Summary
datetime.datetime.utcnow() is deprecated since Python 3.12 and will be removed in a future release. It returns a naive datetime with no timezone info, which means JWT exp comparisons rely on implicit UTC assumptions that can silently break with certain PyJWT versions or OS timezone configs.
Background
PyJWT 2.x performs exp validation against datetime.now(tz=timezone.utc). Passing a naive utcnow() into exp works today due to internal coercion, but the deprecation warning indicates this path is not guaranteed. Using a timezone-aware datetime is the correct, forward-compatible approach.
Affected Areas
web/app.py line 119 — datetime.datetime.utcnow() in Login.post()
web/tests/test_app.py lines 54 and 62 — same pattern in make_valid_token() and make_expired_token()
Recommended Fix
# Before
from datetime import datetime, timedelta
exp = datetime.utcnow() + timedelta(hours=1)
# After
from datetime import datetime, timedelta, timezone
exp = datetime.now(timezone.utc) + timedelta(hours=1)
Apply the same change in both test helpers.
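To show concretely why the aware form matters, here is an added, self-contained example (not code from python_rest_tutorial, and it does not use PyJWT): a minimal HS256 encoder/decoder over the standard library, an exp_claim() helper that refuses naive datetimes, and a naive_exp_skew() helper that computes how far a utcnow()-derived exp would drift if the host's local zone were not UTC. SECRET and FIXED_NOW are constructed sample values; make_valid_token() and make_expired_token() mirror the test helper names from the issue but are hypothetical re-implementations.

```python
import base64
import calendar
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed sample key, not the project's
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock


def exp_claim(expires_at: datetime) -> int:
    """Turn an expiry datetime into the integer NumericDate a JWT 'exp' carries.
    Naive datetimes are rejected: .timestamp() on a naive value assumes local
    time, so a utcnow()-derived expiry drifts by the host's UTC offset."""
    if expires_at.tzinfo is None or expires_at.utcoffset() is None:
        raise ValueError("exp must be timezone-aware; use datetime.now(timezone.utc)")
    return int(expires_at.timestamp())


def naive_exp_skew(naive_utc: datetime, host_offset_hours: int) -> int:
    """Seconds by which a naive utcnow()-based exp would be wrong if the host's
    local zone were UTC+host_offset_hours. The intended value is the UTC epoch
    (calendar.timegm); the value .timestamp() would produce is the local one."""
    intended = calendar.timegm(naive_utc.timetuple())
    host_tz = timezone(timedelta(hours=host_offset_hours))
    as_local = int(naive_utc.replace(tzinfo=host_tz).timestamp())
    return as_local - intended  # negative: token expires early; positive: late


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_hs256(payload: dict, secret: bytes) -> str:
    """Toy HS256 JWT encoder (stand-in for jwt.encode)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_hs256(token: str, secret: bytes, now: Optional[datetime] = None) -> dict:
    """Toy decoder: verifies the signature, then checks exp against an aware
    UTC clock, the same comparison basis PyJWT 2.x uses."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(parts[1]))
    now = now or datetime.now(timezone.utc)
    if "exp" in payload and now.timestamp() >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def make_valid_token(now: datetime = FIXED_NOW) -> str:
    # The "After" form from the issue: aware clock plus a timedelta
    return encode_hs256({"sub": "alice", "exp": exp_claim(now + timedelta(hours=1))}, SECRET)


def make_expired_token(now: datetime = FIXED_NOW) -> str:
    return encode_hs256({"sub": "alice", "exp": exp_claim(now - timedelta(hours=1))}, SECRET)


def demo() -> dict:
    """Run the scenarios against the fixed clock and return the outcomes."""
    results = {}
    results["valid_sub"] = decode_hs256(make_valid_token(), SECRET, now=FIXED_NOW)["sub"]
    try:
        decode_hs256(make_expired_token(), SECRET, now=FIXED_NOW)
        results["expired_rejected"] = False
    except ValueError as err:
        results["expired_rejected"] = str(err) == "token expired"
    try:
        exp_claim(datetime(2024, 1, 1, 13, 0, 0))  # naive, the shape utcnow() returns
        results["naive_rejected"] = False
    except ValueError:
        results["naive_rejected"] = True
    # A naive 13:00 "UTC" read as local time on a UTC+2 host is 11:00 UTC: two hours early
    results["skew_utc_plus_2"] = naive_exp_skew(datetime(2024, 1, 1, 13, 0, 0), 2)
    return results


if __name__ == "__main__":
    print(demo())
```

The skew helper is the practical check: on a UTC host the naive and aware forms agree, which is why the bug stays hidden in CI, while on a UTC+2 host the same utcnow() expiry lands 7200 seconds early. Rejecting naive input in exp_claim() turns that silent drift into an immediate error.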
Acceptance Criteria
datetime.utcnow() replaced in app.py and test_app.py
DeprecationWarning emitted when running pytest
Complexity Estimate
XS — two-line change in app.py, two-line change in test_app.py.
Priority
Medium — no immediate runtime failure, but correctness risk grows with Python version upgrades.
Auto-identified by workspace issue-logger
Category: CVE / security vulnerability
Complexity: XS
Repository: DewaldOosthuizen/python_rest_tutorial