def _decode_jwt_from_request(request_type): # Check for the presence of _fake_token_callback and runs it instead of trying to retrieve token (provided app.debug is True) if has_fake_token_callback(): if current_app.debug: return fake_token(request_type) else: import warnings warnings.warn( "ignoring _fake_token_callback, as app.debug is False") # We have three cases here, having jwts in both cookies and headers is # valid, or the jwt can only be saved in one of cookies or headers. Check # all cases here. if config.jwt_in_cookies and config.jwt_in_headers: try: decoded_token = _decode_jwt_from_cookies(request_type) except NoAuthorizationError: try: decoded_token = _decode_jwt_from_headers() except NoAuthorizationError: raise NoAuthorizationError( "Missing JWT in headers and cookies") elif config.jwt_in_headers: decoded_token = _decode_jwt_from_headers() else: decoded_token = _decode_jwt_from_cookies(request_type) # Make sure the type of token we received matches the request type we expect verify_token_type(decoded_token, expected_type=request_type) # If blacklisting is enabled, see if this token has been revoked verify_token_not_blacklisted(decoded_token, request_type) return decoded_token
def _decode_jwt_from_request(request_type): # We have three cases here, having jwts in both cookies and headers is # valid, or the jwt can only be saved in one of cookies or headers. Check # all cases here. if config.jwt_in_cookies and config.jwt_in_headers: try: decoded_token = _decode_jwt_from_cookies(request_type) except NoAuthorizationError: try: decoded_token = _decode_jwt_from_headers() except NoAuthorizationError: raise NoAuthorizationError( "Missing JWT in headers and cookies") elif config.jwt_in_headers: decoded_token = _decode_jwt_from_headers() else: decoded_token = _decode_jwt_from_cookies(request_type) # Make sure the type of token we received matches the request type we expect verify_token_type(decoded_token, expected_type=request_type) # If blacklisting is enabled, see if this token has been revoked verify_token_not_blacklisted(decoded_token, request_type) return decoded_token
def decode_jwt_from_json(request, request_type, allow_missing_token=False): if request.content_type != 'application/json': raise NoAuthorizationError( 'Invalid content-type. Must be application/json.') if request_type == 'access': token_key = 'access_token' else: token_key = 'refresh_token' try: encoded_token = request.get_json().get(token_key) if not encoded_token: if allow_missing_token: return None else: raise BadRequest() except BadRequest: raise NoAuthorizationError( 'Missing "{}" key in json data.'.format(token_key)) decoded_token = None decoded_token = decode_token(encoded_token, None) verify_token_type(decoded_token, expected_type=request_type) verify_token_not_blacklisted(decoded_token, request_type) return decoded_token
def check_token(self, token): """检测token是否存在""" try: decoded_token = decode_token(token) verify_token_not_blacklisted(decoded_token, "access") email = decoded_token["identity"] self.user_hash = encrypt_str(email) return True except RevokedTokenError: return False except DecodeError: return False
def _decode_jwt_from_request(request_type): # All the places we can get a JWT from in this request get_encoded_token_functions = [] locations = config.token_location # add the functions in the order specified in JWT_TOKEN_LOCATION for location in locations: if location == "cookies": get_encoded_token_functions.append( lambda: _decode_jwt_from_cookies(request_type)) if location == "query_string": get_encoded_token_functions.append(_decode_jwt_from_query_string) if location == "headers": get_encoded_token_functions.append(_decode_jwt_from_headers) if location == "json": get_encoded_token_functions.append( lambda: _decode_jwt_from_json(request_type)) # Try to find the token from one of these locations. It only needs to exist # in one place to be valid (not every location). errors = [] decoded_token = None jwt_header = None for get_encoded_token_function in get_encoded_token_functions: try: encoded_token, csrf_token = get_encoded_token_function() decoded_token = decode_token(encoded_token, csrf_token) jwt_header = get_unverified_jwt_headers(encoded_token) break except NoAuthorizationError as e: errors.append(str(e)) # Do some work to make a helpful and human readable error message if no # token was found in any of the expected locations. if not decoded_token: token_locations = config.token_location multiple_jwt_locations = len(token_locations) != 1 if multiple_jwt_locations: err_msg = "Missing JWT in {start_locs} or {end_locs} ({details})".format( start_locs=", ".join(token_locations[:-1]), end_locs=token_locations[-1], details="; ".join(errors), ) raise NoAuthorizationError(err_msg) else: raise NoAuthorizationError(errors[0]) verify_token_type(decoded_token, expected_type=request_type) verify_token_not_blacklisted(decoded_token, request_type) return decoded_token, jwt_header
def _decode_jwt_from_request(request_type): # All the places we can get a JWT from in this request get_encoded_token_functions = [] if config.jwt_in_cookies: get_encoded_token_functions.append( lambda: _decode_jwt_from_cookies(request_type)) if config.jwt_in_query_string: get_encoded_token_functions.append(_decode_jwt_from_query_string) if config.jwt_in_headers: get_encoded_token_functions.append(_decode_jwt_from_headers) if config.jwt_in_json: get_encoded_token_functions.append( lambda: _decode_jwt_from_json(request_type)) # Try to find the token from one of these locations. It only needs to exist # in one place to be valid (not every location). errors = [] decoded_token = None for get_encoded_token_function in get_encoded_token_functions: try: encoded_token, csrf_token = get_encoded_token_function() decoded_token = decode_token(encoded_token, csrf_token) break except ExpiredSignatureError: # Save the expired token so we can access it in a callback later expired_data = decode_token(encoded_token, csrf_token, allow_expired=True) ctx_stack.top.expired_jwt = expired_data raise except NoAuthorizationError as e: errors.append(str(e)) # Do some work to make a helpful and human readable error message if no # token was found in any of the expected locations. if not decoded_token: token_locations = config.token_location multiple_jwt_locations = len(token_locations) != 1 if multiple_jwt_locations: err_msg = "Missing JWT in {start_locs} or {end_locs} ({details})".format( start_locs=", ".join(token_locations[:-1]), end_locs=token_locations[-1], details="; ".join(errors)) raise NoAuthorizationError(err_msg) else: raise NoAuthorizationError(errors[0]) verify_token_type(decoded_token, expected_type=request_type) verify_token_not_blacklisted(decoded_token, request_type) return decoded_token
def get_user_token(encoded_token, token_type): from flask_jwt_extended.exceptions import NoAuthorizationError, UserLoadError from flask_jwt_extended import utils as jwt_utils from flask_jwt_extended.config import config as jwt_config if encoded_token is None: raise NoAuthorizationError('Missing "access_token" query parameter') token_data = decode_token(encoded_token) jwt_utils.verify_token_type(token_data, expected_type=token_type) jwt_utils.verify_token_not_blacklisted(token_data, token_type) jwt_utils.verify_token_claims(token_data) return token_data[jwt_config.identity_claim_key]
def verify_jwt_token(encoded_token, token_type): from flask_jwt_extended.exceptions import NoAuthorizationError, UserLoadError from flask_jwt_extended import utils as jwt_utils from flask_jwt_extended.config import config as jwt_config if encoded_token is None: raise NoAuthorizationError('Missing "access_token" query parameter') token_data = decode_token(encoded_token) jwt_utils.verify_token_type(token_data, expected_type=token_type) jwt_utils.verify_token_not_blacklisted(token_data, token_type) jwt_utils.verify_token_claims(token_data) identity = token_data[jwt_config.identity_claim_key] if jwt_utils.has_user_loader(): user = jwt_utils.user_loader(identity) if user is None: raise UserLoadError( "user_loader returned None for {}".format(identity))
def is_accessible(self): try: token = request.args.get("jwt") if not token: token = urllib.parse.parse_qsl(request.args.get("url"))[0][1] decoded_token = decode_token(token) verify_token_not_blacklisted(decoded_token, request_type="access") ctx_stack.top.jwt = decoded_token if has_user_loader(): user = user_loader(ctx_stack.top.jwt["identity"]) if user is None: raise UserLoadError( "user_loader returned None for {}".format(user)) ctx_stack.top.jwt_user = user current_user = get_jwt_identity() is_admin = UserModel.query.filter_by( username=current_user).one().admin return current_user and is_admin except Exception as e: current_app.logger.critical("FAULTY ADMIN UI ACCESS: %s", str(e)) return False