Remove JWT_BLOCKLIST_TOKEN_CHECKS configuration option

This was a pretty bad idea from the get go. However if someone still
wants this functionality, they can check the `jwt_payload["type"]`
in their blocklist callback to ignore access or refresh tokens.

Author: Landon Gilbert-Bland

4.0.0_changelog.md

@@ -8,6 +8,10 @@ Breaking Changes
   to enable the blocklist, do not use the `@jwt.token_in_blocklist_loader` to
   register a callback function.
 
+* `app.config['JWT_BLACKLIST_TOKEN_CHEKCS']` option has been removed. If you don't want
+  to check a given token type against the blocklist, do it by comparing the `jwt_payload["type"]`
+  in your callback function.
+
 * Rename all occurrences of blacklist to blocklist
   - `JWT_BLACKLIST_TOKEN_CHECKS` option is now `JWT_BLOCKLIST_TOKEN_CHECKS`
   - `@jwt.token_in_blacklist_loader` callback is now `@jwt.token_in_blocklist_loader`

flask_jwt_extended/config.py

@@ -213,27 +213,6 @@ def decode_algorithms(self):
             algorithms.append(self.algorithm)
         return algorithms
 
-    @property
-    def blocklist_checks(self):
-        check_type = current_app.config["JWT_BLOCKLIST_TOKEN_CHECKS"]
-        if isinstance(check_type, str):
-            check_type = (check_type,)
-        elif not isinstance(check_type, (Sequence, Set)):
-            raise RuntimeError("JWT_BLOCKLIST_TOKEN_CHECKS must be a sequence or a set")
-        for item in check_type:
-            if item not in ("access", "refresh"):
-                err = 'JWT_BLOCKLIST_TOKEN_CHECKS must be "access" or "refresh"'
-                raise RuntimeError(err)
-        return check_type
-
-    @property
-    def blocklist_access_tokens(self):
-        return "access" in self.blocklist_checks
-
-    @property
-    def blocklist_refresh_tokens(self):
-        return "refresh" in self.blocklist_checks
-
     @property
     def _secret_key(self):
         key = current_app.config["JWT_SECRET_KEY"]

flask_jwt_extended/internal_utils.py

@@ -1,6 +1,5 @@
 from flask import current_app
 
-from flask_jwt_extended.config import config
 from flask_jwt_extended.exceptions import RevokedTokenError
 from flask_jwt_extended.exceptions import UserClaimsVerificationError
 from flask_jwt_extended.exceptions import WrongTokenError
@@ -32,11 +31,6 @@ def verify_token_type(decoded_token, expected_type):
 
 
 def verify_token_not_blocklisted(jwt_header, jwt_data, request_type):
-    if request_type == "access" and not config.blocklist_access_tokens:
-        return
-    if request_type == "refresh" and not config.blocklist_refresh_tokens:
-        return
-
     jwt_manager = get_jwt_manager()
     if jwt_manager._token_in_blocklist_callback(jwt_header, jwt_data):
         raise RevokedTokenError(jwt_header, jwt_data)

flask_jwt_extended/jwt_manager.py

@@ -165,7 +165,6 @@ def _set_default_configuration_options(app):
         app.config.setdefault("JWT_ACCESS_CSRF_FIELD_NAME", "csrf_token")
         app.config.setdefault("JWT_ACCESS_CSRF_HEADER_NAME", "X-CSRF-TOKEN")
         app.config.setdefault("JWT_ALGORITHM", "HS256")
-        app.config.setdefault("JWT_BLOCKLIST_TOKEN_CHECKS", ("access", "refresh"))
         app.config.setdefault("JWT_COOKIE_CSRF_PROTECT", True)
         app.config.setdefault("JWT_COOKIE_DOMAIN", None)
         app.config.setdefault("JWT_COOKIE_SAMESITE", None)

tests/test_blocklist.py

@@ -32,7 +32,6 @@ def refresh_protected():
 @pytest.mark.parametrize("blocklist_type", [["access"], ["refresh", "access"]])
 def test_non_blocklisted_access_token(app, blocklist_type):
     jwt = get_jwt_manager(app)
-    app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = blocklist_type
 
     @jwt.token_in_blocklist_loader
     def check_blocklisted(jwt_header, jwt_data):
@@ -52,7 +51,6 @@ def check_blocklisted(jwt_header, jwt_data):
 @pytest.mark.parametrize("blocklist_type", [["access"], ["refresh", "access"]])
 def test_blocklisted_access_token(app, blocklist_type):
     jwt = get_jwt_manager(app)
-    app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = blocklist_type
 
     @jwt.token_in_blocklist_loader
     def check_blocklisted(jwt_header, jwt_data):
@@ -70,7 +68,6 @@ def check_blocklisted(jwt_header, jwt_data):
 @pytest.mark.parametrize("blocklist_type", [["refresh"], ["refresh", "access"]])
 def test_non_blocklisted_refresh_token(app, blocklist_type):
     jwt = get_jwt_manager(app)
-    app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = blocklist_type
 
     @jwt.token_in_blocklist_loader
     def check_blocklisted(jwt_header, jwt_data):
@@ -90,7 +87,6 @@ def check_blocklisted(jwt_header, jwt_data):
 @pytest.mark.parametrize("blocklist_type", [["refresh"], ["refresh", "access"]])
 def test_blocklisted_refresh_token(app, blocklist_type):
     jwt = get_jwt_manager(app)
-    app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = blocklist_type
 
     @jwt.token_in_blocklist_loader
     def check_blocklisted(jwt_header, jwt_data):
@@ -107,31 +103,6 @@ def check_blocklisted(jwt_header, jwt_data):
     assert response.status_code == 401
 
 
-def test_revoked_token_of_different_type(app):
-    jwt = get_jwt_manager(app)
-    test_client = app.test_client()
-
-    @jwt.token_in_blocklist_loader
-    def check_blocklisted(jwt_header, jwt_data):
-        return True
-
-    with app.test_request_context():
-        access_token = create_access_token("username")
-        refresh_token = create_refresh_token("username")
-
-    app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = ["access"]
-    response = test_client.get(
-        "/refresh_protected", headers=make_headers(refresh_token)
-    )
-    assert response.get_json() == {"foo": "bar"}
-    assert response.status_code == 200
-
-    app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = ["refresh"]
-    response = test_client.get("/protected", headers=make_headers(access_token))
-    assert response.get_json() == {"foo": "bar"}
-    assert response.status_code == 200
-
-
 def test_custom_blocklisted_message(app):
     jwt = get_jwt_manager(app)
 

tests/test_config.py

@@ -59,9 +59,6 @@ def test_default_configs(app):
         assert config.algorithm == "HS256"
         assert config.decode_algorithms == ["HS256"]
         assert config.is_asymmetric is False
-        assert config.blocklist_checks == ("access", "refresh")
-        assert config.blocklist_access_tokens is True
-        assert config.blocklist_refresh_tokens is True
 
         assert config.cookie_max_age is None
 
@@ -109,8 +106,6 @@ def test_override_configs(app, delta_func):
     app.config["JWT_ALGORITHM"] = "HS512"
     app.config["JWT_DECODE_ALGORITHMS"] = ["HS512", "HS256"]
 
-    app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = ("refresh",)
-
     app.config["JWT_IDENTITY_CLAIM"] = "foo"
 
     app.config["JWT_ERROR_MESSAGE_KEY"] = "message"
@@ -160,10 +155,6 @@ class CustomJSONEncoder(JSONEncoder):
         assert config.algorithm == "HS512"
         assert config.decode_algorithms == ["HS512", "HS256"]
 
-        assert config.blocklist_checks == ("refresh",)
-        assert config.blocklist_access_tokens is False
-        assert config.blocklist_refresh_tokens is True
-
         assert config.cookie_max_age == 31540000
 
         assert config.identity_claim_key == "foo"
@@ -293,26 +284,6 @@ def test_invalid_config_options(app):
         with pytest.raises(RuntimeError):
             config.refresh_expires
 
-        app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = "banana"
-        with pytest.raises(RuntimeError):
-            config.blocklist_checks
-
-        app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = 1
-        with pytest.raises(RuntimeError):
-            config.blocklist_checks
-
-        app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = {"token_type": "access"}
-        with pytest.raises(RuntimeError):
-            config.blocklist_checks
-
-        app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = range(99)
-        with pytest.raises(RuntimeError):
-            config.blocklist_checks
-
-        app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = ["access", "banana"]
-        with pytest.raises(RuntimeError):
-            config.blocklist_checks
-
 
 def test_jwt_token_locations_config(app):
     with app.test_request_context():
@@ -340,32 +311,6 @@ def test_jwt_token_locations_config(app):
             assert config.token_location == locations
 
 
-def test_jwt_blocklist_token_checks_config(app):
-    with app.test_request_context():
-        allowed_token_types = ("access", "refresh")
-        allowed_data_structures = (tuple, list, frozenset, set)
-
-        for token_type in allowed_token_types:
-            app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = token_type
-            assert config.blocklist_checks == (token_type,)
-
-        for token_types in (
-            data_structure((token_type,))
-            for data_structure in allowed_data_structures
-            for token_type in allowed_token_types
-        ):
-            app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = token_types
-            assert config.blocklist_checks == token_types
-
-        for token_types in (
-            data_structure(allowed_token_types[:i])
-            for data_structure in allowed_data_structures
-            for i in range(1, len(allowed_token_types))
-        ):
-            app.config["JWT_BLOCKLIST_TOKEN_CHECKS"] = token_types
-            assert config.blocklist_checks == token_types
-
-
 def test_csrf_protect_config(app):
     with app.test_request_context():
         app.config["JWT_TOKEN_LOCATION"] = ["headers"]