def _decode_jwt_from_request(request_type):
    """Locate, decode and validate the JWT carried by the current request.

    Where the token is looked for depends on config: with both cookies and
    headers enabled the cookie is tried first and the header is consulted only
    when no cookie token was found; otherwise only the single enabled transport
    is read. The decoded token must then carry the expected ``type`` claim, its
    ``user_claims`` must satisfy ``verify_token_claims`` (access tokens only),
    and ``_token_blacklisted`` must not report it as revoked.

    :param request_type: token type this endpoint accepts ('access' or 'refresh')
    :returns: the decoded token (a dict of claims)
    :raises NoAuthorizationError: no token found in any enabled location
    :raises WrongTokenError: the ``type`` claim differs from *request_type*
    :raises UserClaimsVerificationError: custom claim check failed (access tokens)
    :raises RevokedTokenError: the token is blacklisted
    """
    if config.jwt_in_cookies and config.jwt_in_headers:
        # Cookie wins when present. Only a *missing* cookie token falls
        # through to the header; any other decode failure propagates as-is.
        try:
            decoded = _decode_jwt_from_cookies(request_type)
        except NoAuthorizationError:
            try:
                decoded = _decode_jwt_from_headers()
            except NoAuthorizationError:
                raise NoAuthorizationError("Missing JWT in headers and cookies")
    elif config.jwt_in_headers:
        decoded = _decode_jwt_from_headers()
    else:
        decoded = _decode_jwt_from_cookies(request_type)

    # A refresh token must never be usable on an access-only endpoint (and
    # vice versa), regardless of where it was transported.
    if decoded['type'] != request_type:
        raise WrongTokenError('Only {} tokens can access this endpoint'.format(request_type))

    # Custom claims are validated for access tokens only.
    if request_type == 'access' and not verify_token_claims(decoded['user_claims']):
        raise UserClaimsVerificationError('user_claims verification failed')

    # Revocation is the final gate, after the token is otherwise acceptable.
    if _token_blacklisted(decoded, request_type):
        raise RevokedTokenError('Token has been revoked')

    return decoded
def _decode_jwt_from_request(request_type):
    """Fetch the request's JWT from cookies and/or headers and validate it.

    With both transports enabled the cookie is preferred and the header is
    only consulted when the cookie carried no token; with one transport
    enabled only that one is read. The decoded token's ``type`` claim must
    match *request_type*, and when ``config.blacklist_enabled`` is set the
    token is passed through ``check_if_token_revoked``.

    :param request_type: token type the endpoint accepts ('access' / 'refresh')
    :returns: the decoded token claims
    :raises NoAuthorizationError: no token in any enabled location
    :raises WrongTokenError: ``type`` claim does not match *request_type*
    """
    def _from_cookie_then_header():
        # Only a missing cookie token falls back to the header; other decode
        # errors from the cookie path propagate unchanged.
        try:
            return _decode_jwt_from_cookies(request_type)
        except NoAuthorizationError:
            try:
                return _decode_jwt_from_headers()
            except NoAuthorizationError:
                raise NoAuthorizationError(
                    "Missing JWT in headers and cookies")

    if config.jwt_in_cookies and config.jwt_in_headers:
        token = _from_cookie_then_header()
    elif config.jwt_in_headers:
        token = _decode_jwt_from_headers()
    else:
        token = _decode_jwt_from_cookies(request_type)

    # Reject a token of the wrong kind (e.g. a refresh token on an access endpoint).
    if token['type'] != request_type:
        raise WrongTokenError(
            'Only {} tokens can access this endpoint'.format(request_type))

    # Revocation is only consulted when blacklisting has been switched on.
    if config.blacklist_enabled:
        check_if_token_revoked(token)

    return token
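def wrapper(*args, **kwargs):
    """Require a refresh token passed as the ``refresh_token`` query parameter.

    Decodes and verifies the token with the configured secret and algorithm,
    rejects anything whose ``type`` claim is not 'refresh', stores the decoded
    claims in ``ctx_stack.top.jwt`` and then calls the wrapped view.

    :raises NoAuthorizationError: the ``refresh_token`` parameter is absent or empty
    :raises WrongTokenError: the token is not a refresh token
    """
    # NOTE(review): a refresh token in the query string ends up in server and
    # proxy access logs, browser history and Referer headers. A header or the
    # request body is the safer transport; kept as-is because callers depend
    # on this parameter.
    token = request.args.get('refresh_token')
    # Fail with the authorization error callers expect rather than handing a
    # None token to the decoder.
    if not token:
        raise NoAuthorizationError("Missing refresh token")

    secret = _get_secret_key()
    algorithm = get_algorithm()
    jwt_data = _decode_jwt(token, secret, algorithm)

    # An access token must not be accepted where a refresh token is required.
    if jwt_data['type'] != 'refresh':
        raise WrongTokenError(
            'Only refresh tokens can access this endpoint')

    # Expose the decoded claims to the wrapped view.
    ctx_stack.top.jwt = jwt_data
    return fn(*args, **kwargs)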
def wrapper(*args, **kwargs):
    """Guard a view so that only a valid refresh token may reach it.

    Decodes the request's JWT, rejects any token whose ``type`` claim is not
    'refresh', applies the revocation check when blacklisting is enabled, then
    publishes the token's ``identity`` claim as ``ctx_stack.top.jwt_identity``
    before invoking the wrapped view.

    :raises WrongTokenError: the presented token is not a refresh token
    """
    decoded = _decode_jwt_from_request()

    # Access tokens must never be usable where a refresh token is required.
    if decoded['type'] != 'refresh':
        raise WrongTokenError('Only refresh tokens can access this endpoint')

    # Revocation is only consulted when the application turned blacklisting on.
    if get_blacklist_enabled():
        check_if_token_revoked(decoded)

    # Only the identity (not the full token) is exposed to the view here.
    ctx_stack.top.jwt_identity = decoded['identity']
    return fn(*args, **kwargs)
def wrapper(*args, **kwargs):
    """Guard a view so that only a valid access token may reach it.

    Asks the decoder for an access token, re-checks the ``type`` claim,
    applies the revocation check when blacklisting is enabled, stores the
    decoded token in ``ctx_stack.top.jwt`` and then calls the wrapped view.

    :raises WrongTokenError: the presented token is not an access token
    """
    decoded = _decode_jwt_from_request(type='access')

    # Belt and braces: the decoder was asked for an access token, but the
    # ``type`` claim is verified again here before anything else happens.
    if decoded['type'] != 'access':
        raise WrongTokenError(
            'Only access tokens can access this endpoint')

    revocation_enabled = get_blacklist_enabled()
    if revocation_enabled:
        check_if_token_revoked(decoded)

    # The whole decoded token is made available to the view.
    ctx_stack.top.jwt = decoded
    return fn(*args, **kwargs)
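def wrapper(*args, **kwargs):
    """Require a refresh token supplied as ``refresh_token`` in the JSON body.

    Decodes the token with the configured key and algorithm, rejects anything
    whose ``type`` claim is not 'refresh', enforces revocation when
    blacklisting is enabled, stores the claims in ``ctx_stack.top.jwt``, loads
    the user for the token's ``identity`` and finally calls the wrapped view.

    :raises NoAuthorizationError: no JSON body, or no ``refresh_token`` in it
    :raises WrongTokenError: the token is not a refresh token
    """
    # A missing, empty or non-JSON body must produce the normal
    # "missing token" error, not an AttributeError on a None body.
    body = request.get_json(silent=True) or {}
    jwt_token = body.get('refresh_token', None)
    if not jwt_token:
        raise NoAuthorizationError("Missing refresh token")

    # csrf=False as in the original: the token arrives in the body, not in a
    # cookie, so no double-submit CSRF value is expected alongside it.
    decoded_token = decode_jwt(
        jwt_token, config.decode_key, config.algorithm, csrf=False)

    # An access token must not be accepted where a refresh token is required.
    if decoded_token['type'] != 'refresh':
        raise WrongTokenError('Only refresh tokens can access this endpoint')

    # Revocation must be enforced on refresh tokens too: a blacklisted refresh
    # token that is still honoured keeps issuing new access tokens until it
    # expires. This check was previously commented out.
    if config.blacklist_enabled:
        check_if_token_revoked(decoded_token)

    ctx_stack.top.jwt = decoded_token
    _load_user(decoded_token['identity'])
    return fn(*args, **kwargs)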
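def wrapper(*args, **kwargs):
    """Optionally authenticate: run the view with or without an access token.

    When the request carries no JWT at all the view runs unauthenticated.
    When a token IS present it has to be valid: a token of the wrong type, a
    revoked token, or one the decoder rejects propagates its error instead of
    being silently treated as "no token". On success the decoded token is
    stored in ``ctx_stack.top.jwt``.

    :raises WrongTokenError: a token was presented but is not an access token
    """
    try:
        jwt_data = utils._decode_jwt_from_request(type='access')

        if jwt_data['type'] != 'access':
            raise WrongTokenError(
                'Only access tokens can access this endpoint')

        if utils.get_blacklist_enabled():
            utils.check_if_token_revoked(jwt_data)

        ctx_stack.top.jwt = jwt_data
    except NoAuthorizationError:
        # Only a *missing* token is ignored; everything else is a real error.
        pass

    # This return used to sit in a ``finally`` clause. A ``return`` inside
    # ``finally`` discards any in-flight exception, so WrongTokenError, the
    # revocation error and every decoder error were swallowed and the view
    # ran anonymously on a bad token.
    return fn(*args, **kwargs)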
def wrapper(*args, **kwargs):
    """Guard a view so that only a *fresh* access token may reach it.

    Checks, in order: the JWT decodes, its ``type`` claim is 'access', it is
    not revoked (when blacklisting is enabled) and its ``fresh`` claim is
    truthy. On success the token's ``identity`` and ``user_claims`` are
    published on ``ctx_stack.top`` and the wrapped view is called.

    :raises WrongTokenError: the presented token is not an access token
    :raises FreshTokenRequired: the token's ``fresh`` claim is falsy
    """
    decoded = _decode_jwt_from_request()

    if decoded['type'] != 'access':
        raise WrongTokenError('Only access tokens can access this endpoint')

    if get_blacklist_enabled():
        check_if_token_revoked(decoded)

    # Freshness is the last gate, evaluated after type and revocation.
    if not decoded['fresh']:
        raise FreshTokenRequired('Fresh token required')

    top = ctx_stack.top
    top.jwt_identity = decoded['identity']
    top.jwt_user_claims = decoded['user_claims']
    return fn(*args, **kwargs)
def verify_token_type(decoded_token, expected_type):
    """Raise unless the token's ``type`` claim equals *expected_type*.

    :param decoded_token: decoded JWT claims (a mapping with a 'type' key)
    :param expected_type: token type the caller requires, e.g. 'access'
    :raises WrongTokenError: on any mismatch
    """
    actual_type = decoded_token['type']
    if actual_type == expected_type:
        return
    raise WrongTokenError(
        'Only {} tokens are allowed'.format(expected_type))
def verify_token_type(decoded_token, refresh):
    """Enforce the refresh / non-refresh split on a decoded token.

    With ``refresh=True`` only a token whose ``type`` claim is "refresh"
    passes; with ``refresh=False`` any token whose ``type`` is *not*
    "refresh" passes (no other type value is inspected).

    :param decoded_token: decoded JWT claims (a mapping with a "type" key)
    :param refresh: whether the caller requires a refresh token
    :raises WrongTokenError: the token is on the wrong side of the split
    """
    is_refresh_token = decoded_token["type"] == "refresh"
    if refresh and not is_refresh_token:
        raise WrongTokenError("Only refresh tokens are allowed")
    if not refresh and is_refresh_token:
        raise WrongTokenError("Only non-refresh tokens are allowed")
def verify_token_type(decoded_token, expected_type):
    """Reject a decoded token whose ``type`` claim is not *expected_type*.

    :param decoded_token: decoded JWT claims (a mapping with a "type" key)
    :param expected_type: the token type the endpoint accepts
    :raises WrongTokenError: the ``type`` claim differs from *expected_type*
    """
    mismatch = decoded_token["type"] != expected_type
    if mismatch:
        message = "Only {} tokens are allowed".format(expected_type)
        raise WrongTokenError(message)