atlassian · dbaxa · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/atlassian_jwt_auth/contrib/django/__init__.py b/atlassian_jwt_auth/contrib/django/__init__.py
diff --git a/atlassian_jwt_auth/contrib/django/decorators.py b/atlassian_jwt_auth/contrib/django/decorators.py
diff --git a/atlassian_jwt_auth/contrib/django/middleware.py b/atlassian_jwt_auth/contrib/django/middleware.py
diff --git a/atlassian_jwt_auth/contrib/flask_app/__init__.py b/atlassian_jwt_auth/contrib/flask_app/__init__.py
diff --git a/atlassian_jwt_auth/contrib/flask_app/decorators.py b/atlassian_jwt_auth/contrib/flask_app/decorators.py
diff --git a/atlassian_jwt_auth/contrib/server/__init__.py b/atlassian_jwt_auth/contrib/server/__init__.py
diff --git a/atlassian_jwt_auth/frameworks/django/__init__.py b/atlassian_jwt_auth/frameworks/django/__init__.py
@@ -1,4 +1,10 @@
-from .decorators import restrict_asap, with_asap
+from .decorators import requires_asap, restrict_asap, with_asap
 from .middleware import OldStyleASAPMiddleware, asap_middleware
 
-__all__ = ["restrict_asap", "with_asap", "OldStyleASAPMiddleware", "asap_middleware"]
+__all__ = [
+    "restrict_asap",
+    "with_asap",
+    "requires_asap",
+    "OldStyleASAPMiddleware",
+    "asap_middleware",
+]
diff --git a/atlassian_jwt_auth/frameworks/django/decorators.py b/atlassian_jwt_auth/frameworks/django/decorators.py
@@ -63,3 +63,20 @@ def restrict_asap(
         required,
         subject_should_match_issuer=None,
     )
+
+
+def requires_asap(
+    issuers: Optional[Iterable[str]] = None,
+    subject_should_match_issuer: Optional[bool] = None,
+    func: Optional[Callable] = None,
+) -> Callable:
+    """Decorator for Django endpoints to require ASAP
+
+    :param list issuers: *required The 'iss' claims that this endpoint is from.
+    """
+    return with_asap(
+        func=func,
+        required=True,
+        issuers=issuers,
+        subject_should_match_issuer=subject_should_match_issuer,
+    )
diff --git a/atlassian_jwt_auth/frameworks/django/tests/test_django.py b/atlassian_jwt_auth/frameworks/django/tests/test_django.py
@@ -196,18 +196,6 @@ def test_request_decorated_issuer_is_allowed(self):
             retriever_key="whitelist/key01",
         )
 
-    # TODO: modify JWTAuthSigner to allow non-issuer subjects and update the
-    # decorated subject test cases
-    def test_request_non_decorated_subject_is_rejected(self):
-        self.check_response(
-            "restricted_subject",
-            "Forbidden",
-            403,
-            issuer="whitelist",
-            key_id="whitelist/key01",
-            retriever_key="whitelist/key01",
-        )
-
     def test_request_using_settings_only_is_allowed(self):
         self.check_response("unneeded", "two")
 

diff --git a/atlassian_jwt_auth/frameworks/django/tests/urls.py b/atlassian_jwt_auth/frameworks/django/tests/urls.py
@@ -29,9 +29,4 @@
         views.restricted_issuer_view,
         name="restricted_issuer",
     ),
-    path(
-        "asap/restricted_subject",
-        views.restricted_subject_view,
-        name="restricted_subject",
-    ),
 ]
diff --git a/atlassian_jwt_auth/frameworks/django/tests/views.py b/atlassian_jwt_auth/frameworks/django/tests/views.py
@@ -1,7 +1,6 @@
 from django.http import HttpResponse
 
-from atlassian_jwt_auth.contrib.django.decorators import requires_asap, validate_asap
-from atlassian_jwt_auth.frameworks.django import restrict_asap, with_asap
+from atlassian_jwt_auth.frameworks.django import requires_asap, restrict_asap, with_asap
 
 
 @with_asap(issuers=["client-app"])
@@ -52,8 +51,3 @@ def unneeded_view(request):
 @restrict_asap(issuers=["whitelist"])
 def restricted_issuer_view(request):
     return HttpResponse("three")
-
-
-@validate_asap(subjects=["client-app"])
-def restricted_subject_view(request):
-    return HttpResponse("four")
diff --git a/atlassian_jwt_auth/frameworks/flask/__init__.py b/atlassian_jwt_auth/frameworks/flask/__init__.py
@@ -1,3 +1,3 @@
-from .decorators import with_asap
+from .decorators import requires_asap, with_asap
 
-__all__ = ["with_asap"]
+__all__ = ["with_asap", "requires_asap"]
diff --git a/atlassian_jwt_auth/frameworks/flask/decorators.py b/atlassian_jwt_auth/frameworks/flask/decorators.py
@@ -32,3 +32,21 @@ def with_asap(
     return _with_asap(
         func, FlaskBackend(), issuers, required, subject_should_match_issuer
     )
+
+
+def requires_asap(
+    f: Callable,
+    issuers: Optional[Iterable[str]] = None,
+    subject_should_match_issuer: Optional[bool] = None,
+) -> Callable:
+    """
+    Wrapper for Flask endpoints to make them require asap authentication to
+    access.
+    """
+
+    return with_asap(
+        func=f,
+        required=True,
+        issuers=issuers,
+        subject_should_match_issuer=subject_should_match_issuer,
+    )
diff --git a/atlassian_jwt_auth/frameworks/flask/tests/test_flask.py b/atlassian_jwt_auth/frameworks/flask/tests/test_flask.py
@@ -2,9 +2,8 @@
 
 from flask import Flask
 
-from atlassian_jwt_auth.contrib.flask_app import requires_asap
 from atlassian_jwt_auth.contrib.tests.utils import get_static_retriever_class
-from atlassian_jwt_auth.frameworks.flask import with_asap
+from atlassian_jwt_auth.frameworks.flask import requires_asap, with_asap
 from atlassian_jwt_auth.tests import utils
 from atlassian_jwt_auth.tests.utils import (
     create_token,

diff --git a/atlassian_jwt_auth/signer.py b/atlassian_jwt_auth/signer.py
@@ -6,6 +6,7 @@
 import jwt
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
+from jwt.types import Options
 
 from atlassian_jwt_auth import algorithms, key
 from atlassian_jwt_auth.key import BasePrivateKeyRetriever, KeyIdentifier
@@ -116,8 +117,9 @@ def can_reuse_token(self, existing_token, claims) -> bool:
         """
         if existing_token is None:
             return False
+
         existing_claims = jwt.decode(
-            existing_token, options={"verify_signature": False}
+            existing_token, options=Options(verify_signature=False)
         )
         existing_lifetime = int(existing_claims["exp"]) - int(existing_claims["iat"])
         this_lifetime = (claims["exp"] - claims["iat"]).total_seconds()

diff --git a/atlassian_jwt_auth/verifier.py b/atlassian_jwt_auth/verifier.py
@@ -10,6 +10,7 @@
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
 from jwt import PyJWK
 from jwt.exceptions import InvalidAlgorithmError
+from jwt.types import Options
 
 from atlassian_jwt_auth import KeyIdentifier, algorithms, exceptions, key
 from atlassian_jwt_auth.key import BasePublicKeyRetriever
@@ -96,12 +97,12 @@ def _decode_jwt(
         leeway: int = 0,
     ) -> Dict[Any, Any]:
         """Decode JWT and check if it's valid"""
-        options = {
-            "verify_signature": True,
-            "require": ["exp", "iat"],
-            "require_exp": True,
-            "require_iat": True,
-        }
+        options: Options = Options(
+            verify_signature=True,
+            require=["exp", "iat"],
+            verify_exp=True,
+            verify_iat=True,
+        )
 
         claims = jwt.decode(
             a_jwt,

diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
-PyJWT>=2.4.0,<3.0.0
+PyJWT>=2.11.0,<3.0.0
 PyJWT[crypto]>=2.4.0,<3.0.0
 requests>=2.8.1,<3.0.0
 CacheControl
diff --git a/setup.py b/setup.py
@@ -2,7 +2,7 @@
 from setuptools import setup
 
 setup(
-    setup_requires=["pbr<7.0.0"],
+    setup_requires=["pbr<8.0.0"],
     pbr=True,
     platforms=["any"],
     zip_safe=False,