Refactoring

Author: vimalloc

flask_jwt_extended/__init__.py

@@ -1,3 +1,3 @@
 from .jwt_manager import JWTManager
 from .utils import (jwt_identity, jwt_user_claims, jwt_required, fresh_jwt_required,
-                    authenticate, refresh, fresh_authenticate)
+                    create_refresh_access_tokens, refresh_access_token, create_fresh_access_token)

flask_jwt_extended/app.py

@@ -5,7 +5,7 @@
 from flask import Flask, request, jsonify
 
 from flask_jwt_extended import JWTManager, jwt_required, fresh_jwt_required,\
-    authenticate, fresh_authenticate, refresh, jwt_identity, jwt_user_claims
+    create_refresh_access_tokens, create_fresh_access_token, refresh_access_token, jwt_identity, jwt_user_claims
 
 # Example users database
 USERS = {
@@ -27,16 +27,20 @@
 app.secret_key = 'super-secret'
 
 # Enable JWT blacklist / token revoke
-#
+app.config['JWT_BLACKLIST_ENABLED'] = True
+
 # We are going to be using a simple in memory blacklist for this example. In
 # production, you will likely prefer something like redis (it can work with
 # multiple threads and processes, and supports automatic removal of expired
 # tokens so the blacklist doesn't blow up). Check here for available options:
 # http://pythonhosted.org/simplekv/
 blacklist_store = simplekv.memory.DictStore()
-app.config['JWT_BLACKLIST_ENABLED'] = True
 app.config['JWT_BLACKLIST_STORE'] = blacklist_store
-app.config['JWT_BLACKLIST_TOKEN_CHECKS'] = 'refresh'  # only check blacklist for refresh tokens
+
+# Only check the blacklist for refresh token. Available options are:
+#   'all': Check blacklist for access and refresh tokens
+#   'refresh': Check blacklist only for refresh tokens
+app.config['JWT_BLACKLIST_TOKEN_CHECKS'] = 'refresh'
 
 # Optional configuration options
 app.config['JWT_ACCESS_TOKEN_EXPIRES'] = timedelta(hours=1)  # defaults to 15 minutes
@@ -90,7 +94,7 @@ def login():
     if USERS[username]['password'] != password:
         return jsonify({"msg": "Bad username or password"}), 401
 
-    return authenticate(identity=username)
+    return create_refresh_access_tokens(identity=username)
 
 
 # Endpoint for getting a fresh access token for a user
@@ -106,13 +110,13 @@ def fresh_login():
     if USERS[username]['password'] != password:
         return jsonify({"msg": "Bad username or password"}), 401
 
-    return fresh_authenticate(identity=username)
+    return create_fresh_access_token(identity=username)
 
 
 # Endpoint for generating a non-fresh access token from the refresh token
 @app.route('/refresh', methods=['POST'])
 def refresh_token():
-    return refresh()
+    return refresh_access_token()
 
 
 @app.route('/protected', methods=['GET'])

flask_jwt_extended/config.py

@@ -21,6 +21,5 @@
 # See: http://pythonhosted.org/simplekv/index.html#simplekv.TimeToLiveMixin
 BLACKLIST_STORE = None
 
-# blacklist check requests. Possible values are all, refresh, and None
-# TODO when accessing this value in app.config, make sure it is one of the expected values
-BLACKLIST_TOKEN_CHECKS = None
+# blacklist check requests. Possible values are all and refresh
+BLACKLIST_TOKEN_CHECKS = 'refresh'

flask_jwt_extended/utils.py

@@ -188,12 +188,14 @@ def _check_blacklist(jwt_data):
     token_type = jwt_data['type']
     jti = jwt_data['jti']
 
+    # Only check access tokens if BLACKLIST_TOKEN_CHECKS is set to 'all`
     if token_type == 'access' and _blacklist_checks() == 'all':
         token_status = store[jti]
         if token_status != 'active':
             raise RevokedTokenError('{} has been revoked'.format)
 
-    if token_type == 'refresh' and _blacklist_checks() in ('all', 'refresh'):
+    # Always check refresh tokens
+    if token_type == 'refresh':
         token_status = store[jti]
         if token_status != 'active':
             raise RevokedTokenError('{} has been revoked'.format)
@@ -264,7 +266,7 @@ def wrapper(*args, **kwargs):
     return wrapper
 
 
-def authenticate(identity):
+def create_refresh_access_tokens(identity):
     # Token settings
     config = current_app.config
     access_expire_delta = config.get('JWT_ACCESS_TOKEN_EXPIRES', ACCESS_EXPIRES)
@@ -285,8 +287,21 @@ def authenticate(identity):
     return jsonify(ret), 200
 
 
+def create_fresh_access_token(identity):
+    # Token options
+    secret = _get_secret_key()
+    config = current_app.config
+    access_expire_delta = config.get('JWT_ACCESS_TOKEN_EXPIRES', ACCESS_EXPIRES)
+    algorithm = config.get('JWT_ALGORITHM', ALGORITHM)
+    user_claims = current_app.jwt_manager.user_claims_callback(identity)
+    access_token = _encode_access_token(identity, secret, algorithm, access_expire_delta,
+                                        fresh=True, user_claims=user_claims)
+    ret = {'access_token': access_token}
+    return jsonify(ret), 200
+
+
 @_handle_callbacks_on_error
-def refresh():
+def refresh_access_token():
     # Get the JWT
     jwt_data = _decode_jwt_from_request()
 
@@ -310,19 +325,6 @@ def refresh():
     return jsonify(ret), 200
 
 
-def fresh_authenticate(identity):
-    # Token options
-    secret = _get_secret_key()
-    config = current_app.config
-    access_expire_delta = config.get('JWT_ACCESS_TOKEN_EXPIRES', ACCESS_EXPIRES)
-    algorithm = config.get('JWT_ALGORITHM', ALGORITHM)
-    user_claims = current_app.jwt_manager.user_claims_callback(identity)
-    access_token = _encode_access_token(identity, secret, algorithm, access_expire_delta,
-                                        fresh=True, user_claims=user_claims)
-    ret = {'access_token': access_token}
-    return jsonify(ret), 200
-
-
 def _get_secret_key():
     key = current_app.config.get('SECRET_KEY', None)
     if not key:
@@ -339,7 +341,11 @@ def _get_blacklist_store():
 
 
 def _blacklist_checks():
-    return current_app.config.get('JWT_BLACKLIST_TOKEN_CHECKS', BLACKLIST_TOKEN_CHECKS)
+    config = current_app.config
+    check_type = config.get('JWT_BLACKLIST_TOKEN_CHECKS', BLACKLIST_TOKEN_CHECKS)
+    if check_type not in ('all', 'refresh'):
+        raise RuntimeError('Invalid option for JWT_BLACKLIST_TOKEN_CHECKS')
+    return check_type
 
 
 def _store_supports_ttl(store):