JSON Web Token (JWT) Authorization for Python's Requests

JSON Web Tokens are “a compact URL-safe means of representing claims to be transferred between two parties.” The “claims” are assertions about what’s going on, and they’re cryptographically signed, either with a shared secret between client and server or using public key cryptography.

One place they’re being used is in Mozilla’s BadgeKit API. There, clients of the API have a shared secret with the server. That secret is used to sign a statement of the HTTP path, method, and request body (for POST and PUT requests). Assuming nothing important happens in the other HTTP headers, this means that an evesdropper can only replay the exact HTTP request that the real client made. This makes it better than simply including unchanging credentials, because once the credentials are sniffed from the network, they can be reused to make any request to the server.

Unfortunately, JSON Web Tokens are fiddly to assemble. There is a good implementation for Python called PyJWT (PyPI). However, to use it with Kenneth Reitz’s immortal work, requests, one must write a custom authentication plugin. Well, I’ve done that! Yay! The code is on GitHub, and on PyPI as requests-jwt. The documentation is on Read the Docs.

import requests
from requests_jwt import JWTAuth, payload_method

auth = JWTAuth('superSekr3t')
auth.add_field(payload_method)
# ... other claims/payloads
resp = requests.get('http://auth-required.example.com/', auth=auth)

This is part of my current work with Dr. Daniel Hickey, bringing digital badges (which are more interesting than they sound) to online courses hosted with Open edX.

Matlab xUnit DocTest transfers ownership

At a previous job, I worked a lot with Matlab. This was in 2010, before Matlab had any testing tools included, and the best testing tool was Steve Eddins’ Matlab xUnit package.

I loved (and love) the Python doctest module: it’s both a clever hack and a very useful tool. I decided to make a version of it for Matlab.

Matlab isn’t the kind of language that lets you really control the namespace of the code that is running. Python, for instance, has a nearly empty namespace by default when you run code in a separate file. R has similar capabilities, although (for me) they are clunkier to use. But, unless you explicitly make some code a function, Matlab runs it more like a script, sharing the namespace of whatever code calls it. This makes ‘doctest’ a tricky concept to implement - either you have to manipulate the documentation strings into functions, or else control the available variables very carefully.

I chose the latter route, ending up with this hilarious test-running method. I wrote it normally, and then renamed all the variables, from example_var to DOCTEST__example_var. So, the test code isn’t actually isolated, but at least it should never modify the test-running function’s state accidentally. I think, given the limitations of the language, that’s the best I could do. And it was useful. And check out the doctest on that method! Heheheh.

Anyway, the reason this comes up today is that I haven’t worked at a job with a Matlab license for several years. And GNU Octave, while probably useful for number crunching, lacks a lot of Matlab’s finer points, including its classdef classes. So I basically haven’t worked on it at all for 3 years.

But hey good news, Open Source! Mr Paul Sexton has offered to take over maintainership! I accept. That’s nice. He’s already made some changes that make the code runnable on modern Matlab versions, showing the value of having a maintainer who can at least run the code. I’m glad, and excited to see where he takes the project! Even if it’s just keeping it runnable, I expect that a few people will benefit. Good!

As an aside, I’m on the lookout for my next numeric language. I’ve had success with NumPy and Pandas, but I’ve also heard nice things about Julia. I was thinking about making doctests my first practice project in Julia, but actually, Julia doesn’t even support docstrings. Its builtins have text that’s associated with them, that shows up in help("blah"), but there’s currently no way to do that for your own code. That seems really important to me. I’ll probably stick with Python for my next vectorized-math project, though I continue to follow Julia now and then.

A story from my sister

My sister, Miranda Hassett, visited Jerusalem in 1995.

I was bright, curious, and ambitious. I thought I was ready. I thought it was the kind of thing a student like me, a person like me, should do.

Just a few weeks in, her visit turned a very sharp corner.

Playing with d3.js

At one of my jobs, I’m working with d3.js to develop visualizations of scholarly data, such as article citations and co-authorships. I’m not ready to show off that work yet, but I got a bee in my bonnet to make some useless/pretty pictures. The main inspiration was gmunk’s work on TRON - SO NICE. My work obviously does not compare, but it’s been fun to try things with a playful attitude.

Here is one

Here is another

Incidentally, Mike Bostock’s bl.ocks.org is both handy and a cute use of gists.

Finally, the best d3 visualization I’ve seen is this globe with overlaid weather data. Really amazing!

Sports Metaphors: Curling Edition

Be Thou our Skip throughout life’s game, An’ syne we’re sure to win, Tho’ slow the shot and wide the aim, We’ll [sweep] each ither in.

from “Curler’s Grace”

Source (wikipedia)

Sports Metaphors: Shooting Edition

[The gazelle’s legs] are like rifles from which leaps are fired.

– Rainer Maria Rilke