Comments (6)
It seems to work for me. Did you make any changes which would cause flask reloader to kick in after generating your access/refresh tokens? In that example app, the blacklist is enabled, but we are storing the token data in memory, so if the flask app restarts, your token is still valid, but it cannot find it in the blacklist store (this is why redis/memcached/sqlalchemy should be used in prod).
curl -H "Content-Type: application/json" -X POST -d '{"username":"test1","password":"abc123"}' http://localhost:5000/auth/login
{
"access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NzQzMTA0MjksImZyZXNoIjp0cnVlLCJpYXQiOjE0NzQzMDY4MjksImp0aSI6IjNiNzgzOGI4LTg3MWEtNGRiMi1iOWI1LTkyOTVhZTJlZTAwMiIsImlkZW50aXR5IjoidGVzdDEiLCJ0eXBlIjoiYWNjZXNzIiwidXNlcl9jbGFpbXMiOnsidHlwZSI6InRlY2huaWNpYW4iLCJpcCI6IjEyNy4wLjAuMSJ9LCJuYmYiOjE0NzQzMDY4Mjl9.KKyMvgei_1d60q6Dw_r-fT0co004M5PxrZuhmbfre5VQKjqghnMvf7kTECyHQQHh8uV7O5AURo1ImJWmHS1oqw",
"refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NzQ5MTE2MjksImlhdCI6MTQ3NDMwNjgyOSwianRpIjoiZTJjM2Q4ODAtMDIxYy00NDE5LTg4OWItNGM1ZjY2ODljMjU2IiwiaWRlbnRpdHkiOiJ0ZXN0MSIsInR5cGUiOiJyZWZyZXNoIiwibmJmIjoxNDc0MzA2ODI5fQ.5KWz0IR28Z__bVnQZ6WhD1BQoSBYUPDaSfgsvky3eURZDkLqbdRRaTMUOer5p2LIRb-2bI7NSXzvn7R83WkZPw"
}
export ACCESS="eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NzQzMTA0MjksImZyZXNoIjp0cnVlLCJpYXQiOjE0NzQzMDY4MjksImp0aSI6IjNiNzgzOGI4LTg3MWEtNGRiMi1iOWI1LTkyOTVhZTJlZTAwMiIsImlkZW50aXR5IjoidGVzdDEiLCJ0eXBlIjoiYWNjZXNzIiwidXNlcl9jbGFpbXMiOnsidHlwZSI6InRlY2huaWNpYW4iLCJpcCI6IjEyNy4wLjAuMSJ9LCJuYmYiOjE0NzQzMDY4Mjl9.KKyMvgei_1d60q6Dw_r-fT0co004M5PxrZuhmbfre5VQKjqghnMvf7kTECyHQQHh8uV7O5AURo1ImJWmHS1oqw"
export REFRESH="eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NzQ5MTE2MjksImlhdCI6MTQ3NDMwNjgyOSwianRpIjoiZTJjM2Q4ODAtMDIxYy00NDE5LTg4OWItNGM1ZjY2ODljMjU2IiwiaWRlbnRpdHkiOiJ0ZXN0MSIsInR5cGUiOiJyZWZyZXNoIiwibmJmIjoxNDc0MzA2ODI5fQ.5KWz0IR28Z__bVnQZ6WhD1BQoSBYUPDaSfgsvky3eURZDkLqbdRRaTMUOer5p2LIRb-2bI7NSXzvn7R83WkZPw"
curl -H "Authorization: Bearer $REFRESH" -X POST http://localhost:5000/auth/refresh
{
"access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NzQzMTA0NTcsImZyZXNoIjpmYWxzZSwiaWF0IjoxNDc0MzA2ODU3LCJqdGkiOiIzMjZiYjkwOC02NmFjLTRiYTUtODJlZC04Y2RiNzNmMjZkZmIiLCJpZGVudGl0eSI6InRlc3QxIiwidHlwZSI6ImFjY2VzcyIsInVzZXJfY2xhaW1zIjp7InR5cGUiOiJ0ZWNobmljaWFuIiwiaXAiOiIxMjcuMC4wLjEifSwibmJmIjoxNDc0MzA2ODU3fQ.8jglk7h_9JEWmengK1WYJ7L1d5XbGla1e9K4kSkUHpRnW7HCLUwuka_TiKyRYtUmQbLYbAWK_sbGwF-n9iaSiQ"
}
from flask-jwt-extended.
Oh, you mean if no token was supplied to the call. Yeah, that is the default handler for that error case. You can change it with the invalid_token_loader decorator. See this file https://github.com/vimalloc/flask-jwt-extended/blob/master/flask_jwt_extended/jwt_manager.py
from flask-jwt-extended.
That said, I think that can be done better. I'll look at it more today.
from flask-jwt-extended.
Actually, now that I'm actually sitting down and looking at it, I am unable to duplicate it. Can you verify it wasn't a flask refresh thing?
from flask-jwt-extended.
I'm using PAW and terminal and still able to reproduce it. I'm not sure what flask refresh thing you are referring to.
MYUSERNAME$ curl -H "Content-Type: application/json" -X POST -d '{"username":"test1","password":"abc123"}' http://localhost:5001/auth/login
{
"access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2NsYWltcyI6eyJpcCI6IjEyNy4wLjAuMSIsInR5cGUiOiJyZXN0cmljdGVkIn0sImp0aSI6IjAyOTNmYWE2LTRjMjYtNGJhMS1hNmRjLWUzMDYzNDExNzg2YiIsImV4cCI6MTQ3NDMxOTA0MiwiZnJlc2giOnRydWUsImlhdCI6MTQ3NDMxNTQ0MiwidHlwZSI6ImFjY2VzcyIsIm5iZiI6MTQ3NDMxNTQ0MiwiaWRlbnRpdHkiOiJ0ZXN0MSJ9.LbIzIr9DA4XeRoinDOzp9tmM4R8yHR6ZgLwe3_wqZGueJD5fwoYZO4bTu-MqR0wysU2gW43ULrowYlKBMy0_GA",
"refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI2ODhlMzVlYS1iZGFkLTQ0MzYtODQzMi1jMmQ2MjUzMTQzNzEiLCJleHAiOjE0NzQ5MjAyNDIsImlhdCI6MTQ3NDMxNTQ0MiwidHlwZSI6InJlZnJlc2giLCJuYmYiOjE0NzQzMTU0NDIsImlkZW50aXR5IjoidGVzdDEifQ.wDSO6snzoDDKLwlpAktT2Ylh6EHzN0FRNMOkLPjGiDOStSCXkjuIS5wedA3y0KMqzSpv9OvbncyoKLb3cip7uQ"
}
MYUSERNAME$ export ACCESS="eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2NsYWltcyI6eyJpcCI6IjEyNy4wLjAuMSIsInR5cGUiOiJyZXN0cmljdGVkIn0sImp0aSI6IjAyOTNmYWE2LTRjMjYtNGJhMS1hNmRjLWUzMDYzNDExNzg2YiIsImV4cCI6MTQ3NDMxOTA0MiwiZnJlc2giOnRydWUsImlhdCI6MTQ3NDMxNTQ0MiwidHlwZSI6ImFjY2VzcyIsIm5iZiI6MTQ3NDMxNTQ0MiwiaWRlbnRpdHkiOiJ0ZXN0MSJ9.LbIzIr9DA4XeRoinDOzp9tmM4R8yHR6ZgLwe3_wqZGueJD5fwoYZO4bTu-MqR0wysU2gW43ULrowYlKBMy0_GA"
MYUSERNAME$ export REFRESH="eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI2ODhlMzVlYS1iZGFkLTQ0MzYtODQzMi1jMmQ2MjUzMTQzNzEiLCJleHAiOjE0NzQ5MjAyNDIsImlhdCI6MTQ3NDMxNTQ0MiwidHlwZSI6InJlZnJlc2giLCJuYmYiOjE0NzQzMTU0NDIsImlkZW50aXR5IjoidGVzdDEifQ.wDSO6snzoDDKLwlpAktT2Ylh6EHzN0FRNMOkLPjGiDOStSCXkjuIS5wedA3y0KMqzSpv9OvbncyoKLb3cip7uQ"
MYUSERNAME$ curl -H "Authorization: Bearer $REFRESH" -X POST http://localhost:5001/auth/refresh
{
"msg": "Missing or invalid claim: jti"
}
from flask-jwt-extended.
Ok, got it. I'm currently using python3, and it looks like that breaks in python2. It is the isinstance check here:
    if 'jti' not in data or not isinstance(data['jti'], str):
        raise JWTDecodeError("Missing or invalid claim: jti")
Let me get the unit tests done for this, and I'll go through and make sure it's compatible for both python2 and python3.
Thanks!
from flask-jwt-extended.
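Added example, not part of the thread or the project's code: the quoted `isinstance(data['jti'], str)` test fails on Python 2 because JSON decoding there yields `unicode`, which is not an instance of Python 2's byte-oriented `str`. The sketch below parameterises the accepted types so the same check works on both interpreters; passing `(bytes,)` on Python 3 simulates the Python 2 behaviour. `TEXT_TYPES`, `check_jti`, `accepts`, `make_segment`, `b64url_json` and the sample payload are assumptions made for illustration.

```python
import base64
import json
import sys

# Python 2's json module returns `unicode` for strings, which is not an
# instance of Python 2's byte-oriented `str`; Python 3 returns `str`.
if sys.version_info[0] == 2:
    TEXT_TYPES = (basestring,)  # noqa: F821 (name exists on Python 2 only)
else:
    TEXT_TYPES = (str,)


class JWTDecodeError(Exception):
    """Local stand-in for the exception named in the thread."""


def make_segment(claims):
    """Encode claims as an unpadded base64url JWT segment (sample data)."""
    raw = json.dumps(claims).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_json(segment):
    """Restore padding and decode one JWT segment into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded.encode("ascii")).decode("utf-8"))


def check_jti(data, text_types=TEXT_TYPES):
    """Same test as the quoted check, with the accepted types as a parameter."""
    if "jti" not in data or not isinstance(data["jti"], text_types):
        raise JWTDecodeError("Missing or invalid claim: jti")
    return data["jti"]


def accepts(data, text_types=TEXT_TYPES):
    """Return True when check_jti passes, False when it raises."""
    try:
        check_jti(data, text_types)
        return True
    except JWTDecodeError:
        return False


# Constructed refresh-token payload; the jti is a made-up UUID.
SAMPLE = make_segment({"jti": "00000000-0000-4000-8000-000000000000",
                       "type": "refresh", "identity": "test1"})

if __name__ == "__main__":
    payload = b64url_json(SAMPLE)
    print("text types accepted:", accepts(payload))
    print("bytes-only (py2 str):", accepts(payload, (bytes,)))
```
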