def test_get_token_ttl(self): # This is called when using a simplekv backend that supports ttl (such # as redis or memcached). Because I do not want to require having those # installed to run the unit tests, I'm going to fiat that the code for # them works, and manually test the helper methods they call for correctness. # Test token ttl with self.app.test_request_context(): token_str = encode_refresh_token('foo', 'secret', 'HS256', timedelta(minutes=5), csrf=False) token = decode_jwt(token_str, 'secret', 'HS256', csrf=False) time.sleep(2) token_ttl = _get_token_ttl(token).total_seconds() self.assertGreater(token_ttl, 296) self.assertLessEqual(token_ttl, 298) # Test ttl is 0 if token is already expired with self.app.test_request_context(): token_str = encode_refresh_token('foo', 'secret', 'HS256', timedelta(seconds=0), csrf=False) token = decode_jwt(token_str, 'secret', 'HS256', csrf=False) time.sleep(2) token_ttl = _get_token_ttl(token).total_seconds() self.assertEqual(token_ttl, 0)
def test_encode_refresh_token(self): secret = 'super-totally-secret-key' algorithm = 'HS256' token_expire_delta = timedelta(minutes=5) identity_claim = 'sub' # Check with a fresh token with self.app.test_request_context(): identity = 'user1' token = encode_refresh_token(identity, secret, algorithm, token_expire_delta, csrf=False, identity_claim=identity_claim) data = jwt.decode(token, secret, algorithms=[algorithm]) self.assertIn('exp', data) self.assertIn('iat', data) self.assertIn('nbf', data) self.assertIn('jti', data) self.assertIn('type', data) self.assertIn(identity_claim, data) self.assertNotIn('csrf', data) self.assertEqual(data[identity_claim], identity) self.assertEqual(data['type'], 'refresh') self.assertEqual(data['iat'], data['nbf']) now_ts = calendar.timegm(datetime.utcnow().utctimetuple()) exp_seconds = data['exp'] - now_ts self.assertLessEqual(exp_seconds, 60 * 5) self.assertGreater(exp_seconds, 60 * 4) # Check with a csrf token identity = 12345 # identity can be anything json serializable token = encode_refresh_token(identity, secret, algorithm, token_expire_delta, csrf=True, identity_claim=identity_claim) data = jwt.decode(token, secret, algorithms=[algorithm]) self.assertIn('exp', data) self.assertIn('iat', data) self.assertIn('nbf', data) self.assertIn('jti', data) self.assertIn('type', data) self.assertIn('csrf', data) self.assertIn(identity_claim, data) self.assertEqual(data[identity_claim], identity) self.assertEqual(data['type'], 'refresh') self.assertEqual(data['iat'], data['nbf']) now_ts = calendar.timegm(datetime.utcnow().utctimetuple()) exp_seconds = data['exp'] - now_ts self.assertLessEqual(exp_seconds, 60 * 5) self.assertGreater(exp_seconds, 60 * 4)
def _create_refresh_token(self, identity, expires_delta=None, user_claims=None, headers=None): if expires_delta is None: expires_delta = config.refresh_expires if user_claims is None and config.user_claims_in_refresh_token: user_claims = self._user_claims_callback(identity) if headers is None: headers = self._jwt_additional_header_callback(identity) refresh_token = encode_refresh_token( identity=self._user_identity_callback(identity), secret=self._encode_key_callback(identity), algorithm=config.algorithm, expires_delta=expires_delta, user_claims=user_claims, csrf=config.csrf_protect, identity_claim_key=config.identity_claim_key, user_claims_key=config.user_claims_key, json_encoder=config.json_encoder, headers=headers) return refresh_token
def create_refresh_token(self, identity, expires_delta=None): """ Creates a new refresh token :param identity: The identity of this token. This can be any data that is json serializable. It can also be an object, in which case you can use the user_identity_loader to define a function that will be called to pull a json serializable identity out of this object. This is useful so you don't need to query disk twice, once for initially finding the identity in your login endpoint, and once for setting addition data in the JWT via the user_claims_loader :param expires_delta: A datetime.timedelta for how long this token should last before it expires. If this is None, it will use the 'JWT_REFRESH_TOKEN_EXPIRES` config value :return: A new refresh token """ if expires_delta is None: expires_delta = config.refresh_expires refresh_token = encode_refresh_token( identity=self._user_identity_callback(identity), secret=config.encode_key, algorithm=config.algorithm, expires_delta=expires_delta, csrf=config.csrf_protect) return refresh_token
def create_refresh_token(self, identity): """ Creates a new refresh token :param identity: The identity of this token. This can be any data that is json serializable. It can also be an object, in which case you can use the user_identity_loader to define a function that will be called to pull a json serializable identity out of this object. This is useful so you don't need to query disk twice, once for initially finding the identity in your login endpoint, and once for setting addition data in the JWT via the user_claims_loader :return: A new refresh token """ refresh_token = encode_refresh_token( identity=self._user_identity_callback(identity), secret=config.encode_key, algorithm=config.algorithm, expires_delta=config.refresh_expires, csrf=config.csrf_protect) # If blacklisting is enabled, store this token in our key-value store if config.blacklist_enabled: decoded_token = decode_jwt(refresh_token, config.decode_key, config.algorithm, csrf=config.csrf_protect) store_token(decoded_token, revoked=False) return refresh_token
def _create_refresh_token(self, identity, expires_delta=None): if expires_delta is None: expires_delta = config.refresh_expires refresh_token = encode_refresh_token( identity=self._user_identity_callback(identity), secret=config.encode_key, algorithm=config.algorithm, expires_delta=expires_delta, csrf=config.csrf_protect, identity_claim=config.identity_claim) return refresh_token
def _create_refresh_token(self, identity, expires_delta=None): if expires_delta is None: expires_delta = config.refresh_expires if config.user_claims_in_refresh_token: user_claims = self._user_claims_callback(identity) else: user_claims = None refresh_token = encode_refresh_token( identity=self._user_identity_callback(identity), secret=self._encode_key_callback(identity), algorithm=config.algorithm, expires_delta=expires_delta, user_claims=user_claims, csrf=config.csrf_protect, identity_claim_key=config.identity_claim_key, user_claims_key=config.user_claims_key, json_encoder=config.json_encoder) return refresh_token