Comments (6)
Just a suggestion too. Following Flask-JWT, you should give the user the ability to change the "Bearer" header type for the JWT.
from flask-jwt-extended.
The use case I have for it is if a refresh token for a user was stolen. That could happen with a bug in the frontend application, or perhaps a situation like an employee that was fired had an existing login to the system.
We can disable the user or change their password, but whoever has that refresh token can still freely access all of the endpoints that the user could access (except for the ones using fresh_jwt_required). At that point, the only way to stop them (well, not the only way, see below) would be to change the secret_key, which would invalidate their token. It would also have the side effect of invalidating every other token created by the system, in effect logging everyone out.
If the blacklist is enabled, we can go in and blacklist that single token. It will prevent them from being able to access the system any more, while not logging every other user out of the system.
This same effect could be done by checking the user rights on the database, and in many cases that may make more sense to do. That does have the side effect of checking a database for every endpoint though, which depending on the application could be expensive. By setting the access tokens to a very low expires time, and only checking the refresh token, we can avoid the db/redis/whatever lookup costs the majority of the time.
That said, this is totally an optional feature, which is disabled by default :)
from flask-jwt-extended.
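The revocation model this comment describes (and that the later reply about revoking a compromised account's tokens comes back to), as an added worked example that is not flask-jwt-extended's own code: a stdlib-only stand-in with HMAC-signed access and refresh tokens carrying a `jti`, a short access-token lifetime, a blacklist that is consulted only on the refresh path, and a secret rotation for the "log everyone out" alternative. `TokenService`, `revoked_jtis`, `demo_stolen_refresh_token` and the timestamps are assumptions for the illustration; the real library's API (`JWTManager`, `token_in_blocklist_loader`, and so on) is not used here so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Added example, not flask-jwt-extended code: a minimal JWT-style token
# service to show per-token revocation versus global secret rotation.


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class TokenService:
    def __init__(self, secret: bytes, access_ttl=60, refresh_ttl=30 * 24 * 3600):
        self.secret = secret
        self.access_ttl = access_ttl          # short: expires on its own
        self.refresh_ttl = refresh_ttl        # long: must be revocable
        self.revoked_jtis = set()             # stands in for the db/redis blacklist

    def rotate_secret(self, new_secret: bytes):
        # The "change secret_key" option: every outstanding token dies.
        self.secret = new_secret

    def _sign(self, signing_input: bytes) -> str:
        return _b64(hmac.new(self.secret, signing_input, hashlib.sha256).digest())

    def _issue(self, identity, token_type, ttl, now):
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": identity, "type": token_type, "jti": uuid.uuid4().hex,
                   "iat": now, "exp": now + ttl}
        head = _b64(json.dumps(header, separators=(",", ":")).encode())
        body = _b64(json.dumps(payload, separators=(",", ":")).encode())
        return f"{head}.{body}.{self._sign(f'{head}.{body}'.encode())}"

    def create_tokens(self, identity, now=None):
        now = int(time.time()) if now is None else now
        return (self._issue(identity, "access", self.access_ttl, now),
                self._issue(identity, "refresh", self.refresh_ttl, now))

    def decode(self, token, expected_type, now=None):
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        head, body, sig = parts
        if not hmac.compare_digest(sig, self._sign(f"{head}.{body}".encode())):
            raise ValueError("signature verification failed")
        payload = json.loads(_unb64(body))
        if payload.get("type") != expected_type:
            raise ValueError("wrong token type")
        if payload["exp"] <= now:
            raise ValueError("token expired")
        # Only refresh tokens are checked against the blacklist, so the
        # access-protected endpoints never pay for a store lookup.
        if expected_type == "refresh" and payload["jti"] in self.revoked_jtis:
            raise ValueError("token revoked")
        return payload

    def revoke(self, refresh_token):
        # Blacklist by jti; the entry can be purged once the token's exp passes.
        payload = json.loads(_unb64(refresh_token.split(".")[1]))
        self.revoked_jtis.add(payload["jti"])

    def refresh(self, refresh_token, now=None):
        now = int(time.time()) if now is None else now
        payload = self.decode(refresh_token, "refresh", now)
        return self._issue(payload["sub"], "access", self.access_ttl, now)


def _fails(fn):
    try:
        fn()
    except ValueError:
        return True
    return False


def demo_stolen_refresh_token():
    # Constructed scenario: alice's refresh token is stolen, bob is innocent.
    svc = TokenService(b"server-secret-1")
    t0 = 1_700_000_000
    access, refresh = svc.create_tokens("alice", now=t0)
    _, bob_refresh = svc.create_tokens("bob", now=t0)
    r = {}
    r["access_ok"] = svc.decode(access, "access", now=t0 + 10)["sub"] == "alice"
    # The short-lived access token expires by itself ...
    r["access_expired"] = _fails(lambda: svc.decode(access, "access", now=t0 + 61))
    # ... but the stolen refresh token keeps minting fresh access tokens.
    new_access = svc.refresh(refresh, now=t0 + 61)
    r["refresh_mints"] = svc.decode(new_access, "access", now=t0 + 62)["sub"] == "alice"
    # Targeted fix: blacklist that one refresh token; bob stays logged in.
    svc.revoke(refresh)
    r["refresh_revoked"] = _fails(lambda: svc.refresh(refresh, now=t0 + 70))
    bob_access = svc.refresh(bob_refresh, now=t0 + 70)
    r["bob_unaffected"] = svc.decode(bob_access, "access", now=t0 + 71)["sub"] == "bob"
    # Global fix: rotating the secret logs everyone out, bob included.
    svc.rotate_secret(b"server-secret-2")
    r["bob_after_rotation"] = _fails(lambda: svc.refresh(bob_refresh, now=t0 + 80))
    return r
```

The example keeps the trade-off from the comment visible: access tokens are never looked up in the store and simply expire, the store is hit once per refresh, and a single `revoke` call ends the attacker's session without touching anyone else, whereas `rotate_secret` is the blunt instrument that invalidates every token at once.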
Totally unrelated, most of this stuff has been loosely tested via curl, but it's been changing fast and I'm sure there are bugs or things that straight up don't work right now. I'm hoping to have unit tests up today to help with that. If you notice any bugs, etc, or have any suggestions on making the user facing api better, I would love to hear them :)
from flask-jwt-extended.
@vimalloc Just a thought... If a hacker or an account was compromised. Wouldn't it be much safer to just invalidate everybody and have them log in again instead of blacklisting just one account? Assuming that hacker is going to steal accounts, they probably will be going for the whole basket full instead of targeting one... It is really rare to hear that only ONE account of an organization was compromised, usually I think there are more than a few.
from flask-jwt-extended.
Very true, and in that case I completely agree.
An example for what I'm thinking of might be a large scale email application. If they had a breach on their backend where a hacker was able to access their database or something along those lines, they should most certainly change the secret key (along with changing user passwords and all that other fun song and dance).
But I'm sure their users get attacked all the time via phishing attempts, viruses on their computers, brute forces, other companies being hacked and users sharing the same passwords across accounts, that sort of thing. Forcing everyone to re-login when one person got compromised would be a huge pain for the end users. It would be much easier for them if we could change the password of just the compromised account, then revoke any current tokens they are using to access the application (or, as you mentioned above, forgo the token revoking and build some logic to check the user management db on all the views).
from flask-jwt-extended.
Can do!
from flask-jwt-extended.
Related Issues (20)
- No 401 on failure HOT 1
- 'JWT_HEADER_TYPE' is being set to "" but not reflecting. I mean I still have to pass 'Bearer <token>'
- Signature verification failed with just generated tokens HOT 1
- Unable to catch errors using flask @app.errorhandler HOT 2
- Implicit refresh with cookies: timeout does not remove JWT/CSRF cookies – was this expected? HOT 1
- How does the CSRF functionality work? HOT 2
- Decoding CSRF Token from cookies does not work HOT 1
- flask-jwt-extended, refresh token HOT 3
- RS512 not supported HOT 2
- Is option JWT_REFRESH_TOKEN_EXPIRES working? HOT 3
- ImportError: cannot import name 'DecodeError' from 'jwt' (/usr/local/lib/python3.10/dist-packages/jwt/__init__.py) HOT 1
- Documentation examples for double submit removed from latest documentation. HOT 5
- Minimum cryptography version is vulnerable to CVE HOT 1
- Multiple JWT_HEADER_TYPE options HOT 1
- DeprecationWarning: The '__version__' attribute is deprecated and will be removed in Flask 3.1 HOT 1
- Changing Default Behaviors in another file doesnt work with flask-restful HOT 1
- Collections Module Issue
- Flask-JWT-Extended always assuming token is a refresh token HOT 2
- Setting 'kid' claim as part of encode_key_loader HOT 1
- Flask v3 Error Registering Blueprints with Routes Using @jwt_required HOT 3