def get_stored_token(jti=None, encoded_token=None):
    """
    Look up the stored token record by jti, deriving the jti from an
    encoded JWT when only that is supplied.

    :param jti: The jti (unique identifier) of the token
    :param encoded_token: The encoded JWT string; only consulted when jti is None
    :return: Python dictionary with the token information
    :raises ValueError: if neither jti nor encoded_token is given
    """
    if jti is None:
        if encoded_token is None:
            raise ValueError('Either jti or encoded_token is required')
        # Derive the identifier from the raw JWT before touching the store
        jti = get_jti(encoded_token)
    return _get_token_from_store(jti)
    def test_revoked_token_with_access_blacklist_only(self):
        """Revoking an access token has no effect when only refresh tokens are checked."""
        # Restrict blacklist checks to refresh tokens only. Under this setting a
        # revoked access token stays usable until it expires, which is exactly
        # what the first assertion below pins down.
        self.app.config['JWT_BLACKLIST_TOKEN_CHECKS'] = ['refresh']

        # Issue a token pair and extract both identifiers
        access_token, refresh_token = self._login('user')
        with self.app.app_context():
            access_jti, refresh_jti = get_jti(access_token), get_jti(refresh_token)

        # Revoke both, although the app only consults the refresh blacklist
        for jti in (access_jti, refresh_jti):
            self._jwt_post('/auth/revoke/{}'.format(jti))

        # The access token must still be accepted ...
        status_code, data = self._jwt_post('/protected', access_token)
        self.assertEqual(status_code, 200)
        self.assertEqual(data, {'hello': 'world'})

        # ... while the revoked refresh token is rejected
        status_code, data = self._jwt_post('/auth/refresh', refresh_token)
        self.assertEqual(status_code, 401)
        self.assertEqual(data, {'msg': 'Token has been revoked'})
    def test_revoke_access_token(self):
        """A revoked access token is rejected by a protected endpoint."""
        # Consult the blacklist for both token types
        self.app.config['JWT_BLACKLIST_TOKEN_CHECKS'] = ['access', 'refresh']

        # Issue tokens; only the access token and its jti are needed here
        access_token, _ = self._login('user')
        with self.app.app_context():
            access_jti = get_jti(access_token)

        # Sanity check: the fresh token grants access
        status_code, data = self._jwt_post('/protected', access_token)
        self.assertEqual(status_code, 200)
        self.assertEqual(data, {'hello': 'world'})

        # Revoke it via the jti
        revoke_url = '/auth/revoke/{}'.format(access_jti)
        status, data = self._jwt_post(revoke_url)
        self.assertEqual(status, 200)
        self.assertEqual(data, {'msg': 'Token revoked'})

        # The same, still-unexpired token must now be refused
        status_code, data = self._jwt_post('/protected', access_token)
        self.assertEqual(status_code, 401)
        self.assertEqual(data, {'msg': 'Token has been revoked'})
    def post(self):
        """User's login view.

        Looks the account up by username or e-mail (case-insensitively),
        checks the supplied password, then issues an access token, records a
        session row and sets the JWT cookies on the response.
        """
        args = user_login_parser.parse_args()
        login_name = args.get("username", "").lower()
        user: User = User.query.filter(
            or_(
                func.lower(User.email) == login_name,
                func.lower(User.username) == login_name,
            )).first()

        # A single generic error covers both "no such user" and "bad password",
        # so the response does not reveal which accounts exist.
        # NOTE(review): this is a plain `!=` against `user.password`. That is only
        # sound if the attribute is a hashed-password type whose __eq__ verifies
        # the hash; if it is a raw column this compares plaintext and is not
        # constant-time -- confirm against the User model.
        if not user or user.password != args.get("password", None):
            raise UserExceptions.wrong_login_creds()

        token = create_access_token(user)
        # Hand the CSRF double-submit value to the client alongside the cookie
        user.token = get_csrf_token(token)
        user_session = Session(user=user,
                               token=get_jti(token),
                               **extract_request_info(request=request))
        user_session.save(True)

        response = make_response(marshal(user, user_model))
        set_access_cookies(response=response, encoded_access_token=token)
        return response
 def post(self):
     """Log the current user out by blacklisting the token's jti."""
     # NOTE(review): get_jti() is called with no argument and the result is
     # subscripted with ['jti']; flask_jwt_extended's get_jti(encoded_token)
     # returns the jti string itself, so this looks like it expects a
     # decoded-claims helper instead -- verify which function is bound here.
     current_jti = get_jti()['jti']
     # NOTE(review): BLACKLIST appears to be a process-local set; if so,
     # revocations are lost on restart and not shared across workers -- confirm
     # the backing store.
     BLACKLIST.add(current_jti)
     return {'message': 'Successfully logged out.'}, 200
 def post(self):
     """Log the current user out by blacklisting the current token's jti."""
     # NOTE(review): get_jti() is called with no argument here; flask_jwt_extended's
     # get_jti takes the encoded token, so confirm which helper is actually bound.
     # NOTE(review): BLACKLIST looks like a process-local set; revocations would
     # then be lost on restart and not shared across workers -- confirm.
     BLACKLIST.add(get_jti())
     return jsonify({'message': 'Successfully logged out'})