def get_stored_token(jti=None, encoded_token=None):
    """Look up the stored token for a jti or for an encoded JWT.

    :param jti: The jti of the token
    :param encoded_token: The encoded JWT string; only consulted when ``jti``
        is not given
    :return: Python dictionary with the token information
    :raises ValueError: when neither ``jti`` nor ``encoded_token`` is supplied
    """
    if jti is None:
        if encoded_token is None:
            raise ValueError('Either jti or encoded_token is required')
        # Derive the identifier from the encoded token when no jti was given
        jti = get_jti(encoded_token)
    return _get_token_from_store(jti)
def test_revoked_token_with_access_blacklist_only(self):
    """Revoke both tokens while only refresh tokens are checked.

    The access token must keep working and the refresh token must be
    rejected with the 'Token has been revoked' message.
    """
    # Only refresh tokens are compared against the blacklist in this test
    self.app.config['JWT_BLACKLIST_TOKEN_CHECKS'] = ['refresh']

    # Obtain a fresh token pair and the jti of each
    access, refresh = self._login('user')
    with self.app.app_context():
        jtis = [get_jti(access), get_jti(refresh)]

    # Revoke both, regardless of which kinds the app actually checks
    for jti in jtis:
        self._jwt_post('/auth/revoke/{}'.format(jti))

    # Access tokens are not checked, so the protected view still answers
    code, body = self._jwt_post('/protected', access)
    self.assertEqual(code, 200)
    self.assertEqual(body, {'hello': 'world'})

    # Refresh tokens are checked, so refreshing is refused
    code, body = self._jwt_post('/auth/refresh', refresh)
    self.assertEqual(code, 401)
    self.assertEqual(body, {'msg': 'Token has been revoked'})
def test_revoke_access_token(self):
    """Revoking an access token must stop it from reaching a protected view.

    With both token kinds checked, the token works before revocation and is
    rejected with the 'Token has been revoked' message afterwards.
    """
    # Both access and refresh tokens are compared against the blacklist
    self.app.config['JWT_BLACKLIST_TOKEN_CHECKS'] = ['access', 'refresh']

    # Obtain an access token and its jti (the refresh token is not needed)
    access, _ = self._login('user')
    with self.app.app_context():
        jti = get_jti(access)

    # Before revocation the protected view answers normally
    code, body = self._jwt_post('/protected', access)
    self.assertEqual(code, 200)
    self.assertEqual(body, {'hello': 'world'})

    # Revoke the access token and check the endpoint confirms it
    code, body = self._jwt_post('/auth/revoke/{}'.format(jti))
    self.assertEqual(code, 200)
    self.assertEqual(body, {'msg': 'Token revoked'})

    # After revocation the same token is refused
    code, body = self._jwt_post('/protected', access)
    self.assertEqual(code, 401)
    self.assertEqual(body, {'msg': 'Token has been revoked'})
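def post(self):
    """User's login view.

    Looks the user up by e-mail or username (case-insensitive), checks the
    submitted password, then issues an access token: the CSRF token is kept
    on ``user.token``, a ``Session`` row is saved with the token's jti and the
    request info, and the access cookies are set on the marshalled response.

    :return: the marshalled user response with access cookies set
    :raises: ``UserExceptions.wrong_login_creds()`` when no user matches or
        the password does not match
    """
    import hmac

    args = user_login_parser.parse_args()
    # ``or ""`` guards a missing/None username so ``.lower()`` cannot raise;
    # the lower-cased value is computed once and reused for both columns.
    login = (args.get("username") or "").lower()
    user: User = User.query.filter(
        or_(
            func.lower(User.email) == login,
            func.lower(User.username) == login,
        )
    ).first()

    supplied = args.get("password", None)
    stored = user.password if user else None
    if isinstance(stored, str) and isinstance(supplied, str):
        # Constant-time comparison so the check's timing does not depend on
        # how many leading characters match. utf-8 encoding is lossless, so
        # the outcome is the same as plain ``==`` on the two strings.
        matched = hmac.compare_digest(
            stored.encode("utf-8"), supplied.encode("utf-8")
        )
    else:
        matched = stored == supplied
    # NOTE(review): the submitted password is compared against ``user.password``
    # directly, which only works if that column holds the raw secret. If so,
    # the storage model (a salted hash checked through a verify function) is
    # the real fix, not just this comparison — confirm against the User model.
    if not user or not matched:
        raise UserExceptions.wrong_login_creds()

    token = create_access_token(user)
    user.token = get_csrf_token(token)
    user_session = Session(
        user=user,
        token=get_jti(token),
        **extract_request_info(request=request),
    )
    user_session.save(True)

    response = make_response(marshal(user, user_model))
    set_access_cookies(response=response, encoded_access_token=token)
    return response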
def post(self):
    """Log the caller out by revoking the JWT of the current request.

    The request's jti is added to ``BLACKLIST`` so that later requests
    presenting the same token are refused.

    :return: a success message and the 200 status code
    """
    # NOTE(review): if BLACKLIST is a process-local set, the revocation is
    # lost on restart and not shared across workers — confirm how it is backed.
    current_jti = get_jti()['jti']
    BLACKLIST.add(current_jti)
    payload = {'message': 'Successfully logged out.'}
    return payload, 200
def post(self):
    """Log the caller out by revoking the JWT of the current request.

    The value returned by ``get_jti()`` is added to ``BLACKLIST`` so that
    later requests presenting the same token are refused.

    :return: a JSON response carrying a success message
    """
    # NOTE(review): if BLACKLIST is a process-local set, the revocation is
    # lost on restart and not shared across workers — confirm how it is backed.
    current_jti = get_jti()
    BLACKLIST.add(current_jti)
    payload = {'message': 'Successfully logged out'}
    return jsonify(payload)