def _encode_refresh_token(identity, secret, algorithm, token_expire_delta): """ Creates a new refresh token, which can be used to create subsequent access tokens. :param identity: Some identifier used to identify the owner of this token :param secret: Secret key to encode the JWT with :param algorithm: Which algorithm to use for the toek :return: Encoded JWT """ now = datetime.datetime.utcnow() uid = str(uuid.uuid4()) token_data = { 'exp': now + token_expire_delta, 'iat': now, 'nbf': now, 'jti': uid, 'identity': identity, 'type': 'refresh', } encoded_token = jwt.encode(token_data, secret, algorithm).decode('utf-8') # If blacklisting is enabled, store this token in our key-value store blacklist_enabled = get_blacklist_enabled() if blacklist_enabled: store_token(token_data, revoked=False) return encoded_token
def create_refresh_token(self, identity, expires_delta=None): """ Creates a new refresh token :param identity: The identity of this token. This can be any data that is json serializable. It can also be an object, in which case you can use the user_identity_loader to define a function that will be called to pull a json serializable identity out of this object. This is useful so you don't need to query disk twice, once for initially finding the identity in your login endpoint, and once for setting addition data in the JWT via the user_claims_loader :param expires_delta: A datetime.timedelta for how long this token should last before it expires. If this is None, it will use the 'JWT_REFRESH_TOKEN_EXPIRES` config value :return: A new refresh token """ if expires_delta is None: expires_delta = config.refresh_expires refresh_token = encode_refresh_token( identity=self._user_identity_callback(identity), secret=config.encode_key, algorithm=config.algorithm, expires_delta=expires_delta, csrf=config.csrf_protect) # If blacklisting is enabled, store this token in our key-value store if config.blacklist_enabled: decoded_token = decode_jwt(refresh_token, config.decode_key, config.algorithm, csrf=config.csrf_protect) store_token(decoded_token, revoked=False) return refresh_token
def create_access_token(self, identity, fresh=False): """ Creates a new access token :param identity: The identity of this token. This can be any data that is json serializable. It can also be an object, in which case you can use the user_identity_loader to define a function that will be called to pull a json serializable identity out of this object. This is useful so you don't need to query disk twice, once for initially finding the identity in your login endpoint, and once for setting addition data in the JWT via the user_claims_loader :param fresh: If this token should be marked as fresh, and can thus access fresh_jwt_required protected endpoints. Defaults to False :return: A new access token """ access_token = encode_access_token( identity=self._user_identity_callback(identity), secret=config.encode_key, algorithm=config.algorithm, expires_delta=config.access_expires, fresh=fresh, user_claims=self._user_claims_callback(identity), csrf=config.csrf_protect) if config.blacklist_enabled and config.blacklist_access_tokens: decoded_token = decode_jwt(access_token, config.decode_key, config.algorithm, csrf=config.csrf_protect) store_token(decoded_token, revoked=False) return access_token
def _encode_access_token(identity, secret, algorithm, token_expire_delta, fresh, user_claims): """ Creates a new access token. :param identity: Some identifier of who this client is (most common would be a client id) :param secret: Secret key to encode the JWT with :param fresh: If this should be a 'fresh' token or not :param algorithm: Which algorithm to use for the toek :return: Encoded JWT """ # Verify that all of our custom data we are encoding is what we expect if not isinstance(user_claims, dict): raise JWTEncodeError('user_claims must be a dict') if not isinstance(fresh, bool): raise JWTEncodeError('fresh must be a bool') try: json.dumps(user_claims) except Exception as e: raise JWTEncodeError('Error json serializing user_claims: {}'.format( str(e))) # Create the jwt now = datetime.datetime.utcnow() uid = str(uuid.uuid4()) token_data = { 'exp': now + token_expire_delta, 'iat': now, 'nbf': now, 'jti': uid, 'identity': identity, 'fresh': fresh, 'type': 'access', 'user_claims': user_claims, } if get_token_location() == 'cookies' and get_cookie_csrf_protect(): token_data['csrf'] = _create_csrf_token() encoded_token = jwt.encode(token_data, secret, algorithm).decode('utf-8') # If blacklisting is enabled and configured to store access and refresh tokens, # add this token to the store blacklist_enabled = get_blacklist_enabled() if blacklist_enabled and get_blacklist_checks() == 'all': store_token(token_data, revoked=False) return encoded_token