def test_get_token_ttl(self):
# This is called when using a simplekv backend that supports ttl (such
# as redis or memcached). Because I do not want to require having those
# installed to run the unit tests, I'm going to fiat that the code for
# them works, and manually test the helper methods they call for correctness.
# Test token ttl
with self.app.test_request_context():
token_str = encode_refresh_token('foo',
'secret',
'HS256',
timedelta(minutes=5),
csrf=False)
token = decode_jwt(token_str, 'secret', 'HS256', csrf=False)
time.sleep(2)
token_ttl = _get_token_ttl(token).total_seconds()
self.assertGreater(token_ttl, 296)
self.assertLessEqual(token_ttl, 298)
# Test ttl is 0 if token is already expired
with self.app.test_request_context():
token_str = encode_refresh_token('foo',
'secret',
'HS256',
timedelta(seconds=0),
csrf=False)
token = decode_jwt(token_str, 'secret', 'HS256', csrf=False)
time.sleep(2)
token_ttl = _get_token_ttl(token).total_seconds()
self.assertEqual(token_ttl, 0)
def test_encode_refresh_token(self):
secret = 'super-totally-secret-key'
algorithm = 'HS256'
token_expire_delta = timedelta(minutes=5)
identity_claim = 'sub'
# Check with a fresh token
with self.app.test_request_context():
identity = 'user1'
token = encode_refresh_token(identity,
secret,
algorithm,
token_expire_delta,
csrf=False,
identity_claim=identity_claim)
data = jwt.decode(token, secret, algorithms=[algorithm])
self.assertIn('exp', data)
self.assertIn('iat', data)
self.assertIn('nbf', data)
self.assertIn('jti', data)
self.assertIn('type', data)
self.assertIn(identity_claim, data)
self.assertNotIn('csrf', data)
self.assertEqual(data[identity_claim], identity)
self.assertEqual(data['type'], 'refresh')
self.assertEqual(data['iat'], data['nbf'])
now_ts = calendar.timegm(datetime.utcnow().utctimetuple())
exp_seconds = data['exp'] - now_ts
self.assertLessEqual(exp_seconds, 60 * 5)
self.assertGreater(exp_seconds, 60 * 4)
# Check with a csrf token
identity = 12345 # identity can be anything json serializable
token = encode_refresh_token(identity,
secret,
algorithm,
token_expire_delta,
csrf=True,
identity_claim=identity_claim)
data = jwt.decode(token, secret, algorithms=[algorithm])
self.assertIn('exp', data)
self.assertIn('iat', data)
self.assertIn('nbf', data)
self.assertIn('jti', data)
self.assertIn('type', data)
self.assertIn('csrf', data)
self.assertIn(identity_claim, data)
self.assertEqual(data[identity_claim], identity)
self.assertEqual(data['type'], 'refresh')
self.assertEqual(data['iat'], data['nbf'])
now_ts = calendar.timegm(datetime.utcnow().utctimetuple())
exp_seconds = data['exp'] - now_ts
self.assertLessEqual(exp_seconds, 60 * 5)
self.assertGreater(exp_seconds, 60 * 4)
def _create_refresh_token(self,
identity,
expires_delta=None,
user_claims=None,
headers=None):
if expires_delta is None:
expires_delta = config.refresh_expires
if user_claims is None and config.user_claims_in_refresh_token:
user_claims = self._user_claims_callback(identity)
if headers is None:
headers = self._jwt_additional_header_callback(identity)
refresh_token = encode_refresh_token(
identity=self._user_identity_callback(identity),
secret=self._encode_key_callback(identity),
algorithm=config.algorithm,
expires_delta=expires_delta,
user_claims=user_claims,
csrf=config.csrf_protect,
identity_claim_key=config.identity_claim_key,
user_claims_key=config.user_claims_key,
json_encoder=config.json_encoder,
headers=headers)
return refresh_token
def create_refresh_token(self, identity, expires_delta=None):
"""
Creates a new refresh token
:param identity: The identity of this token. This can be any data that is
json serializable. It can also be an object, in which case
you can use the user_identity_loader to define a function
that will be called to pull a json serializable identity
out of this object. This is useful so you don't need to
query disk twice, once for initially finding the identity
in your login endpoint, and once for setting addition data
in the JWT via the user_claims_loader
:param expires_delta: A datetime.timedelta for how long this token should
last before it expires. If this is None, it will
use the 'JWT_REFRESH_TOKEN_EXPIRES` config value
:return: A new refresh token
"""
if expires_delta is None:
expires_delta = config.refresh_expires
refresh_token = encode_refresh_token(
identity=self._user_identity_callback(identity),
secret=config.encode_key,
algorithm=config.algorithm,
expires_delta=expires_delta,
csrf=config.csrf_protect)
return refresh_token
def create_refresh_token(self, identity):
"""
Creates a new refresh token
:param identity: The identity of this token. This can be any data that is
json serializable. It can also be an object, in which case
you can use the user_identity_loader to define a function
that will be called to pull a json serializable identity
out of this object. This is useful so you don't need to
query disk twice, once for initially finding the identity
in your login endpoint, and once for setting addition data
in the JWT via the user_claims_loader
:return: A new refresh token
"""
refresh_token = encode_refresh_token(
identity=self._user_identity_callback(identity),
secret=config.encode_key,
algorithm=config.algorithm,
expires_delta=config.refresh_expires,
csrf=config.csrf_protect)
# If blacklisting is enabled, store this token in our key-value store
if config.blacklist_enabled:
decoded_token = decode_jwt(refresh_token,
config.decode_key,
config.algorithm,
csrf=config.csrf_protect)
store_token(decoded_token, revoked=False)
return refresh_token
def _create_refresh_token(self, identity, expires_delta=None):
if expires_delta is None:
expires_delta = config.refresh_expires
refresh_token = encode_refresh_token(
identity=self._user_identity_callback(identity),
secret=config.encode_key,
algorithm=config.algorithm,
expires_delta=expires_delta,
csrf=config.csrf_protect,
identity_claim=config.identity_claim)
return refresh_token
def _create_refresh_token(self, identity, expires_delta=None):
if expires_delta is None:
expires_delta = config.refresh_expires
if config.user_claims_in_refresh_token:
user_claims = self._user_claims_callback(identity)
else:
user_claims = None
refresh_token = encode_refresh_token(
identity=self._user_identity_callback(identity),
secret=self._encode_key_callback(identity),
algorithm=config.algorithm,
expires_delta=expires_delta,
user_claims=user_claims,
csrf=config.csrf_protect,
identity_claim_key=config.identity_claim_key,
user_claims_key=config.user_claims_key,
json_encoder=config.json_encoder)
return refresh_token
