From 1687d045647d75b01521c8872272d2739f103f34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A1nos=20Kukovecz?=
Date: Mon, 8 Jun 2026 15:27:14 +0200
Subject: [PATCH 1/3] fix: Add leeway to JWT token verification

Using this leeway, the `now` parameter is not needed anymore, as the sub-1 second is calculated into the leeway. From the documentation, the leeway is: "Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew"
---
 onekey_client/client.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/onekey_client/client.py b/onekey_client/client.py
index 7e0d8a9..bf2cd6c 100644
--- a/onekey_client/client.py
+++ b/onekey_client/client.py
@@ -1,7 +1,6 @@
 import functools
 import gc
 import secrets
-import time
 from importlib import resources
 from importlib.metadata import version
 from pathlib import Path
@@ -266,7 +265,7 @@ def _verify_token(
 claims_options=claims_options,
 claims_params={"nonce": nonce},
 )
- decoded_token.validate(now=time.time())
+ decoded_token.validate(leeway=300)
 return decoded_token
From 930662e34e6bd9e3f07e350e2779141d39c74ca1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A1nos=20Kukovecz?=
Date: Mon, 8 Jun 2026 19:28:16 +0200
Subject: [PATCH 2/3] refact: Use ssl context for httpx
---
 onekey_client/client.py | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)
diff --git a/onekey_client/client.py b/onekey_client/client.py
index bf2cd6c..cb95b1d 100644
--- a/onekey_client/client.py
+++ b/onekey_client/client.py
@@ -1,6 +1,7 @@
 import functools
 import gc
 import secrets
+import ssl
 from importlib import resources
 from importlib.metadata import version
 from pathlib import Path
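Review bot: The `leeway=300` passed to `decoded_token.validate()` in the `_verify_token` hunk of patch 1/3 is an unexplained literal at the upper end of the "few minutes" the commit message quotes. Assuming the leeway is applied to `exp` the way the quoted documentation describes, a token stays acceptable for up to five minutes past its expiry. I would name the value at module level with its rationale, `TOKEN_LEEWAY_SECONDS = 300  # tolerated clock skew when checking time-based claims`, and call `decoded_token.validate(leeway=TOKEN_LEEWAY_SECONDS)`; if the deployments do not see that much skew, a smaller value narrows the window. `_verify_token` starts above the hunk, so the decode call and the contents of `claims_options` are not visible here.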
@@ -65,18 +66,34 @@ def _setup_httpx_client(
 ca_bundle: Path | None = None,
 disable_tls_verify: bool | None = False,
 ):
- headers = {"User-Agent": f"{APP_NAME}/{APP_VERSION}"}
- if disable_tls_verify:
- return httpx.Client(base_url=api_url, headers=headers, verify=False) # noqa: S501 (TLS certificate validation disabled)
+ return httpx.Client(
+ base_url=api_url,
+ headers={
+ "User-Agent": f"{APP_NAME}/{APP_VERSION}",
+ },
+ verify=self._create_ssl_context(
+ ca_bundle=ca_bundle, disable_tls_verify=disable_tls_verify
+ ),
+ )
- if ca_bundle is not None:
+ def _create_ssl_context(
+ self,
+ ca_bundle: Path | None,
+ disable_tls_verify: bool | None,
+ ) -> ssl.SSLContext:
+ context = ssl.create_default_context()
+ if disable_tls_verify:
+ context.check_hostname = False
+ context.verify_mode = ssl.CERT_NONE
+ elif ca_bundle is not None:
 ca = ca_bundle.expanduser()
 if not ca.exists():
 raise errors.InvalidCABundle
-
- return httpx.Client(base_url=api_url, headers=headers, verify=str(ca))
- with resources.path(keys, "ca.pem") as ca:
- return httpx.Client(base_url=api_url, headers=headers, verify=str(ca))
+ context.load_verify_locations(cafile=ca)
+ else:
+ with resources.path(keys, "ca.pem") as ca:
+ context.load_verify_locations(cafile=ca)
+ return context
 def _load_key(self, key_name: str, path: Path | None = None):
 if path is not None:
From df22c3ee3daa80853ef15edc28daa23e9b383d82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A1nos=20Kukovecz?=
Date: Mon, 8 Jun 2026 15:29:50 +0200
Subject: [PATCH 3/3] chore: bump version to 2.7.0
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 5f8d936..9d62637 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "onekey_client"
-version = "2.6.0"
+version = "2.7.0"
 description = "ONEKEY API client"
 authors = [{ name = "ONEKEY", email = "support@onekey.com" }]
 requires-python = ">=3.10"
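Review bot: In `_create_ssl_context` (patch 2/3), both CA branches call `context.load_verify_locations(cafile=ca)` on a context built by `ssl.create_default_context()` with no arguments, which has already loaded the system trust store, so the client now accepts chains issued by any system CA in addition to the user-supplied bundle or the packaged `ca.pem`. On the removed side the file was passed as `verify=str(ca)`, which as far as I know makes httpx trust only that file, so a commit labelled as a refactor widens the trust anchors. Passing the file to `ssl.create_default_context(cafile=ca)` keeps the default protocol settings and hostname checking while skipping the system store; the fence shows the three branches written that way. `_setup_httpx_client` begins above the hunk and `_load_key` continues below it.

```python
    # … unchanged: _create_ssl_context signature …
    ) -> ssl.SSLContext:
        if disable_tls_verify:
            # Verification is switched off on request; no CA material is loaded for trust decisions.
            context = ssl.create_default_context()
            context.check_hostname = False
            context.verify_mode = ssl.CERT_NONE
            return context
        if ca_bundle is not None:
            # … unchanged: expanduser() and InvalidCABundle check …
            # cafile= makes create_default_context skip the system trust store.
            return ssl.create_default_context(cafile=ca)
        with resources.path(keys, "ca.pem") as ca:
            return ssl.create_default_context(cafile=ca)
```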