def _encode_refresh_token(identity, secret, algorithm, token_expire_delta):
"""
Creates a new refresh token, which can be used to create subsequent access
tokens.
:param identity: Some identifier used to identify the owner of this token
:param secret: Secret key to encode the JWT with
:param algorithm: Which algorithm to use for the toek
:return: Encoded JWT
"""
now = datetime.datetime.utcnow()
uid = str(uuid.uuid4())
token_data = {
'exp': now + token_expire_delta,
'iat': now,
'nbf': now,
'jti': uid,
'identity': identity,
'type': 'refresh',
}
encoded_token = jwt.encode(token_data, secret, algorithm).decode('utf-8')
# If blacklisting is enabled, store this token in our key-value store
blacklist_enabled = get_blacklist_enabled()
if blacklist_enabled:
store_token(token_data, revoked=False)
return encoded_token
def create_refresh_token(self, identity, expires_delta=None):
"""
Creates a new refresh token
:param identity: The identity of this token. This can be any data that is
json serializable. It can also be an object, in which case
you can use the user_identity_loader to define a function
that will be called to pull a json serializable identity
out of this object. This is useful so you don't need to
query disk twice, once for initially finding the identity
in your login endpoint, and once for setting addition data
in the JWT via the user_claims_loader
:param expires_delta: A datetime.timedelta for how long this token should
last before it expires. If this is None, it will
use the 'JWT_REFRESH_TOKEN_EXPIRES` config value
:return: A new refresh token
"""
if expires_delta is None:
expires_delta = config.refresh_expires
refresh_token = encode_refresh_token(
identity=self._user_identity_callback(identity),
secret=config.encode_key,
algorithm=config.algorithm,
expires_delta=expires_delta,
csrf=config.csrf_protect)
# If blacklisting is enabled, store this token in our key-value store
if config.blacklist_enabled:
decoded_token = decode_jwt(refresh_token,
config.decode_key,
config.algorithm,
csrf=config.csrf_protect)
store_token(decoded_token, revoked=False)
return refresh_token
def create_access_token(self, identity, fresh=False):
"""
Creates a new access token
:param identity: The identity of this token. This can be any data that is
json serializable. It can also be an object, in which case
you can use the user_identity_loader to define a function
that will be called to pull a json serializable identity
out of this object. This is useful so you don't need to
query disk twice, once for initially finding the identity
in your login endpoint, and once for setting addition data
in the JWT via the user_claims_loader
:param fresh: If this token should be marked as fresh, and can thus access
fresh_jwt_required protected endpoints. Defaults to False
:return: A new access token
"""
access_token = encode_access_token(
identity=self._user_identity_callback(identity),
secret=config.encode_key,
algorithm=config.algorithm,
expires_delta=config.access_expires,
fresh=fresh,
user_claims=self._user_claims_callback(identity),
csrf=config.csrf_protect)
if config.blacklist_enabled and config.blacklist_access_tokens:
decoded_token = decode_jwt(access_token,
config.decode_key,
config.algorithm,
csrf=config.csrf_protect)
store_token(decoded_token, revoked=False)
return access_token
def _encode_access_token(identity, secret, algorithm, token_expire_delta,
fresh, user_claims):
"""
Creates a new access token.
:param identity: Some identifier of who this client is (most common would be a client id)
:param secret: Secret key to encode the JWT with
:param fresh: If this should be a 'fresh' token or not
:param algorithm: Which algorithm to use for the toek
:return: Encoded JWT
"""
# Verify that all of our custom data we are encoding is what we expect
if not isinstance(user_claims, dict):
raise JWTEncodeError('user_claims must be a dict')
if not isinstance(fresh, bool):
raise JWTEncodeError('fresh must be a bool')
try:
json.dumps(user_claims)
except Exception as e:
raise JWTEncodeError('Error json serializing user_claims: {}'.format(
str(e)))
# Create the jwt
now = datetime.datetime.utcnow()
uid = str(uuid.uuid4())
token_data = {
'exp': now + token_expire_delta,
'iat': now,
'nbf': now,
'jti': uid,
'identity': identity,
'fresh': fresh,
'type': 'access',
'user_claims': user_claims,
}
if get_token_location() == 'cookies' and get_cookie_csrf_protect():
token_data['csrf'] = _create_csrf_token()
encoded_token = jwt.encode(token_data, secret, algorithm).decode('utf-8')
# If blacklisting is enabled and configured to store access and refresh tokens,
# add this token to the store
blacklist_enabled = get_blacklist_enabled()
if blacklist_enabled and get_blacklist_checks() == 'all':
store_token(token_data, revoked=False)
return encoded_token
