コード例 #1
ファイル: APP.py プロジェクト: devcoronel/Quality-Stack
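def refresh_expiring_jwts(response):
    """Flask ``after_request`` hook that keeps the access-token cookie alive.

    If the view answered 401 (no JWT, or an expired/invalid one) the JWT
    cookies are cleared and the client is redirected to ``/login``.
    Otherwise, when the current token expires inside the sliding window, a
    fresh access token with the same identity and ``roleuser`` claim is
    written into the cookies of the outgoing response.

    :param response: the outgoing Flask response.
    :return: the (possibly replaced) response.

    NOTE(review): there is no absolute session lifetime -- an active client
    is refreshed indefinitely.  Also, every 401, including API/XHR ones, is
    turned into a 302 to ``/login``.
    """
    try:
        if response.status_code == 401:
            # Not authorised (expired JWT or not logged in): drop the JWT
            # cookies and send the browser to the login page.
            response = redirect('/login')
            unset_jwt_cookies(response)
            return response

        # Read the verified claims once; raises RuntimeError when no JWT
        # was verified for this request (handled below).
        claims = get_jwt()
        exp_timestamp = claims["exp"]
        now = datetime.now(timezone.utc)  # aware UTC, same basis as "exp"
        # Sliding window: refresh once the token expires within the next
        # 20 hours.  (The original inline comment said 15 min while the
        # code used 20 h -- confirm which value is intended.)
        target_timestamp = datetime.timestamp(now + timedelta(hours=20))

        if target_timestamp > exp_timestamp:
            # Carry the role over from the old token so authorisation does
            # not change on refresh.  The claim is trusted only because
            # get_jwt() returns a signature-verified payload.
            additional_claims = {"roleuser": claims["roleuser"]}
            access_token = create_access_token(
                identity=get_jwt_identity(),
                additional_claims=additional_claims,
            )
            set_access_cookies(response, access_token)

        return response

    except (RuntimeError, KeyError):
        # No valid JWT in this request (or it lacks the expected claims):
        # hand back the original response untouched.
        return response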
コード例 #2
    def post(self):
        """Issue an access token for valid username/password credentials.

        Any token already presented with the request is blacklisted first,
        so a re-login invalidates the previous token.  On success the new
        bearer token is returned in the JSON body; on failure a generic 401
        is returned -- the same message for an unknown user and a wrong
        password, so usernames are not enumerable from the response text.
        """
        existing_claims = get_jwt()
        if existing_claims:
            # Revoke the token that accompanied this login attempt.
            blacklist_token(existing_claims['jti'])

        credentials = user_login_parser.parse_args()
        account = get_user_by_username(credentials['username'])

        # Short-circuits on a missing account, so verify_password only runs
        # when there is a user record to check against.
        authenticated = bool(account) and account.verify_password(
            credentials['password'])
        if not authenticated:
            return {
                'msg': 'Your Username or Password is wrong',
                'action': 'Head over to registration',
                'link': url_for('api_bp.auth_signup_resource')
            }, HTTPStatus.UNAUTHORIZED  #401

        return {
            'msg': f'Welcome back {account.name}',
            'access_token': f'Bearer {account.generate_access_token()}',
            'action': 'Update Authorization header with-access_token'
        }, HTTPStatus.OK  #200
コード例 #3
        def decorator(*args, **kwargs):
            """Require a JWT that has not been logged out before running ``fn``.

            ``optional=True`` lets a request with *no* token reach this code
            (``get_jwt()`` is then ``{}``) so the missing-token case can be
            answered with the project's own error envelope.  Per
            flask-jwt-extended's documented behaviour a token that is present
            but fails verification is still rejected inside
            ``verify_jwt_in_request`` itself -- confirm for the installed
            version.
            """
            verify_jwt_in_request(optional=True)
            claims = get_jwt()
            if not claims:
                return serializer.Response(serializer.JWT_FORMAT_ERROR, None,
                                           "JWT TOKEN未填写").Return()
            # Stateful revocation check (logout list) keyed on the token id.
            if checkJWTisLogout(claims["jti"]):
                return serializer.Response(serializer.JWT_EXPIRED_ERROR, None,
                                           "token已失效").Return()
            return fn(*args, **kwargs)
コード例 #4
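    def post(self):
        """Revoke the token presented with this request.

        The token's ``jti`` is stored in ``db.RevokedToken`` together with
        its expiry (ISO-8601, UTC) so the record can be purged once the
        token would have expired anyway.  The JWT cookies are then cleared
        on the response.

        On a persistence failure a generic 500 is returned; the error
        detail is deliberately not sent to the client.
        """
        claims = get_jwt()
        jti = claims['jti']
        exp = claims['exp']
        try:
            revoked_token = db.RevokedToken(
                jti=jti,
                expiration_date=datetime.datetime.fromtimestamp(
                    exp, datetime.timezone.utc).isoformat())
            revoked_token.save()

            resp = make_response({'message': 'Refresh token has been revoked'})
            unset_jwt_cookies(resp)
            return resp
        except Exception:
            # Narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt
            # are no longer swallowed and turned into a 500.
            # TODO(review): log the exception here; it is otherwise lost.
            return {'message': 'Something went wrong'}, 500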
コード例 #5
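 def wrapper(*args, **kwargs):
     """Allow the wrapped view only for JWTs whose ``role`` claim is "proveedor".

     A token without a ``role`` claim is refused with 403 instead of
     raising ``KeyError`` (a 500); access is denied either way, but 403 is
     the intended answer.  The claim is trusted because
     ``verify_jwt_in_request`` has verified the token signature first.
     """
     verify_jwt_in_request()
     claims = get_jwt()
     if claims.get('role') == "proveedor":
         return fn(*args, **kwargs)
     return 'Only proveedor can access', 403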
コード例 #6
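 def decorator(*args, **kwargs):
     """Allow the wrapped view only when the JWT carries a truthy ``is_teacher`` claim.

     A token without the claim is refused with 403 rather than raising
     ``KeyError`` (500); access is denied either way, but 403 is the
     intended answer.  The claim is trusted only because
     ``verify_jwt_in_request`` has verified the signature first.
     """
     verify_jwt_in_request()
     claims = get_jwt()
     if not claims.get("is_teacher"):
         return jsonify(msg="teachers only!"), 403
     return fn(*args, **kwargs)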
コード例 #7
ファイル: auth.py プロジェクト: pawlaczyk/XSS-Catcher
def logout():
    """Revoke the refresh token of the current request.

    The token's ``jti`` is persisted to the ``Blocklist`` table; presumably
    a token-in-blocklist loader elsewhere in the project consults it and
    refuses the token on later requests.
    """
    entry = Blocklist(jti=get_jwt()["jti"])
    db.session.add(entry)
    db.session.commit()
    payload = {"status": "OK", "detail": "Logged out successfully"}
    return jsonify(payload), 200
コード例 #8
ファイル: user.py プロジェクト: gramps-project/gramps-webapi
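 def get(self):
     """Confirm a user's e-mail address from a limited-scope confirmation token.

     Flow: 405 if no auth provider is configured; 401 if the token's
     identity is unknown to the provider; 403 unless the token carries
     ``CLAIM_LIMITED_SCOPE == SCOPE_CONF_EMAIL`` *and* its ``email`` claim
     still matches the address on file (so an ordinary access token, or a
     token issued for an old address, cannot confirm).  Only then is an
     ``ROLE_UNCONFIRMED`` account moved to ``ROLE_DISABLED`` and the
     new-user notification sent; re-visiting the link afterwards just
     re-renders the confirmation page.
     """
     auth_provider = current_app.config.get("AUTH_PROVIDER")
     if auth_provider is None:
         abort(405)
     user_id = get_jwt_identity()
     try:
         username = auth_provider.get_name(user_id)
     except ValueError:
         abort(401)
     claims = get_jwt()
     # ``.get`` so a token lacking the scope claim (e.g. a regular access
     # token) is rejected with 403 instead of a KeyError/500.
     if claims.get(CLAIM_LIMITED_SCOPE) != SCOPE_CONF_EMAIL:
         # This is a wrong token!
         abort(403)
     current_details = auth_provider.get_user_details(username)
     # The address being confirmed is the one stored in the JWT; it must be
     # present and still be the account's current address.  The explicit
     # None check keeps "no claim" from matching "no address on file".
     token_email = claims.get("email")
     if token_email is None or token_email != current_details.get("email"):
         # This is a wrong token!
         abort(403)
     if current_details["role"] == ROLE_UNCONFIRMED:
         # otherwise it has been confirmed already
         auth_provider.modify_user(name=username, role=ROLE_DISABLED)
         send_email_new_user(
             username=username,
             fullname=current_details.get("full_name", ""),
             email=token_email,
         )
     title = _("E-mail address confirmation")
     message = _("Thank you for confirming your e-mail address.")
     return render_template("confirmation.html",
                            title=title,
                            message=message)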
コード例 #9
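    def post(self):
        """Mint a new access/refresh token pair from the presented token.

        The ``user_type`` claim is copied from the old token so the
        authorisation level is preserved.  Both new tokens get a 7-day
        lifetime.

        NOTE(review): the old refresh token is not revoked here, so each
        call extends the session by another 7 days for as long as any one
        refresh token remains valid -- there is no absolute session
        lifetime.  If the application keeps a revocation list, the old
        ``jti`` should be added to it on rotation.
        """
        try:
            current_identity = get_jwt_identity()
            claims = get_jwt()
            if not current_identity:
                response_object = {
                    'status': 'fail',
                    'message': 'Not Authorized. '
                }
                return response_object, 401
            user_type = claims['user_type']  # KeyError -> generic 500 below
            additional_claims = {'user_type': user_type}
            access_token = create_access_token(
                identity=current_identity, additional_claims=additional_claims, expires_delta=timedelta(days=7))
            refresh_token = create_refresh_token(
                identity=current_identity, additional_claims=additional_claims, expires_delta=timedelta(days=7))

            response_object = {
                'username': current_identity,
                'user_type': user_type,
                'access_token': access_token,
                'refresh_token': refresh_token
            }
            return response_object, 200

        except Exception:
            # Was ``BaseException``, which also swallowed SystemExit and
            # KeyboardInterrupt.  Detail is intentionally not sent to the
            # client.  TODO(review): log the exception server-side.
            response_object = {
                'status': 'fail',
                'message': 'Could not refresh token. '
            }
            return response_object, 500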
コード例 #10
 def get(self):
     """Return the voting-eligibility result for the token's subject.

     ``voting.CheckHakPilih`` is expected to answer with a ``status`` of
     either "Berhasil" or "Gagal"; any other status is reported as a
     generic internal error (no detail is leaked to the client).
     """
     subject = get_jwt()['sub']
     result = voting.CheckHakPilih(subject)
     if result['status'] not in ("Berhasil", "Gagal"):
         api.abort(500, "Internal server error")
     return result
コード例 #11
        def decorator(*args, **kwargs):
            """Admin-only guard: a valid, not-logged-out JWT whose identity has ``is_admin``.

            Checks, in order: a token is present (``optional=True`` lets the
            missing-token case be answered with the project's error envelope
            rather than an exception), the token id is not on the logout
            list, and the identity payload's ``is_admin`` flag is truthy.

            NOTE(review): ``is_admin`` is read from ``get_jwt_identity()``,
            i.e. the ``sub`` claim, so this project presumably stores a dict
            as the identity -- confirm.
            """
            verify_jwt_in_request(optional=True)
            claims = get_jwt()
            if not claims:
                return serializer.Response(serializer.JWT_FORMAT_ERROR, None,
                                           "JWT TOKEN未填写").Return()

            if checkJWTisLogout(claims["jti"]):
                return serializer.Response(serializer.JWT_EXPIRED_ERROR, None,
                                           "token已失效").Return()

            identity = get_jwt_identity()
            if not identity["is_admin"]:
                return serializer.Response(serializer.JWT_TOKEN_ERROR, None,
                                           "您不是管理员").Return()
            return fn(*args, **kwargs)
コード例 #12
def users():
    """Render the user list page.

    Admins see every user (including new and expired ones) and get a CSS
    border class per row that highlights admins and not-yet-approved
    users; everyone else gets the plain, filtered list.  Temporary users
    additionally get a human-readable expiration date.
    """
    claims = get_jwt()
    iam_admin = claims['role'] == 'admin'
    users = database.manager.db.list_users(include_new_and_expired=iam_admin)

    border_by_role = {'admin': 'border-danger', 'new': 'border-info'}
    for user in users:
        if iam_admin and user['role'] in border_by_role:
            user['border'] = border_by_role[user['role']]
        # Presumably mutates the user dict (expiry handling) -- confirm
        # against LoginAPI.
        LoginAPI.test_user_expiration(user)
        if user['role'] == 'temporary':
            user['expiration_date'] = LoginAPI.get_expiration_datetime(user)

    header = render_template('header.html', **lang, is_connected=True)
    return render_template('users.html',
                           title=lang['usersTitle'],
                           lang=lang['lang'],
                           gotohome=lang['gotohome'],
                           users=users,
                           theme=claims['theme'],
                           header=header,
                           iam_admin=iam_admin,
                           approve=lang['APPROVE'],
                           temporary=lang['TEMPORARY_USER'],
                           delete=lang['DELETE'])
コード例 #13
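def handle_exception(e):
    """Last-resort error handler: pass HTTP errors through, report everything else.

    Non-HTTP exceptions become a generic 500 page.  The traceback, the
    caller's JWT identity/claims (if any) and the User-Agent are collected
    into an HTML report that is e-mailed to the developers; only with
    ``app.debug`` on is that report shown to the client instead of ``str(e)``.

    Security notes:
    * the report is HTML (``<br/>``-joined) and contains attacker-controlled
      text (the User-Agent header, exception messages that may echo request
      data), so every piece is escaped before insertion;
    * the JWT claims are mailed verbatim -- anything sensitive carried in
      custom claims ends up in e-mail;
    * with ``app.debug`` the full traceback and claims are returned to the
      client, so debug must stay off in production.
    """
    from html import escape  # local import: keeps the block self-contained

    # pass through HTTP exceptions
    if isinstance(e, HTTPException):
        return e
    exc_type, exc_value, exc_traceback = sys.exc_info()
    infos = "<br/>".join(
        escape(line)
        for line in traceback.format_exception(exc_type, exc_value, exc_traceback))

    try:
        user_id = get_jwt_identity()  # was ``id``, which shadowed the builtin
        if user_id is not None:
            claims = get_jwt()
            infos = "user_id: {}<br/>claims: {}<br/><br/>{}".format(
                escape(str(user_id)), escape(json.dumps(claims)), infos)
    except Exception:
        # Best effort: no verified JWT in this context, or a claim that does
        # not serialise -- the report is still sent without it.
        pass

    try:
        user_agent = request.headers.get('User-Agent')
        infos = "{}<br/><br/>UA: {}".format(infos, escape(str(user_agent)))
    except Exception:
        # Best effort: outside a request context there is no header to add.
        pass

    if not app.debug:
        # Send detailled infos to dev.
        emails.send_application_exception(infos)
        error = str(e)
    else:
        error = infos
    return error_page(error), 500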
コード例 #14
ファイル: routes.py プロジェクト: PnX-SI/GeoNature-citizen
def logout():
    """
    User logout
    ---
    tags:
      - Authentication
    summary: Logout
    consumes:
      - application/json
    produces:
      - application/json
    parameters:
      - name: authorization
        in: authorization
        description: JSON parameter
        required: true
        schema:
          required:
            - authorization
          properties:
            authorization:
              type: string
              example: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eSI6ImZjbG9pdHJlIiwiZnJlc2giOmZhbHNlLCJ0eXBlIjoiYWNjZXNzIiwiZXhwIjoxNTMyMjA4Nzk0LCJqdGkiOiI5YmQ5OGEwNC1lMTYyLTQwNWMtODg4Zi03YzlhMTAwNTE2ODAiLCJuYmYiOjE1MzIyMDc4OTQsImlhdCI6MTUzMjIwNzg5NH0.oZKoybFIt4mIPF6LrC2cKXHP8o32vAEcet0xVjpCptE
    responses:
      200:
        description: user disconnected

    """
    # The docstring above is read at runtime as the OpenAPI spec (flasgger
    # style); it is kept verbatim.  Revocation is by token id: the jti is
    # persisted so later requests carrying this token can be refused.
    token_id = get_jwt()["jti"]
    try:
        RevokedTokenModel(jti=token_id).add()
    except Exception:
        # Generic 500; no persistence detail is returned to the client.
        return {"message": "Something went wrong"}, 500
    return {"msg": "Successfully logged out"}, 200
コード例 #15
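 def decorator(*args, **kwargs):
     """Admin-only guard on the JWT ``is_admin`` claim.

     A token without the claim is refused with 403 rather than raising
     ``KeyError`` (500); access is denied either way, but 403 is the
     intended answer.  The claim is trusted only because
     ``verify_jwt_in_request`` has verified the signature first.
     """
     verify_jwt_in_request()
     claims = get_jwt()
     if not claims.get("is_admin"):
         return jsonify({'success': False, 'msg': 'Admins only'}), 403
     return fn(*args, **kwargs)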
コード例 #16
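def update_appointment(appointment_id):
    """Let the owning client change an appointment's ``date_time``.

    Authorisation: the JWT's ``user_id`` must equal the appointment's
    ``client_id`` and its ``user_type`` must be "client"; otherwise 401
    (kept as-is for API compatibility, although 403 is the conventional
    code for an authenticated-but-forbidden request).  An unknown id and a
    body without ``date_time`` are both answered with 400.

    NOTE(review): ``date_time`` is written straight from the request body
    without parsing/validation -- whatever format the column expects
    should be enforced here; confirm against the model.  The claims are
    trusted on the assumption that the route's JWT decorator (outside this
    block) verified the token signature.
    """
    current_user = get_jwt()
    body = request.get_json() or {}  # get_json can yield None
    session = current_app.db.session
    appointment = Appointments.query.filter_by(id=appointment_id).first()

    if not appointment:
        return {"msg": "Wrong appointment ID"}, HTTPStatus.BAD_REQUEST

    # ``.get`` so a token lacking these claims is denied rather than raising
    # KeyError; the explicit None check keeps a missing ``user_id`` from
    # matching an appointment with no client.
    claim_user_id = current_user.get("user_id")
    is_owner = (claim_user_id is not None
                and claim_user_id == appointment.client_id
                and current_user.get("user_type") == "client")
    if not is_owner:
        return {
            "data": "You don't have permission to do this"
        }, HTTPStatus.UNAUTHORIZED

    date_time = body.get("date_time")
    if not date_time:
        return {"msg": "Verify BODY content"}, HTTPStatus.BAD_REQUEST

    # Reuse the row already loaded instead of querying it a second time.
    appointment.date_time = date_time
    session.add(appointment)
    session.commit()
    return {"data": date_time}, HTTPStatus.OK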
コード例 #17
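 def wrapper(*args, **kwargs):
     """Allow the wrapped view for JWTs whose ``role`` is "cliente" or "admin".

     A token without a ``role`` claim is refused with 403 instead of
     raising ``KeyError`` (500).  The claim is trusted because
     ``verify_jwt_in_request`` has verified the signature first.
     """
     verify_jwt_in_request()
     claims = get_jwt()
     if claims.get('role') in ("cliente", "admin"):
         return fn(*args, **kwargs)
     return 'Only cliente or admin can acces', 403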
コード例 #18
ファイル: APP.py プロジェクト: devcoronel/Quality-Stack
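def addflow():
    """Render the add-flow form for admins and operators; an access-denied page otherwise.

    Authorisation is decided solely on the ``roleuser`` claim of the JWT.

    NOTE(review): the denied branch still answers HTTP 200 with the
    AccessDenied template -- acceptable for a browser UI, but monitoring
    and API clients cannot tell it from success by status code.
    """
    role = get_jwt().get('roleuser')  # missing claim -> denied, not KeyError
    if role in ("admin", "operator"):
        return render_template('addflow.html', switches=switches)
    return render_template('AccessDenied.html')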
コード例 #19
ファイル: run.py プロジェクト: Nirajn2311/Quora-Reddit-ML
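def add_answer(qid):
    """GET: return the question text for ``qid``; POST: store the caller's answer.

    The answering user is taken from the JWT's ``user`` claim, never from
    the request body.  Each user may answer a given question once.

    POST body: JSON ``{"answer": <non-empty str>}``.
    """
    if request.method == 'GET':
        try:
            question_oid = ObjectId(qid)
        except Exception:
            # bson raises InvalidId on a malformed id; answer cleanly
            # instead of surfacing a 500.
            return {'Error': 'Invalid question id'}
        question = db_question.find_one({"_id": question_oid})
        if question is None:
            return {'Error': 'Question not found'}
        return {'Question': question["Question"]}

    if request.method == 'POST':
        user_id = get_jwt()['user']
        answer = (request.json or {}).get('answer')
        # The body is untrusted: only accept a non-empty string, otherwise a
        # dict/list would be stored into Mongo as a sub-document as-is.
        if not isinstance(answer, str) or not answer.strip():
            return {'Error': 'Answer must be a non-empty string'}

        if db_answer.find_one({
                'user_id': user_id,
                'question_id': qid
        }) is not None:
            return {'Error': 'User Already Added Answer'}

        # TODO: profile-picture upload (secure_filename -> UPLOAD_FOLDER ->
        # cloudinary) once the front end exists.
        db_answer.insert_one({
            "question_id": qid,
            "user_id": user_id,
            "answer": answer,
        })
        return {'result': 'Answer Added successfully'}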
コード例 #20
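 def wrapper(*args, **kwargs):
     """Admin-only guard on the JWT ``role`` claim.

     A missing claim is refused with 403 (``.get`` -> None != "admin")
     instead of raising ``KeyError``.  The claim is trusted because
     ``verify_jwt_in_request`` has verified the signature first.
     """
     verify_jwt_in_request()
     claims = get_jwt()
     if claims.get("role") != "admin":  # TODO could be multiple
         return jsonify(msg="Admins only!"), 403
     return fn(*args, **kwargs)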
コード例 #21
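 def get(self):
     """Return the chosen candidate for the token's subject.

     Failures inside ``voting.GetKandidatTerpilih`` are answered with a
     generic 500.  The exception text was previously passed to
     ``api.abort`` and therefore returned to the client; it is now logged
     server-side instead so internal details (queries, paths, stack
     context) are not disclosed.
     """
     import logging  # local import: keeps the block self-contained

     subject = get_jwt()['sub']
     try:
         return voting.GetKandidatTerpilih(subject)
     except Exception:
         logging.getLogger(__name__).exception(
             "GetKandidatTerpilih failed for subject %r", subject)
         api.abort(500, "Internal server error")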
コード例 #22
 def wrapper(*args, **kwargs):
     """Guard that admits only tokens whose ``status`` claim is falsy.

     A truthy ``status`` is refused with 403 (presumably the counterpart of
     an "internal only" guard).  A token without the claim raises
     ``KeyError`` -- surfacing as a 500 -- rather than being admitted, i.e.
     it fails closed; do not replace the subscript with ``.get`` here, as
     a missing claim would then pass.
     """
     verify_jwt_in_request()
     if not get_jwt()['status']:
         return fn(*args, **kwargs)
     return {'status':'failed', 'message':'FORBIDDEN | JWT NEEDED'}, 403
コード例 #23
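def generate_update_email_token(email):
    """Create a one-hour e-mail-change token, mail it to ``email`` and return it.

    The token is a *fresh* access token for the current user carrying the
    new ``email`` and the ``username`` as extra claims; the handler that
    applies the change is expected to read the address from the token.

    Security notes (review):
    * The token is also *returned* to the caller.  If the calling view
      sends it back in the HTTP response, the requester never needs access
      to ``email`` to complete the change -- the mail round-trip is
      bypassed.  Only return it where the caller does not expose it.
    * It is an ordinary fresh access token (not a limited-scope token), so
      anyone who obtains it can act as the user for an hour.
    * ``<href>`` is not valid HTML; the mail body should carry an
      ``<a href="...">`` pointing at the confirmation URL.

    :raises MyException: 404 when the JWT subject matches no user.
    """
    user = User.query.filter(User.username == get_jwt()['sub']).first()
    if not user:
        raise MyException('invalid user', status_code=404)
    email_verify_token = create_access_token(identity=user.user_id,
                                             fresh=True,
                                             expires_delta=timedelta(hours=1),
                                             additional_claims={
                                                 'email': email,
                                                 'username': user.username
                                             })
    try:
        msg = Message(subject="email verification",
                      sender=os.environ.get('MAIL_USERNAME'),
                      recipients=[email])
        msg.body = 'click the link below to verify email'
        msg.html = "<href>" f"{email_verify_token}" "</href>"
        mail.send(msg)
    except Exception:
        # Mail delivery is best-effort in this project (test SMTP); the
        # token is still returned.
        print(
            'message:- this are test email, you can use real email in a sender and recipients'
        )
    # Was ``finally: return ...``, which also silently discarded any
    # exception not caught above (e.g. KeyboardInterrupt).
    return email_verify_token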
コード例 #24
 def post(self):
     """Exchange the presented refresh token for a new access token.

     The token's ``jti`` must equal the one recorded on
     ``current_user.refresh_token``; presumably only the most recently
     issued refresh token is stored there, so older ones are rejected.
     """
     presented_jti = get_jwt().get('jti')
     if presented_jti != current_user.refresh_token:
         body = jsonify({"message": "Incorrect or expired token"})
         return make_response(body, 401)
     return jsonify(access_token=create_access_token(identity=current_user))
コード例 #25
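 def wrapper(*args, **kwargs):
     """Guard that admits only tokens whose ``status`` claim is truthy ("internal").

     A token without the claim is refused with 403 (``.get`` -> None)
     rather than raising ``KeyError``; it fails closed either way.  The
     claim is trusted because ``verify_jwt_in_request`` verified the
     signature first.
     """
     verify_jwt_in_request()
     claims = get_jwt()
     if not claims.get('status'):
         return {'status':'failed', 'message':'FORBIDDEN | Internal Only'}, 403
     return fn(*args, **kwargs)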
コード例 #26
 def post(cls):
     """Log the current user out by blocklisting the presented token's ``jti``.

     NOTE(review): ``BLOCKLIST`` looks like an in-process set -- if so, the
     revocation is lost on restart and not shared between workers; confirm.
     """
     claims = get_jwt()
     BLOCKLIST.add(claims['jti'])
     message = gettext('user_logged_out').format(id=get_jwt_identity())
     return {'message': message}, 200
コード例 #27
 def find(id):
     """Build a ``User`` for ``id`` whose schema/config come from the JWT claims.

     No database lookup happens here: ``schema`` and ``config`` are copied
     from the verified token, i.e. whatever was put into it at issue time.
     (The parameter name ``id`` shadows the builtin but is part of the
     public signature.)
     """
     claims = get_jwt()
     user = User()
     user.id = id
     user.schema = claims["schema"]
     user.config = claims["config"]
     return user
コード例 #28
ファイル: user.py プロジェクト: dtjones404/scb-ecommerce
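def delete_user(username: str):
    """Delete ``username``'s account if the caller is that user or an admin.

    Unknown usernames and non-owners get the same 401 response, so the
    endpoint does not reveal whether an account exists.  ``is_admin`` is
    read with ``.get`` so tokens lacking the claim are treated as
    non-admin instead of raising ``KeyError``.  (401 is kept for API
    compatibility; 403 is the conventional code for a forbidden action.)
    """
    claims = get_jwt()
    user = UserModel.get_by_username(username)
    is_self = user is not None and user.id == get_jwt_identity()
    if user and (is_self or claims.get('is_admin')):
        user.remove_from_db()
        return {"message": "Delete successful."}
    return {"message": "You may not delete other user accounts."}, 401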
コード例 #29
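    def put(self):
        """Admin-only: set a new value on an existing color.

        Body: JSON ``{"color_id": ..., "color_value": ...}``; both are
        required (400 otherwise).  Non-admin callers get 401 before the
        body is read.  A missing key, and a missing or non-JSON body, are
        answered with 400 rather than raising ``KeyError``/``TypeError``.

        NOTE(review): ``color_value`` is not validated as a hex colour
        here, and ``retrieve_by_color_id`` returning ``None`` for an
        unknown id is not handled -- confirm what the service does.
        """
        claims = get_jwt()
        if not claims.get("is_admin"):
            return {
                "description": "You need admin privileges",
                "error": "invalid_credentials",
            }, 401
        color_data = request.get_json() or {}  # get_json can yield None
        if not color_data.get("color_id"):
            return {
                "description": "The color id must be given",
                "error": "missing_info",
            }, 400

        if not color_data.get("color_value"):
            return {
                "description": "The color needs a new color hex value",
                "error": "missing_info",
            }, 400
        color: ColorModel = ColorService.retrieve_by_color_id(
            color_data["color_id"], self.app)
        updates: ColorInterface = dict(color_value=color_data["color_value"])
        color = ColorService.update(color, updates, self.app, db)

        return {
            "message": "Color updated successfully.",
            "color": ColorService.json(color),
        }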
コード例 #30
 def wrapper(*args, **kwargs):
     """Require a JWT carrying a truthy ``CLAIM_LIMITED_SCOPE`` claim.

     Only the *presence* of a limited scope is checked here; which scope it
     is must be verified by the wrapped view.  When ``DISABLE_AUTH`` is set
     in the app config the check is skipped entirely -- that flag must
     never be on outside local development.
     """
     auth_disabled = current_app.config.get("DISABLE_AUTH")
     if auth_disabled:
         return func(*args, **kwargs)
     verify_jwt_in_request()
     if not get_jwt().get(CLAIM_LIMITED_SCOPE):
         raise NoAuthorizationError
     return func(*args, **kwargs)