Relax pyjwt dependency constraint #464

Closed
unmonoqueteclea opened this issue Oct 5, 2021 · 8 comments · Fixed by #536


unmonoqueteclea commented Oct 5, 2021

In PR #361 pyjwt was pinned to version 2 to avoid future breaking changes with future breaking versions.

However, we lost the support for pyjwt 1.x although djangorestframework-simplejwt knows how to handle both pyjwt 1 and 2.

Many packages depend on pyjwt 1. Could we relax the dependency constraint to something like
pyjwt>1.7, <3?

At least, while many important packages are updated. For instance, apache-airflow has an indirect dependency on pyjwt<2

@Andrew-Chen-Wang
Member

Yes that is fine. Please open a PR to allow for this change. Unfortunately, as the sole maintainer, I can't approve my own PRs.

@unmonoqueteclea
Author

Nice, I will do it in a few minutes


garyburgmann commented Oct 7, 2021

this will now cause issues due to:

https://pypi.org/project/PyJWT/2.2.0/

app_1       | Traceback (most recent call last):
app_1       |   File "/srv/drf_ping_auth/drf_ping_auth/views.py", line 94, in post
app_1       |     serializer.is_valid(raise_exception=True)
app_1       |   File "/home/debian/.local/lib/python3.9/site-packages/rest_framework/serializers.py", line 220, in is_valid
app_1       |     self._validated_data = self.run_validation(self.initial_data)
app_1       |   File "/home/debian/.local/lib/python3.9/site-packages/rest_framework/serializers.py", line 422, in run_validation
app_1       |     value = self.validate(value)
app_1       |   File "/home/debian/.local/lib/python3.9/site-packages/rest_framework_simplejwt/serializers.py", line 100, in validate
app_1       |     refresh = RefreshToken(attrs['refresh'])
app_1       |   File "/home/debian/.local/lib/python3.9/site-packages/rest_framework_simplejwt/tokens.py", line 42, in __init__
app_1       |     self.payload = token_backend.decode(token, verify=verify)
app_1       |   File "/home/debian/.local/lib/python3.9/site-packages/rest_framework_simplejwt/backends.py", line 68, in decode
app_1       |     return jwt.decode(
app_1       | TypeError: decode() got an unexpected keyword argument 'verify'

will need to pin:
https://github.com/jazzband/djangorestframework-simplejwt/blob/master/setup.py#L59

'pyjwt>=1.7,<2.2'

until the source code of this repo is set up to handle the new PyJWT==2.2.0 changes

@Andrew-Chen-Wang
Member

@garyburgmann I believe we can support pyjwt 1.71+ so long as verify=verify is made into an option in the dict in the decode method in backends.py

Someone please make a PR (so that I can approve and push out the change immediately).
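
The change suggested in the comment above, as an added example that is not part of the original thread or the project's code: `verify` travels inside `options`, so one call shape is accepted by both kinds of decode signature. `decode_old` and `decode_new` are constructed stdlib stand-ins for the two signatures (not PyJWT itself), and `backend_decode` and `make_token` are hypothetical names.

```python
import base64, hashlib, hmac, json

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(head, body, key):
    return hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(payload, key):
    # Constructed HS256 token used as sample input.
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(payload).encode())
    return f"{head}.{body}.{_b64e(_mac(head, body, key))}"

def _hs256_decode(token, key, options):
    # Shared core of both stand-ins; signature checking is on unless disabled.
    head, body, sig = token.split(".")
    if (options or {}).get("verify_signature", True):
        if not hmac.compare_digest(_mac(head, body, key), _b64d(sig)):
            raise ValueError("signature verification failed")
    return json.loads(_b64d(body))

def decode_old(token, key="", verify=True, algorithms=None, options=None, **kwargs):
    # Stand-in for a 1.x-style signature: accepts verify= and extra kwargs.
    # algorithms is accepted but not enforced in this simplified stand-in.
    opts = dict(options or {})
    opts.setdefault("verify_signature", verify)
    return _hs256_decode(token, key, opts)

def decode_new(token, key="", algorithms=None, options=None,
               audience=None, issuer=None, leeway=0):
    # Stand-in for the strict signature in the traceback: no verify=, no **kwargs.
    return _hs256_decode(token, key, options)

def backend_decode(jwt_decode, token, key, verify=True):
    # verify is carried in the options dict instead of as a keyword argument,
    # and it defaults to True so callers must opt out of verification explicitly.
    return jwt_decode(token, key, algorithms=["HS256"],
                      options={"verify_signature": verify})
```

Passing `verify=True` as a keyword to `decode_new` raises the same `TypeError` as in the traceback, while `backend_decode` works with either stand-in and still rejects a token signed with a different key.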

@garyburgmann

@unmonoqueteclea has already opened a pull re: pyjwt 1.71+:

#465

@realsuayip
Contributor

+1 many SDKs seem to be still using pyjwt==1.7.1

@Andrew-Chen-Wang
Member

I will run the test suite on PyJWT 1.7.1 in a week from now (unless someone else would like to). If it is ok, then I will lower the lower bound constraint to 1.7.1 as "unofficial support" as SimpleJWT does not have a CI prepared for 1.7.1.

@Andrew-Chen-Wang
Member

Hi all. I'm so sorry this took forever. Exams are finally over; #536 should be merged and included in the next release which is hopefully this weekend.
