def auth_lg_1(*args, **kw): username = get_jwt_identity() user_login = UserLogins.query.filter_by(username=username).first() if user_login is None: raise NoAuthorizationError(u"请先登陆") elif user_login.level < 2: raise NoAuthorizationError(u'您没有足够的权限进行此操作!')
def wrapper(*args, **kwargs): isUserAuthorized = False search_option = { 'full_document': True, 'filter': { 'fliptapikey': { 'type': 'eq', 'value': auth.username(), 'case_sensitive': False } }, 'filter_type': 'and' } userattribute, userid = OptionalModules.user().search_tvuser( search_option) if userid == None: isUserAuthorized = False else: isUserAuthorized = True if not isUserAuthorized: raise NoAuthorizationError( "You are not authorized user to access the API") if not userattribute['status'] == 'Active': raise NoAuthorizationError("Your account is Inactive") return apifunction(userattribute)
def decode_jwt_from_json(request, request_type, allow_missing_token=False): if request.content_type != 'application/json': raise NoAuthorizationError( 'Invalid content-type. Must be application/json.') if request_type == 'access': token_key = 'access_token' else: token_key = 'refresh_token' try: encoded_token = request.get_json().get(token_key) if not encoded_token: if allow_missing_token: return None else: raise BadRequest() except BadRequest: raise NoAuthorizationError( 'Missing "{}" key in json data.'.format(token_key)) decoded_token = None decoded_token = decode_token(encoded_token, None) verify_token_type(decoded_token, expected_type=request_type) verify_token_not_blacklisted(decoded_token, request_type) return decoded_token
def _decode_jwt_from_request(locations, fresh, refresh=False): # Figure out what locations to look for the JWT in this request if isinstance(locations, str): locations = [locations] if not locations: locations = config.token_location # Get the decode functions in the order specified by locations. get_encoded_token_functions = [] for location in locations: if location == "cookies": get_encoded_token_functions.append( lambda: _decode_jwt_from_cookies(refresh)) elif location == "query_string": get_encoded_token_functions.append(_decode_jwt_from_query_string) elif location == "headers": get_encoded_token_functions.append(_decode_jwt_from_headers) elif location == "json": get_encoded_token_functions.append( lambda: _decode_jwt_from_json(refresh)) else: raise RuntimeError(f"'{location}' is not a valid location") # Try to find the token from one of these locations. It only needs to exist # in one place to be valid (not every location). errors = [] decoded_token = None jwt_header = None for get_encoded_token_function in get_encoded_token_functions: try: encoded_token, csrf_token = get_encoded_token_function() decoded_token = decode_token(encoded_token, csrf_token) jwt_header = get_unverified_jwt_headers(encoded_token) break except NoAuthorizationError as e: errors.append(str(e)) # Do some work to make a helpful and human readable error message if no # token was found in any of the expected locations. if not decoded_token: if len(locations) > 1: err_msg = "Missing JWT in {start_locs} or {end_locs} ({details})".format( start_locs=", ".join(locations[:-1]), end_locs=locations[-1], details="; ".join(errors), ) raise NoAuthorizationError(err_msg) else: raise NoAuthorizationError(errors[0]) # Additional verifications provided by this extension verify_token_type(decoded_token, refresh) if fresh: _verify_token_is_fresh(jwt_header, decoded_token) verify_token_not_blocklisted(jwt_header, decoded_token) custom_verification_for_token(jwt_header, decoded_token) return decoded_token, jwt_header
def _decode_jwt_from_request(token_type, locations, fresh): # All the places we can get a JWT from in this request get_encoded_token_functions = [] # Get locations in the order specified by the decorator or JWT_TOKEN_LOCATION # configuration. if not locations: locations = config.token_location # Add the functions in the order specified by locations. for location in locations: if location == "cookies": get_encoded_token_functions.append( lambda: _decode_jwt_from_cookies(token_type)) if location == "query_string": get_encoded_token_functions.append(_decode_jwt_from_query_string) if location == "headers": get_encoded_token_functions.append(_decode_jwt_from_headers) if location == "json": get_encoded_token_functions.append( lambda: _decode_jwt_from_json(token_type)) # Try to find the token from one of these locations. It only needs to exist # in one place to be valid (not every location). errors = [] decoded_token = None jwt_header = None for get_encoded_token_function in get_encoded_token_functions: try: encoded_token, csrf_token = get_encoded_token_function() decoded_token = decode_token(encoded_token, csrf_token) jwt_header = get_unverified_jwt_headers(encoded_token) break except NoAuthorizationError as e: errors.append(str(e)) # Do some work to make a helpful and human readable error message if no # token was found in any of the expected locations. if not decoded_token: if len(locations) > 1: err_msg = "Missing JWT in {start_locs} or {end_locs} ({details})".format( start_locs=", ".join(locations[:-1]), end_locs=locations[-1], details="; ".join(errors), ) raise NoAuthorizationError(err_msg) else: raise NoAuthorizationError(errors[0]) # Additional verifications provided by this extension verify_token_type(decoded_token, expected_type=token_type) if fresh: _verify_token_is_fresh(jwt_header, decoded_token) verify_token_not_blocklisted(jwt_header, decoded_token, token_type) custom_verification_for_token(jwt_header, decoded_token) return decoded_token, jwt_header
def _decode_jwt_from_request(request_type): # All the places we can get a JWT from in this request get_encoded_token_functions = [] locations = config.token_location # add the functions in the order specified in JWT_TOKEN_LOCATION for location in locations: if location == "cookies": get_encoded_token_functions.append( lambda: _decode_jwt_from_cookies(request_type)) if location == "query_string": get_encoded_token_functions.append(_decode_jwt_from_query_string) if location == "headers": get_encoded_token_functions.append(_decode_jwt_from_headers) if location == "json": get_encoded_token_functions.append( lambda: _decode_jwt_from_json(request_type)) # Try to find the token from one of these locations. It only needs to exist # in one place to be valid (not every location). errors = [] decoded_token = None jwt_header = None for get_encoded_token_function in get_encoded_token_functions: try: encoded_token, csrf_token = get_encoded_token_function() decoded_token = decode_token(encoded_token, csrf_token) jwt_header = get_unverified_jwt_headers(encoded_token) break except NoAuthorizationError as e: errors.append(str(e)) # Do some work to make a helpful and human readable error message if no # token was found in any of the expected locations. if not decoded_token: token_locations = config.token_location multiple_jwt_locations = len(token_locations) != 1 if multiple_jwt_locations: err_msg = "Missing JWT in {start_locs} or {end_locs} ({details})".format( start_locs=", ".join(token_locations[:-1]), end_locs=token_locations[-1], details="; ".join(errors), ) raise NoAuthorizationError(err_msg) else: raise NoAuthorizationError(errors[0]) verify_token_type(decoded_token, expected_type=request_type) verify_token_not_blacklisted(decoded_token, request_type) return decoded_token, jwt_header
def _decode_jwt_from_request(request_type): # All the places we can get a JWT from in this request get_encoded_token_functions = [] if config.jwt_in_cookies: get_encoded_token_functions.append( lambda: _decode_jwt_from_cookies(request_type)) if config.jwt_in_query_string: get_encoded_token_functions.append(_decode_jwt_from_query_string) if config.jwt_in_headers: get_encoded_token_functions.append(_decode_jwt_from_headers) if config.jwt_in_json: get_encoded_token_functions.append( lambda: _decode_jwt_from_json(request_type)) # Try to find the token from one of these locations. It only needs to exist # in one place to be valid (not every location). errors = [] decoded_token = None for get_encoded_token_function in get_encoded_token_functions: try: encoded_token, csrf_token = get_encoded_token_function() decoded_token = decode_token(encoded_token, csrf_token) break except ExpiredSignatureError: # Save the expired token so we can access it in a callback later expired_data = decode_token(encoded_token, csrf_token, allow_expired=True) ctx_stack.top.expired_jwt = expired_data raise except NoAuthorizationError as e: errors.append(str(e)) # Do some work to make a helpful and human readable error message if no # token was found in any of the expected locations. if not decoded_token: token_locations = config.token_location multiple_jwt_locations = len(token_locations) != 1 if multiple_jwt_locations: err_msg = "Missing JWT in {start_locs} or {end_locs} ({details})".format( start_locs=", ".join(token_locations[:-1]), end_locs=token_locations[-1], details="; ".join(errors)) raise NoAuthorizationError(err_msg) else: raise NoAuthorizationError(errors[0]) verify_token_type(decoded_token, expected_type=request_type) verify_token_not_blacklisted(decoded_token, request_type) return decoded_token
def _decode_jwt_from_cookies(refresh): if refresh: cookie_key = config.refresh_cookie_name csrf_header_key = config.refresh_csrf_header_name csrf_field_key = config.refresh_csrf_field_name else: cookie_key = config.access_cookie_name csrf_header_key = config.access_csrf_header_name csrf_field_key = config.access_csrf_field_name encoded_token = request.cookies.get(cookie_key) if not encoded_token: raise NoAuthorizationError('Missing cookie "{}"'.format(cookie_key)) if (config.csrf_protect and request.method in config.csrf_request_methods and current_app.config["JWT_CSRF_ACCESS_PATH"] in request.url): csrf_value = request.headers.get(csrf_header_key, None) if not csrf_value and config.csrf_check_form: csrf_value = request.form.get(csrf_field_key, None) if not csrf_value: raise CSRFError("Missing CSRF token") else: csrf_value = None return encoded_token, csrf_value
def wrapper(*args, **kwargs): verify_jwt_in_request() claims = get_jwt_claims() if 'admin' not in claims['roles']: raise NoAuthorizationError("Permission Denied!") else: return fn(*args, **kwargs)
def _decode_jwt_from_cookies(request_type): if request_type == 'access': cookie_key = config.access_cookie_name csrf_header_key = config.access_csrf_header_name csrf_field_key = config.access_csrf_field_name csrf_cookie_name = config.access_csrf_cookie_name else: cookie_key = config.refresh_cookie_name csrf_header_key = config.refresh_csrf_header_name csrf_field_key = config.refresh_csrf_field_name csrf_cookie_name = config.refresh_csrf_cookie_name encoded_token = request.cookies.get(cookie_key) if not encoded_token: raise NoAuthorizationError('Missing cookie "{}"'.format(cookie_key)) if config.csrf_protect and request.method in config.csrf_request_methods: csrf_value = request.headers.get(csrf_header_key, None) if not csrf_value and config.csrf_check_cookies: csrf_value = request.cookies.get(csrf_cookie_name, None) if not csrf_value and config.csrf_check_form: csrf_value = request.form.get(csrf_field_key, None) if not csrf_value: raise CSRFError("Missing CSRF token") else: csrf_value = None return encoded_token, csrf_value
def _decode_jwt_from_query_string(): query_param = config.query_string_name encoded_token = request.args.get(query_param) if not encoded_token: raise NoAuthorizationError('Missing "{}" query paramater'.format(query_param)) return decode_token(encoded_token)
def _decode_jwt_from_cookies(type): if type == 'access': cookie_key = get_access_cookie_name() else: cookie_key = get_refresh_cookie_name() token = request.cookies.get(cookie_key) if not token: raise NoAuthorizationError('Missing cookie "{}"'.format(cookie_key)) secret = _get_secret_key() algorithm = get_algorithm() token = _decode_jwt(token, secret, algorithm) if get_cookie_csrf_protect( ) and request.method in get_csrf_request_methods(): csrf_header_key = get_csrf_header_name() csrf_token_from_header = request.headers.get(csrf_header_key, None) csrf_token_from_cookie = token.get('csrf', None) # Verify the csrf tokens are present and matching if csrf_token_from_cookie is None: raise JWTDecodeError("Missing claim: 'csrf'") if not isinstance(csrf_token_from_cookie, six.string_types): raise JWTDecodeError("Invalid claim: 'csrf' (must be a string)") if csrf_token_from_header is None: raise CSRFError("Missing CSRF token in headers") if not safe_str_cmp(csrf_token_from_header, csrf_token_from_cookie): raise CSRFError("CSRF double submit tokens do not match") return token
def _decode_jwt_from_headers(): # Verify we have the auth header header_name = get_jwt_header_name() jwt_header = request.headers.get(header_name, None) if not jwt_header: raise NoAuthorizationError("Missing {} Header".format(header_name)) # Make sure the header is valid expected_header = get_jwt_header_type() parts = jwt_header.split() if not expected_header: if len(parts) != 1: msg = "Bad {} header. Expected '<JWT>'" raise InvalidHeaderError(msg) token = parts[0] else: if parts[0] != expected_header or len(parts) != 2: msg = "Bad {} header. Expected '{} <JWT>'".format( header_name, expected_header) raise InvalidHeaderError(msg) token = parts[1] secret = _get_secret_key() algorithm = get_algorithm() return _decode_jwt(token, secret, algorithm)
def wrapper(*args, **kwargs): verify_jwt_in_request() claims = get_jwt_claims() if claims.get('role') != ROLE_ADMIN: raise NoAuthorizationError("User not Autohrized") else: return func(*args, **kwargs)
def _decode_jwt_from_request(request_type): # We have three cases here, having jwts in both cookies and headers is # valid, or the jwt can only be saved in one of cookies or headers. Check # all cases here. if config.jwt_in_cookies and config.jwt_in_headers: try: decoded_token = _decode_jwt_from_cookies(request_type) except NoAuthorizationError: try: decoded_token = _decode_jwt_from_headers() except NoAuthorizationError: raise NoAuthorizationError( "Missing JWT in headers and cookies") elif config.jwt_in_headers: decoded_token = _decode_jwt_from_headers() else: decoded_token = _decode_jwt_from_cookies(request_type) # Make sure the type of token we received matches the request type we expect verify_token_type(decoded_token, expected_type=request_type) # If blacklisting is enabled, see if this token has been revoked verify_token_not_blacklisted(decoded_token, request_type) return decoded_token
def _decode_jwt_from_request(request_type): # We have three cases here, having jwts in both cookies and headers is # valid, or the jwt can only be saved in one of cookies or headers. Check # all cases here. if config.jwt_in_cookies and config.jwt_in_headers: try: decoded_token = _decode_jwt_from_cookies(request_type) except NoAuthorizationError: try: decoded_token = _decode_jwt_from_headers() except NoAuthorizationError: raise NoAuthorizationError("Missing JWT in headers and cookies") elif config.jwt_in_headers: decoded_token = _decode_jwt_from_headers() else: decoded_token = _decode_jwt_from_cookies(request_type) # Make sure the type of token we received matches the request type we expect if decoded_token['type'] != request_type: raise WrongTokenError('Only {} tokens can access this endpoint'.format(request_type)) # Check if the custom claims in access tokens are valid if request_type == 'access': if not verify_token_claims(decoded_token['user_claims']): raise UserClaimsVerificationError('user_claims verification failed') # If blacklisting is enabled, see if this token has been revoked if _token_blacklisted(decoded_token, request_type): raise RevokedTokenError('Token has been revoked') return decoded_token
def _decode_jwt_from_headers(): header_name = config.header_name header_type = config.header_type # Verify we have the auth header jwt_header = request.headers.get(header_name, None) if not jwt_header: raise NoAuthorizationError("Missing {} Header".format(header_name)) # Make sure the header is in a valid format that we are expecting, ie # <HeaderName>: <HeaderType(optional)> <JWT> parts = jwt_header.split() if not header_type: if len(parts) != 1: msg = "Bad {} header. Expected value '<JWT>'".format(header_name) raise InvalidHeaderError(msg) encoded_token = parts[0] else: if parts[0] != header_type or len(parts) != 2: msg = "Bad {} header. Expected value '{} <JWT>'".format( header_name, header_type) raise InvalidHeaderError(msg) encoded_token = parts[1] return decode_token(encoded_token)
def _decode_jwt_from_cookies(request_type): if request_type == 'access': cookie_key = config.access_cookie_name csrf_header_key = config.access_csrf_header_name else: cookie_key = config.refresh_cookie_name csrf_header_key = config.refresh_csrf_header_name encoded_token = request.cookies.get(cookie_key) if not encoded_token: raise NoAuthorizationError('Missing cookie "{}"'.format(cookie_key)) decoded_token = decode_jwt(encoded_token=encoded_token, secret=config.decode_key, algorithm=config.algorithm, csrf=config.csrf_protect) # Verify csrf double submit tokens match if required if config.csrf_protect and request.method in config.csrf_request_methods: csrf_token_in_token = decoded_token['csrf'] csrf_token_in_header = request.headers.get(csrf_header_key, None) if not csrf_token_in_header: raise CSRFError("Missing CSRF token in headers") if not safe_str_cmp(csrf_token_in_header, csrf_token_in_token): raise CSRFError("CSRF double submit tokens do not match") return decoded_token
def _decode_jwt_from_request(request_type): # We have three cases here, having jwts in both cookies and headers is # valid, or the jwt can only be saved in one of cookies or headers. Check # all cases here. if config.jwt_in_cookies and config.jwt_in_headers: try: decoded_token = _decode_jwt_from_cookies(request_type) except NoAuthorizationError: try: decoded_token = _decode_jwt_from_headers() except NoAuthorizationError: raise NoAuthorizationError( "Missing JWT in headers and cookies") elif config.jwt_in_headers: decoded_token = _decode_jwt_from_headers() else: decoded_token = _decode_jwt_from_cookies(request_type) # Make sure the type of token we received matches the request type we expect if decoded_token['type'] != request_type: raise WrongTokenError( 'Only {} tokens can access this endpoint'.format(request_type)) # If blacklisting is enabled, see if this token has been revoked if config.blacklist_enabled: check_if_token_revoked(decoded_token) return decoded_token
def _decode_jwt_from_request(request_type): # Check for the presence of _fake_token_callback and runs it instead of trying to retrieve token (provided app.debug is True) if has_fake_token_callback(): if current_app.debug: return fake_token(request_type) else: import warnings warnings.warn( "ignoring _fake_token_callback, as app.debug is False") # We have three cases here, having jwts in both cookies and headers is # valid, or the jwt can only be saved in one of cookies or headers. Check # all cases here. if config.jwt_in_cookies and config.jwt_in_headers: try: decoded_token = _decode_jwt_from_cookies(request_type) except NoAuthorizationError: try: decoded_token = _decode_jwt_from_headers() except NoAuthorizationError: raise NoAuthorizationError( "Missing JWT in headers and cookies") elif config.jwt_in_headers: decoded_token = _decode_jwt_from_headers() else: decoded_token = _decode_jwt_from_cookies(request_type) # Make sure the type of token we received matches the request type we expect verify_token_type(decoded_token, expected_type=request_type) # If blacklisting is enabled, see if this token has been revoked verify_token_not_blacklisted(decoded_token, request_type) return decoded_token
def _decode_jwt_from_json(request_type): if request.content_type != "application/json": raise NoAuthorizationError("Invalid content-type. Must be application/json.") if request_type == "access": token_key = config.json_key else: token_key = config.refresh_json_key try: encoded_token = request.json.get(token_key, None) if not encoded_token: raise BadRequest() except BadRequest: raise NoAuthorizationError('Missing "{}" key in json data.'.format(token_key)) return decode_token(encoded_token)
def _decode_jwt_from_json(refresh: bool) -> Tuple[str, str]: content_type = request.content_type or "" if not content_type.startswith("application/json"): raise NoAuthorizationError( "Invalid content-type. Must be application/json.") if refresh: token_key = config.refresh_json_key else: token_key = config.json_key try: encoded_token = request.json.get(token_key, None) if not encoded_token: raise BadRequest() except BadRequest: raise NoAuthorizationError( 'Missing "{}" key in json data.'.format(token_key)) from None return encoded_token, None
def _decode_jwt_from_query_string(param_name): # Verify we have the query string token = request.args.get(param_name, None) if not token: raise NoAuthorizationError("Missing {} query param".format(param_name)) return decode_jwt(encoded_token=token, secret=config.decode_key, algorithm=config.algorithm, csrf=False, identity_claim=config.identity_claim)
def _decode_jwt_from_cookies(type): if type == 'access': cookie_key = get_access_cookie_name() else: cookie_key = get_refresh_cookie_name() token = request.cookies.get(cookie_key) if not token: raise NoAuthorizationError('Missing cookie "{}"'.format(cookie_key)) secret = _get_secret_key() algorithm = get_algorithm() token = _decode_jwt(token, secret, algorithm) if get_cookie_csrf_protect(): csrf_header_key = get_csrf_header_name() csrf = request.headers.get(csrf_header_key, None) if not csrf or not safe_str_cmp(csrf, token['csrf']): raise NoAuthorizationError( "Missing or invalid csrf double submit header") return token
def wrapper(*args, **kwargs): jwt_data, jwt_header = _decode_jwt_from_request(request_type='access') if jwt_data['identity']['role'] != 'user': authorized = True else: authorized = False if not authorized: raise NoAuthorizationError("You are not admin") return view_function(*args, **kwargs)
def wrapper(*args, **kwargs): jwt_data = _decode_jwt_from_request(request_type='access') if ACCESS[jwt_data["identity"][1]] >= ACCESS[urole]: isRoleAuthorized = True else: isRoleAuthorized = False if not isRoleAuthorized: raise NoAuthorizationError( "You are not authorized user to access the API") return apifunction(*args, **kwargs)
def _decode_jwt_from_headers() -> Tuple[str, str]: header_name = config.header_name header_type = config.header_type # Verify we have the auth header auth_header = request.headers.get(header_name, "").strip().strip(",") if not auth_header: raise NoAuthorizationError(f"Missing {header_name} Header") # Make sure the header is in a valid format that we are expecting, ie # <HeaderName>: <HeaderType(optional)> <JWT>. # # Also handle the fact that the header that can be comma delimited, ie # <HeaderName>: <field> <value>, <field> <value>, etc... if header_type: field_values = split(r",\s*", auth_header) jwt_headers = [s for s in field_values if s.split()[0] == header_type] if len(jwt_headers) != 1: msg = (f"Missing '{header_type}' type in '{header_name}' header. " f"Expected '{header_name}: {header_type} <JWT>'") raise NoAuthorizationError(msg) parts = jwt_headers[0].split() if len(parts) != 2: msg = (f"Bad {header_name} header. " f"Expected '{header_name}: {header_type} <JWT>'") raise InvalidHeaderError(msg) encoded_token = parts[1] else: parts = auth_header.split() if len(parts) != 1: msg = f"Bad {header_name} header. Expected '{header_name}: <JWT>'" raise InvalidHeaderError(msg) encoded_token = parts[0] return encoded_token, None
def get_user_token(encoded_token, token_type): from flask_jwt_extended.exceptions import NoAuthorizationError, UserLoadError from flask_jwt_extended import utils as jwt_utils from flask_jwt_extended.config import config as jwt_config if encoded_token is None: raise NoAuthorizationError('Missing "access_token" query parameter') token_data = decode_token(encoded_token) jwt_utils.verify_token_type(token_data, expected_type=token_type) jwt_utils.verify_token_not_blacklisted(token_data, token_type) jwt_utils.verify_token_claims(token_data) return token_data[jwt_config.identity_claim_key]
def _decode_jwt_from_query_string() -> Tuple[str, str]: param_name = config.query_string_name prefix = config.query_string_value_prefix value = request.args.get(param_name) if not value: raise NoAuthorizationError(f"Missing '{param_name}' query paramater") if not value.startswith(prefix): raise InvalidQueryParamError( f"Invalid value for query parameter '{param_name}'. " f"Expected the value to start with '{prefix}'") encoded_token = value[len(prefix):] # noqa: E203 return encoded_token, None
def wrapper(*args, **kwargs): jwt_token = request.json.get('refresh_token', None) if not jwt_token: raise NoAuthorizationError("Missing refresh token") decoded_token = decode_jwt( jwt_token, config.decode_key, config.algorithm, csrf=False) # Make sure the type of token we received matches the request type we expect if decoded_token['type'] != 'refresh': raise WrongTokenError('Only refresh tokens can access this endpoint') # If blacklisting is enabled, see if this token has been revoked #if config.blacklist_enabled: #check_if_token_revoked(decoded_token) ctx_stack.top.jwt = decoded_token _load_user(decoded_token['identity']) return fn(*args, **kwargs)