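def refresh_expiring_jwts(response):
    """Flask ``after_request`` hook that renews a JWT cookie that is close to expiring.

    Args:
        response: The outgoing Flask response.

    Returns:
        A ``/login`` redirect with the JWT cookies cleared when the view answered
        401; otherwise the same response, with a fresh access-token cookie
        attached when the current token expires inside the renewal window.
    """
    try:
        if response.status_code == 401:
            # Not authorised (expired token or never logged in): drop the JWT
            # cookies and send the client back to the login page.
            response = redirect('/login')
            unset_jwt_cookies(response)
            return response

        # Read the verified token once. get_jwt() raises RuntimeError when no
        # JWT was verified for this request; the except below makes that a no-op.
        claims = get_jwt()
        exp_timestamp = claims["exp"]
        now = datetime.now(timezone.utc)
        # NOTE(review): the original comment said "15 min", but the code renews
        # any token that expires within the next 20 hours — confirm which is intended.
        target_timestamp = datetime.timestamp(now + timedelta(hours=20))
        if target_timestamp > exp_timestamp:
            # Carry the role over so the renewed token grants the same permissions.
            additional_claims = {"roleuser": claims["roleuser"]}
            access_token = create_access_token(
                identity=get_jwt_identity(),
                additional_claims=additional_claims,
            )
            # Attach the new token cookie and return the response that was requested.
            set_access_cookies(response, access_token)
        return response
    except (RuntimeError, KeyError):
        # No valid JWT on this request: return the original response untouched.
        return response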
def post(self):
    """Authenticate with username/password and hand out a bearer access token.

    Any token presented alongside the login request is blacklisted first. On
    failure the same message is returned for an unknown username and a wrong
    password, so the response does not reveal which accounts exist.
    """
    presented = get_jwt()
    if presented:
        # blacklist existing token if available
        blacklist_token(presented['jti'])

    credentials = user_login_parser.parse_args()
    user = get_user_by_username(credentials['username'])

    if not (user and user.verify_password(credentials['password'])):
        return {
            'msg': 'Your Username or Password is wrong',
            'action': 'Head over to registration',
            'link': url_for('api_bp.auth_signup_resource')
        }, HTTPStatus.UNAUTHORIZED  # 401

    return {
        'msg': f'Welcome back {user.name}',
        'access_token': f'Bearer {user.generate_access_token()}',
        'action': 'Update Authorization header with-access_token'
    }, HTTPStatus.OK  # 200
def decorator(*args, **kwargs):
    """Run ``fn`` only when a JWT was presented and its jti has not been logged out."""
    verify_jwt_in_request(optional=True)
    token = get_jwt()
    # With optional verification an empty dict means no token was supplied.
    if token == {}:
        return serializer.Response(serializer.JWT_FORMAT_ERROR, None, "JWT TOKEN未填写").Return()
    # A jti recorded as logged out is reported as an expired token.
    if checkJWTisLogout(token["jti"]):
        return serializer.Response(serializer.JWT_EXPIRED_ERROR, None, "token已失效").Return()
    return fn(*args, **kwargs)
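def post(self):
    """Revoke the presented refresh token and clear the JWT cookies.

    Returns:
        A response with the cookies unset and a confirmation message, or a
        ``500`` JSON body when persisting the revocation record fails.
    """
    claims = get_jwt()
    jti = claims['jti']
    exp = claims['exp']
    try:
        # Keep the token's own expiry with the record so revocations can be
        # pruned once the token would have expired anyway.
        revoked_token = db.RevokedToken(
            jti=jti,
            expiration_date=datetime.datetime.fromtimestamp(
                exp, datetime.timezone.utc).isoformat())
        revoked_token.save()
        resp = make_response({'message': 'Refresh token has been revoked'})
        unset_jwt_cookies(resp)
        return resp
    except Exception:
        # Was a bare ``except``, which also swallowed KeyboardInterrupt/SystemExit.
        return {'message': 'Something went wrong'}, 500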
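def wrapper(*args, **kwargs):
    """Run ``fn`` only for callers whose JWT carries ``role == "proveedor"``."""
    verify_jwt_in_request()
    claims = get_jwt()
    # ``.get`` so a token without a role claim is denied with 403 instead of
    # raising KeyError (an unhandled 500).
    if claims.get('role') == "proveedor":
        return fn(*args, **kwargs)
    return 'Only proveedor can access', 403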
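def decorator(*args, **kwargs):
    """Run ``fn`` only when the JWT's ``is_teacher`` claim is truthy."""
    verify_jwt_in_request()
    claims = get_jwt()
    # ``.get`` so a token without the claim is denied with 403 instead of
    # raising KeyError (an unhandled 500).
    if claims.get("is_teacher"):
        return fn(*args, **kwargs)
    return jsonify(msg="teachers only!"), 403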
def logout():
    """Record the presented token's jti in the blocklist so it can no longer be used."""
    blocked = Blocklist(jti=get_jwt()["jti"])
    db.session.add(blocked)
    db.session.commit()
    return jsonify({"status": "OK", "detail": "Logged out successfully"}), 200
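def get(self):
    """Show email confirmation dialog.

    The request must carry a limited-scope confirmation token whose ``email``
    claim matches the account's current address; otherwise 403. A still
    unconfirmed account is moved to the disabled role and the new-user mail is sent.
    """
    auth_provider = current_app.config.get("AUTH_PROVIDER")
    if auth_provider is None:
        abort(405)
    user_id = get_jwt_identity()
    try:
        username = auth_provider.get_name(user_id)
    except ValueError:
        abort(401)
    claims = get_jwt()
    # A missing or different scope claim means this is not a confirmation token
    # (``.get`` keeps that on the 403 path instead of raising KeyError).
    if claims.get(CLAIM_LIMITED_SCOPE) != SCOPE_CONF_EMAIL:
        abort(403)
    current_details = auth_provider.get_user_details(username)
    # The email is stored in the JWT; it must be present and equal the account's
    # current address. A missing claim is rejected rather than compared to None.
    token_email = claims.get("email")
    if token_email is None or token_email != current_details.get("email"):
        abort(403)
    if current_details["role"] == ROLE_UNCONFIRMED:
        # otherwise it has been confirmed already
        auth_provider.modify_user(name=username, role=ROLE_DISABLED)
        send_email_new_user(
            username=username,
            fullname=current_details.get("full_name", ""),
            email=token_email,
        )
    title = _("E-mail address confirmation")
    message = _("Thank you for confirming your e-mail address.")
    return render_template("confirmation.html", title=title, message=message)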
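def post(self):
    """Issue a new access/refresh token pair for the identity in the presented token.

    Returns:
        ``200`` with username, user_type and both tokens; ``401`` when the token
        has no identity; ``500`` when token creation fails.
    """
    try:
        current_identity = get_jwt_identity()
        claims = get_jwt()
        if not current_identity:
            return {'status': 'fail', 'message': 'Not Authorized. '}, 401
        user_type = claims['user_type']
        # The user_type claim is copied from the old token so the new pair keeps
        # the same authorisation level.
        additional_claims = {'user_type': user_type}
        # NOTE(review): the access token lives as long as the refresh token
        # (7 days) — confirm that such a long-lived access token is intended.
        lifetime = timedelta(days=7)
        access_token = create_access_token(
            identity=current_identity,
            additional_claims=additional_claims,
            expires_delta=lifetime)
        refresh_token = create_refresh_token(
            identity=current_identity,
            additional_claims=additional_claims,
            expires_delta=lifetime)
        return {
            'username': current_identity,
            'user_type': user_type,
            'access_token': access_token,
            'refresh_token': refresh_token
        }, 200
    except Exception:
        # Was ``except BaseException``, which also swallowed SystemExit/KeyboardInterrupt.
        return {'status': 'fail', 'message': 'Could not refresh token. '}, 500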
def get(self):
    """Return the caller's ``CheckHakPilih`` result, or abort with 500 on an unknown status."""
    subject = get_jwt()['sub']
    outcome = voting.CheckHakPilih(subject)
    # Only these two statuses are passed through to the client as-is.
    if outcome['status'] in ("Berhasil", "Gagal"):
        return outcome
    api.abort(500, "Internal server error")
def decorator(*args, **kwargs):
    """Run ``fn`` only for a presented, not-logged-out JWT whose identity is an admin."""
    verify_jwt_in_request(optional=True)
    token = get_jwt()
    # With optional verification an empty dict means no token was supplied.
    if token == {}:
        return serializer.Response(serializer.JWT_FORMAT_ERROR, None, "JWT TOKEN未填写").Return()
    if checkJWTisLogout(token["jti"]):
        return serializer.Response(serializer.JWT_EXPIRED_ERROR, None, "token已失效").Return()
    # NOTE(review): the identity is subscripted here, so the JWT subject is
    # presumably a dict with an ``is_admin`` key — confirm against the issuer.
    identity = get_jwt_identity()
    if not identity["is_admin"]:
        return serializer.Response(serializer.JWT_TOKEN_ERROR, None, "您不是管理员").Return()
    return fn(*args, **kwargs)
def users():
    """Render the user list; admins also see new/expired accounts and role borders."""
    claims = get_jwt()
    iam_admin = claims['role'] == 'admin'
    users = database.manager.db.list_users(include_new_and_expired=iam_admin)
    if iam_admin:
        # Highlight admins and freshly registered users in the admin view.
        border_by_role = {'admin': 'border-danger', 'new': 'border-info'}
        for entry in users:
            css = border_by_role.get(entry['role'])
            if css is not None:
                entry['border'] = css
    for entry in users:
        LoginAPI.test_user_expiration(entry)
        if entry['role'] == 'temporary':
            entry['expiration_date'] = LoginAPI.get_expiration_datetime(entry)
    header = render_template('header.html', **lang, is_connected=True)
    return render_template(
        'users.html',
        title=lang['usersTitle'],
        lang=lang['lang'],
        gotohome=lang['gotohome'],
        users=users,
        theme=claims['theme'],
        header=header,
        iam_admin=iam_admin,
        approve=lang['APPROVE'],
        temporary=lang['TEMPORARY_USER'],
        delete=lang['DELETE'],
    )
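def handle_exception(e):
    """Flask error handler: pass HTTP exceptions through, report everything else.

    Args:
        e: The exception raised by the view.

    Returns:
        The HTTPException itself, or the rendered error page with status 500.
        Outside debug mode the detailed report (trace, JWT identity/claims,
        User-Agent) is e-mailed to the developers and the client sees only
        ``str(e)``; in debug mode the full report is rendered instead.
    """
    # pass through HTTP exceptions
    if isinstance(e, HTTPException):
        return e
    exc_type, exc_value, exc_traceback = sys.exc_info()
    infos = "<br/>".join(
        traceback.format_exception(exc_type, exc_value, exc_traceback))
    try:
        # get_jwt_identity() raises when no JWT was verified for this request;
        # identity details are optional in the report, so this is best effort.
        user_id = get_jwt_identity()
        if user_id is not None:
            claims = get_jwt()
            infos = "user_id: {}<br/>claims: {}<br/><br/>{}".format(
                user_id, json.dumps(claims), infos)
    except Exception:
        pass
    try:
        # Best effort as well: there are no headers outside a request context.
        user_agent = request.headers.get('User-Agent')
        infos = "{}<br/><br/>UA: {}".format(infos, user_agent)
    except Exception:
        pass
    if not app.debug:
        # Send detailed infos to dev.
        emails.send_application_exception(infos)
        # NOTE(review): str(e) is shown to the client and may echo internal
        # detail from the exception message — consider a generic text.
        error = str(e)
    else:
        error = infos
    return error_page(error), 500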
def logout():
    """
    User logout
    ---
    tags:
      - Authentication
    summary: Logout
    consumes:
      - application/json
    produces:
      - application/json
    parameters:
      - name: authorization
        in: authorization
        description: JSON parameter
        required: true
        schema:
          required:
            - authorization
          properties:
            authorization:
              type: string
              example: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eSI6ImZjbG9pdHJlIiwiZnJlc2giOmZhbHNlLCJ0eXBlIjoiYWNjZXNzIiwiZXhwIjoxNTMyMjA4Nzk0LCJqdGkiOiI5YmQ5OGEwNC1lMTYyLTQwNWMtODg4Zi03YzlhMTAwNTE2ODAiLCJuYmYiOjE1MzIyMDc4OTQsImlhdCI6MTUzMjIwNzg5NH0.oZKoybFIt4mIPF6LrC2cKXHP8o32vAEcet0xVjpCptE
    responses:
      200:
        description: user disconnected
    """
    # The docstring above is an API-documentation fragment (the ``---`` separator
    # suggests it is parsed at runtime), so its content is kept unchanged.
    presented_jti = get_jwt()["jti"]
    try:
        # Persisting the jti is what invalidates the token for later requests.
        RevokedTokenModel(jti=presented_jti).add()
    except Exception:
        return {"message": "Something went wrong"}, 500
    return {"msg": "Successfully logged out"}, 200
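def decorator(*args, **kwargs):
    """Run ``fn`` only when the JWT's ``is_admin`` claim is truthy."""
    verify_jwt_in_request()
    claims = get_jwt()
    # ``.get`` so a token without the claim is denied with 403 instead of
    # raising KeyError (an unhandled 500).
    if claims.get("is_admin"):
        return fn(*args, **kwargs)
    return jsonify({'success': False, 'msg': 'Admins only'}), 403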
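def update_appointment(appointment_id):
    """Let the client who owns an appointment change its ``date_time``.

    Args:
        appointment_id: Primary key of the appointment to update.

    Returns:
        ``({"data": <new date_time>}, 200)`` on success; ``400`` when the id is
        unknown or the body carries no ``date_time``; ``401`` when the caller is
        not the client the appointment belongs to.
    """
    claims = get_jwt()
    # ``or {}`` so an absent JSON body is reported as 400 rather than a TypeError.
    body = request.get_json() or {}
    session = current_app.db.session
    appointment = Appointments.query.filter_by(id=appointment_id).first()
    if not appointment:
        return {"msg": "Wrong appointment ID"}, HTTPStatus.BAD_REQUEST
    # Ownership comes from the verified token only; ``.get`` keeps a token
    # without these claims on the deny path instead of raising KeyError, and
    # a missing user_id is never allowed to match.
    token_user_id = claims.get("user_id")
    is_owner = (token_user_id is not None
                and token_user_id == appointment.client_id
                and claims.get("user_type") == "client")
    if not is_owner:
        return {
            "data": "You don't have permission to do this"
        }, HTTPStatus.UNAUTHORIZED
    date_time = body.get("date_time")
    if not date_time:
        return {"msg": "Verify BODY content"}, HTTPStatus.BAD_REQUEST
    # NOTE(review): date_time is stored as received from the client; validation
    # is presumably left to the model/DB column — confirm.
    appointment.date_time = date_time
    session.add(appointment)
    session.commit()
    return {"data": date_time}, HTTPStatus.OK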
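def wrapper(*args, **kwargs):
    """Run ``fn`` only for JWTs whose ``role`` claim is ``cliente`` or ``admin``."""
    verify_jwt_in_request()
    claims = get_jwt()
    # ``.get`` so a token without a role claim is denied with 403 instead of
    # raising KeyError (an unhandled 500).
    if claims.get('role') in ("cliente", "admin"):
        return fn(*args, **kwargs)
    return 'Only cliente or admin can acces', 403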
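def addflow():
    """Render the add-flow page for admin/operator tokens, the access-denied page otherwise."""
    # ``.get`` so a token without the roleuser claim lands on the denied page
    # instead of raising KeyError (an unhandled 500).
    role = get_jwt().get('roleuser')
    if role in ("admin", "operator"):
        return render_template('addflow.html', switches=switches)
    return render_template('AccessDenied.html')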
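def add_answer(qid):
    """GET: return the question text for ``qid``; POST: store the caller's answer.

    Args:
        qid: Question id (the string form of a Mongo ObjectId).

    Returns:
        A dict body: the question on GET, a result or error message on POST.
        A user may answer a given question only once; the user id is taken from
        the verified JWT, never from the request body.
    """
    if request.method == 'GET':
        question = db_question.find_one({"_id": ObjectId(qid)})
        # Guard the lookup so an unknown id is an error body, not a TypeError.
        if question is None:
            return {'Error': 'Question not found'}
        return {'Question': question["Question"]}
    if request.method == 'POST':
        user_id = get_jwt()['user']
        # ``silent=True``/``or {}`` so a missing JSON body yields answer=None
        # instead of raising.
        payload = request.get_json(silent=True) or {}
        answer = payload.get('answer')
        already = db_answer.find_one({'user_id': user_id, 'question_id': qid})
        if already is not None:
            return {'Error': 'User Already Added Answer'}
        # TODO: picture upload (secure_filename + cloud storage) once the front
        # end exists; the previous draft of that code was removed from here.
        db_answer.insert_one({
            "question_id": qid,
            "user_id": user_id,
            "answer": answer,
        })
        return {'result': 'Answer Added successfully'}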
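def wrapper(*args, **kwargs):
    """Run ``fn`` only when the JWT's ``role`` claim is ``admin``."""
    verify_jwt_in_request()
    claims = get_jwt()
    # ``.get`` so a token without a role claim is denied with 403 instead of
    # raising KeyError (an unhandled 500).
    if claims.get("role") != "admin":  # TODO could be multiple
        return jsonify(msg="Admins only!"), 403
    return fn(*args, **kwargs)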
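def get(self):
    """Return the caller's ``GetKandidatTerpilih`` result, or abort with a generic 500."""
    import logging

    subject = get_jwt()['sub']
    try:
        return voting.GetKandidatTerpilih(subject)
    except Exception:
        # Keep the real failure in the server log; the client previously
        # received the exception text itself, which can expose internal detail.
        logging.getLogger(__name__).exception("GetKandidatTerpilih failed")
        api.abort(500, "Internal server error")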
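def wrapper(*args, **kwargs):
    """Run ``fn`` only for JWTs whose ``status`` claim is present and falsy.

    Presumably the counterpart of an internal-only guard: a truthy status is
    refused here. A token with no ``status`` claim at all is refused as well
    (the original raised KeyError there, an unhandled 500).
    """
    verify_jwt_in_request()
    claims = get_jwt()
    status = claims.get('status')
    if status is None or status:
        return {'status':'failed', 'message':'FORBIDDEN | JWT NEEDED'}, 403
    return fn(*args, **kwargs)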
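def generate_update_email_token(email):
    """Create a one-hour, fresh token carrying the new address and mail it to that address.

    Args:
        email: The address the user wants to switch to.

    Returns:
        The encoded verification token.

    Raises:
        MyException: (404) when the JWT subject does not match a known user.
    """
    user = User.query.filter(User.username == get_jwt()['sub']).first()
    if not user:
        raise MyException('invalid user', status_code=404)
    # The new address travels inside the signed token's claims, so the
    # confirming step can read it from the token rather than the request.
    email_verify_token = create_access_token(
        identity=user.user_id,
        fresh=True,
        expires_delta=timedelta(hours=1),
        additional_claims={'email': email, 'username': user.username},
    )
    try:
        msg = Message(subject="email verification",
                      sender=os.environ.get('MAIL_USERNAME'),
                      recipients=[email])
        msg.body = 'click the link below to verify email'
        msg.html = "<href>" f"{email_verify_token}" "</href>"
        mail.send(msg)
    except Exception:
        # Sending is best effort in this setup; the token is still returned.
        print(
            'message:- this are test email, you can use real email in a sender and recipients'
        )
    # Was ``finally: return``, which would also have masked any error raised
    # inside the except handler itself.
    return email_verify_token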
def post(self):
    """Mint a new access token when the presented token's jti is the refresh jti on record."""
    presented_jti = get_jwt().get('jti')
    # Anything other than the stored refresh jti (including a missing one) is refused.
    if presented_jti != current_user.refresh_token:
        return make_response(jsonify({"message": "Incorrect or expired token"}), 401)
    fresh_access = create_access_token(identity=current_user)
    return jsonify(access_token=fresh_access)
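def wrapper(*args, **kwargs):
    """Run ``fn`` only for JWTs whose ``status`` claim is truthy (internal callers)."""
    verify_jwt_in_request()
    claims = get_jwt()
    # ``.get`` so a token without the claim is denied with 403 instead of
    # raising KeyError (an unhandled 500).
    if not claims.get('status'):
        return {'status':'failed', 'message':'FORBIDDEN | Internal Only'}, 403
    return fn(*args, **kwargs)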
def post(cls):
    """Log the caller out by adding the presented token's jti to BLOCKLIST."""
    claims = get_jwt()
    user_id = get_jwt_identity()
    BLOCKLIST.add(claims['jti'])
    message = gettext('user_logged_out').format(id=user_id)
    return {'message': message}, 200
def find(id):
    """Build a ``User`` for ``id`` whose ``schema`` and ``config`` come from the JWT claims."""
    result = User()
    result.id = id
    claims = get_jwt()
    # Both claims are required; a token without them raises KeyError here.
    result.schema = claims["schema"]
    result.config = claims["config"]
    return result
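def delete_user(username: str):
    """Delete ``username``; permitted for the account owner or an ``is_admin`` token.

    Returns:
        ``{"message": "Delete successful."}`` (200) on success, otherwise a 401 body.
    """
    claims = get_jwt()
    user = UserModel.get_by_username(username)
    if user:
        is_self = user.id == get_jwt_identity()
        # ``.get`` so a non-owner token without the claim is denied instead of
        # raising KeyError (an unhandled 500).
        if is_self or claims.get('is_admin'):
            user.remove_from_db()
            return {"message": "Delete successful."}
    return {"message": "You may not delete other user accounts."}, 401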
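def put(self):
    """Update a colour's hex value; admin-only.

    Returns:
        ``401`` without the ``is_admin`` claim, ``400`` when ``color_id`` or
        ``color_value`` is missing/empty, otherwise the updated colour's JSON.
    """
    claims = get_jwt()
    if not claims.get("is_admin"):
        return {
            "description": "You need admin privileges",
            "error": "invalid_credentials",
        }, 401
    # ``or {}`` and ``.get`` so an absent body or key is a 400, not a
    # TypeError/KeyError (an unhandled 500).
    color_data = request.get_json() or {}
    if not color_data.get("color_id"):
        return {
            "description": "The color id must be given",
            "error": "missing_info",
        }, 400
    if not color_data.get("color_value"):
        return {
            "description": "The color needs a new color hex value",
            "error": "missing_info",
        }, 400
    color: ColorModel = ColorService.retrieve_by_color_id(
        color_data["color_id"], self.app)
    # NOTE(review): color_value is passed through unvalidated; the service or
    # model is presumably responsible for checking it is a hex colour — confirm.
    updates: ColorInterface = dict(color_value=color_data["color_value"])
    color = ColorService.update(color, updates, self.app, db)
    return {
        "message": "Color updated successfully.",
        "color": ColorService.json(color),
    }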
def wrapper(*args, **kwargs):
    """Require a limited-scope JWT before calling ``func``, unless auth is disabled in config.

    ``DISABLE_AUTH`` skips token verification entirely; it is presumably a
    development/test switch and should not be set in production.
    """
    auth_enabled = not current_app.config.get("DISABLE_AUTH")
    if auth_enabled:
        verify_jwt_in_request()
        # Only tokens that carry the limited-scope claim may reach this endpoint.
        if not get_jwt().get(CLAIM_LIMITED_SCOPE):
            raise NoAuthorizationError
    return func(*args, **kwargs)