues.

@stunaz It's just a way to relinquish control to an organization who can give out permissions and do the job. I'm not exactly a good maintainer, and I've also lost time due to school. If someone can do what I did which was review some PRs BUT ALSO have merge capabilities, I'm for it rather than a stale library.

Agreed with you @Andrew-Chen-Wang. But on the other hand, I see nice people willing to maintain this project like @auvipy, but we don't see any follow-up on this.

Instead of moving to Jazzband, I would like to maintain it here. But if you still persist, I had to do it after the transfer.

If your only motivation is to contribute to this project, you can easily join the jazzband and contribute through there.

@auvipy @bnisevic I've already emailed him about you wanting to become a maintainer after I missed his email about the Jazzband news from 4 days ago. I too would like for SimpleJWT to stay in this organization, but it's still up to David, but the response rate from him is low due to work (David's been MIA for 4 months).

I already contribute to some Jazzband projects.

Hey all, Jazzband founder and roadie here, if you have any questions, please don't hesitate to ask away. There is also #382 now that the transfer has happened. Welcome!

Full disclosure since dj-rest-auth has been mentioned in this ticket, some time ago the project was transferred back to the original author following a discussion around the need for Jazzband projects to move to GitHub Actions from other 3rd party CI systems (original PR with discussion).

@auvipy Thanks for taking over! and @jezdez Thanks for getting SimpleJWT to Jazzband! No need to worry about dj-rest-auth; it has already migrated to simplejwt as I think this repo is becoming the standard for getting a quick refresh/access auth type system going.

I want to contribute to SimpleJWT but I am new to open source. Please guide me.

please check the issues

@japsimrans13 I'm afraid Jazzband isn't a great place to learn about Open Source, or at least it's not built to provide guided mentorship like you may be looking for.

Hey @auvipy, I think this isn't the right way to provide mentorship to learn about Open Source, especially in a security-sensitive application like this.

@japsimrans13 refer to our docs if you would like to add a feature or implement an existing issue.

This issue is for maintainership purposes and not contributions. I'm closing this issue since anyone can join Jazzband and help maintain.

I would like to maintain the repository

I can contribute to SimpleJWT, and I have some projects with Django. @davesque please @SuboFrank

Hi @davesque

I have re-written this project to be compatible with MongoEngine and released it with version 1.0.0. Currently, it supports Simple JWT versions: 4.6 and 4.7

Please visit the Github project's link: https://github.com/ngocngoan/djangorestframework-simplejwt-mongoengine

While you may have updated some crucial parts, you licensed your code under GPL3. I would assume that most potential users are developing closed source software, therefore it is simply not an appropriate replacement/update to this project.