Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Manually validate flask-extended-jwt's access token

Tags:

flask

flask-jwt

flask-jwt-extended

I have a SPA app that contains an form with an upload file field. I have a rest API whose endpoints are protected via flask-extended-jwt JWT. To authenticate the REST endpoints I use @jwt_required. I want to authenticate the upload request as well.

Because of the client side I can't add an Authorization Bearer header so I thought to add the access token as a hidden field when submitting the form.

What is the best way to manually validate the JWT access token after I read it from the form?

class Upload(Resource):

def post(self):
    #TODO: check for access token
    access_token = None
    if 'access_token' in request.form and request.form['access_token']:
        access_token = request.form['access_token']
    else:
        message = json.dumps({'message': 'Invalid or missing token', 'success': False})
        return Response(response=message, status=401, mimetype='text/plain')

    if access_token:
        #TODO: validate_token(access_token)

Thank you

like image 850
florin Avatar asked Aug 20 '18 14:08

florin

1 Answers

Author of flask-jwt-extended here. That's a great question. There is currently no supported way to do that in the extension, the grabbing the token from the request and decoding it are tightly coupled together. This would be hard to de-couple because there is a lot of conditional things that are going on when the full decode chain runs. For example, checking the CSRF value only if the request is sent in via a cookie, or differentiating between an access and refresh token for the sake of the blacklisting feature.

A generalized function could be created, it's signature would look something like decode_and_verify_jwt(encoded_token, is_access_token=True, check_csrf=False). However, this would complicate the rest of the code in flask_jwt_extended and be a rather confusing function to use for the general case.

I think in this case it would be easier just to add a fourth lookup in the extension, so you could use something like:

app.config['JWT_TOKEN_LOCATION'] = ['headers', 'forms']
app.config['JWT_FORM_KEY'] = 'access_token'
# Use the rest of the application normally

If you want to make a ticket on the github page so I can track this, I would be happy to work on it.

like image 194
vimalloc Avatar answered Oct 20 '22 12:10

vimalloc
Sign in to Comment

Related questions

modify flask url before routing
Handle 1000 concurrent requests for Flask/Gunicorn web service
Flask Unit Testing and not understanding my fix for "TypeError: a bytes-like object is required, not 'str'"
Axios, POST request to Flask
How to group decorators in Python
Unable to Run Flask on Twisted web server, WSGI application error
How to render a template and send a file simultaneously with flask [duplicate]
same url_prefix for two flask blueprints
Unit testing Flask app running under uwsgi
Apache Flask Error 13, permission denied [duplicate]
Using flask-jwt-extended callbacks with flask-restful and create_app
Python - Google OAuth2 - Wrong number of segments in token
Flask 404 Catch requested url
Flask - Get clicked link info and display on rendered page
Why images can be shown only if they are in `static` folder?
How to run/invoke a flask cli command programmatically?
How to access flask config variables outside application context according to my project structure?
Using proper file structure with SQLAlchemy and how to add data to db
Method similar to 'startswith' in Jinja2/Flask
What is Debugger PIN when I run the flask app python

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!