^h*SrSSKrSSKrSSKJrJr SSKJr SSKJ r SSK J r SSK J r SSKJr SS KJr SS KJrJrJr SS KJr "S S 5rg)z Supports using JWT's for authenticating into the proxy. Currently only supports admin. JWT token must have 'litellm_proxy_admin' in scope. N)Optionalcast)x509)default_backend) serialization)verbose_proxy_logger) DualCache) HTTPHandler) JWKKeyValue JWTKeyItemLiteLLM_JWTAuth) PrismaClientc \rSrSr%Sr\\\S'\\S'S#Sjr S$S\\S\S\ S \ SS4 S jjr S \ 4S jrS \S\4SjrS \S\\ S\\ 4SjrS\4SjrS\4SjrS \S\\ S\\ 4SjrS%S\\S\4SjjrS \S\\ S\\ 4SjrS \S\\ S\\ 4SjrS \S\\ S\\ 4SjrS \S\4SjrS\\ S\4SjrS\S\\ S\\4SjrS\ S\4Sjr S \ S\4S jr!S!r"S"r#g)& JWTHandlerz - treat the sub id passed in as the user id - return an error if id making request doesn't exist in proxy user table - track spend against the user id - if role="litellm_proxy_user" -> allow making calls + info. Can not edit budgets prisma_clientuser_api_key_cachereturnNc0[5UlSUlg)Nr)r http_handlerleewayselfs W/home/james-whalen/.local/lib/python3.13/site-packages/litellm/proxy/auth/handle_jwt.py__init__JWTHandler.__init__#s(M litellm_jwtauthrc4XlX lX0lX@lgN)rrrr)rrrrrs rupdate_environmentJWTHandler.update_environment)s+"4. rtokenc@URS5n[U5S:H$)N.)splitlen)rr#partss ris_jwtJWTHandler.is_jwt5s C 5zQrscopesc:URRU;agg)NTF)radmin_jwt_scope)rr,s ris_adminJWTHandler.is_admin9s    / /6 9r default_valuecURRbXRRnU$SnU$![a UnU$f=fr )rend_user_id_jwt_fieldKeyErrorrr#r1user_ids rget_end_user_idJWTHandler.get_end_user_id>s] $##99E 4 4 J JK  $#G $/88 AAc4URRcgg)z@ Returns: - True: if 'team_id_jwt_field' is set - False: if not FT)rteam_id_jwt_fieldrs ris_required_team_idJWTHandler.is_required_team_idJs    1 1 9rcURRb*[URR[5(agg)zh Returns: - True: if 'user_allowed_email_domain' is set - False: if 'user_allowed_email_domain' is None TF)ruser_allowed_email_domain isinstancestrrs ris_enforced_email_domain#JWTHandler.is_enforced_email_domainTs=    9 9 E*  : :CK K rcURRbXRRnU$URRbURRnU$SnU$![a UnU$f=fr )rr;team_id_defaultr4)rr#r1team_ids r get_team_idJWTHandler.get_team_idas $##55A 4 4 F FG %%55A..>>  $#G $s/A'-A'"A'' A76A7valid_user_emailc:USLagURR$)z_ Returns: - True: if 'user_id_upsert' is set AND valid_user_email is not False - False: if not F)ruser_id_upsert)rrIs ris_upsert_user_idJWTHandler.is_upsert_user_idms! u $##222rcURRbXRRnU$UnU$![a UnU$f=fr )ruser_id_jwt_fieldr4r5s r get_user_idJWTHandler.get_user_idws] $##55A 4 4 F FG ( $#G $r9cURRbXRRnU$SnU$![a UnU$f=fr )ruser_email_jwt_fieldr4)rr#r1 user_emails rget_user_emailJWTHandler.get_user_emails` '##88D"#7#7#L#LM "  '&J 'r9cURRbXRRnU$SnU$![a UnU$f=fr )rorg_id_jwt_fieldr4)rr#r1org_ids r get_org_idJWTHandler.get_org_ids] ###44@33DDE    #"F  #r9c[US[5(aUSR5nU$[US[5(aUSnU$[ S[ US5S35e![ a /nU$f=f)NscopezUnmapped scope type - z. Supported types - list, str.)r@rAr'list Exceptiontyper4)rr#r,s r get_scopesJWTHandler.get_scopess %.#..w--/ E'ND11w  ,T%.-A,BB`a F  s+A)A)A)) A98A9kidc @# [R"S5nUc [S5eURR S5IShvN nUcUR R U5IShvN nUR5nSU;aUR5SnOUnURRSUURRS9IShvN OUnURXaS9nUc [SUSUS US [U535e[[U5$NNNM7f) NJWT_PUBLIC_KEY_URLz,Missing JWT Public Key URL from environment.litellm_jwt_auth_keyskeys)keyvaluettl)rgrcz"No matching public key found. kid=z , keys_url=z, cached_keys=z , len(keys)=)osgetenvr_rasync_get_cachergetjsonasync_set_cacherpublic_key_ttl parse_keysr(rdict)rrckeys_url cached_keysresponse response_jsonrg public_keys rget_public_keyJWTHandler.get_public_keys;9912  JK K 33CC #    !..228<$%%488E4+@C+G3;! &%D$''Q E4(C/3;!!W Y]c4((!ggeT2G"GO"3--+!$JrrTcURRcgURS5SnX RR:Xagg)NT@F)rr?r')rrT email_domains ris_allowed_domainJWTHandler.is_allowed_domainsD    9 9 A!'',R0 //II Irc # /SQn[R"S5nSnUcSS0nSSKnSSKJn UR U5n[ R"SU5 URSS5nURUS 9IShvN n U b[U [5(a0n S U ;aU S U S 'SU ;aU SU S'S U ;aU S U S 'S U ;aU S U S 'UR[R"U 55n URUU UUUUR S 9n U $U b[U [&5(a[(R*"U R-5[/55nUR15R3[4R6R8[4R:R<5nURUUUUUS9n U $[%S5eGNS!UR"a [%S5e[$an [%S['U 535eSn A ff=f!UR"a [%S5e[$an [%S['U 535eSn A ff=f7f)N)RS256RS384RS512PS256PS384PS512 JWT_AUDIENCE verify_audFr) RSAAlgorithmz header: %src)rcktyne) algorithmsoptionsaudiencerz Token ExpiredzValidation fails: )rrrzInvalid JWT Submitted)rkrljwtjwt.algorithmsrget_unverified_headerrdebugrnryr@rsfrom_jwkrodumpsdecoderExpiredSignatureErrorr_rArload_pem_x509_certificateencoderrx public_bytesrEncodingPEM PublicFormatSubjectPublicKeyInfo)rr#rrdecode_optionsrrheaderrcrxjwkpublic_key_rsapayloadrcertrhs rauth_jwtJWTHandler.auth_jwtshL 99^,  *E2N/**51""<8jj%..3.77  !jT&B&BC "'.E  "'.E j %c?Cj %c?C)224::c?CN ?**")*%;; % # :s(C(C ?55%%'): oo'44!**..!..CC **)%* %/00y86,, 100 ?"4SVH =>> ?0,, 100 ?"4SVH =>> ?s\A:I<G=A;I9GI2BH I$H6H  HI$I9IIIcT# URR5IShvN gN7fr )rclosers rrJWTHandler.close<s%%'''s (&()rrrrr)rN)rr )$__name__ __module__ __qualname____firstlineno____doc__rr__annotations__r rr intr!rAr*r^boolr/rsr7r<rBrGrLrPrUrZraryr r rrrrr__static_attributes__rrrrsL))!!   - & )     Ct  *23-  # T $   hsm QT 3(4.3D3hsmQT   *23-  # Xc]xPS}   & &$&B{#8JCW2CDP1CP1DP1d(rr)rrorktypingrr cryptographyrcryptography.hazmat.backendsrcryptography.hazmat.primitivesrlitellm._loggingrlitellm.caching.cachingr 'litellm.llms.custom_httpx.httpx_handlerr litellm.proxy._typesr r r litellm.proxy.utilsrrrrrrs< !881-?II,e(e(r