Update redis blocklist example

Landon Gilbert-Bland · Landon Gilbert-Bland · commit a2a2637a84bf · 2021-02-12T09:54:10.000-07:00
diff --git a/docs/blocklist_and_token_revoking.rst b/docs/blocklist_and_token_revoking.rst
@@ -18,14 +18,19 @@ In production, you will want to use some form of persistent storage (database,
 redis, etc) to store your JWTs. It would be bad if your application forgot that
 a JWT was revoked if it was restarted.
 
-If your only requirements are to check if a JWT has been previously revoked,
-our recommendation is to use redis, as it is blazing fast. If you need to keep
-track of information about revoked JWTs (when it was revoked, who revoked it,
-can it be un-revoked, etc), our general recommendation is to utilize your database.
-Ultimately though choice of what persistent storage engine to use will depend on
-your specific application and tech stack.
-
-For more production like examples of toking revoking, check out:
+If your only requirements are to check if a JWT has been revoked, our
+recommendation is to use redis. It is blazing fast, can be configured to persist
+data to disc, and can automatically clear out JWTs after they expire by utilizing
+the Time To Live (TTL) functionality when storing a JWT.
+
+If you need to keep track of information about revoked JWTs our recommendation is
+to utilize a database. This allows you to easily store and utilize metadata for
+revoked tokens, such as when it was revoked, who revoked it, can it be un-revoked,
+etc.
+
+Ultimately the choice of what persistent storage engine to use will depend on
+your specific application and tech stack. For some examples of JWT revoking using
+redist or a database, check out:
 
 - `Redis Example <https://github.com/vimalloc/flask-jwt-extended/blob/master/examples/redis_blocklist.py>`_
 - `Database Example <https://github.com/vimalloc/flask-jwt-extended/tree/master/examples/database_blocklist>`_
diff --git a/examples/redis_blocklist.py b/examples/redis_blocklist.py
@@ -1,137 +1,57 @@
-# Redis is a very quick in memory store. The benefits of using redis is that
-# things will generally speedy, and it can be (mostly) persistent by dumping
-# the data to disk (see: https://redis.io/topics/persistence). The drawbacks
-# to using redis is you have a higher chance of encountering data loss (in
-# this case, 'forgetting' that a token was revoked), when events like
-# power outages occur.
-#
-# When does it make sense to use redis for a blocklist? If you are blocklisting
-# every token on logout, and not doing nothing besides that (such as keeping
-# track of what tokens are blocklisted, providing options to un-revoke
-# blocklisted tokens, or view tokens that are currently active for a user),
-# then redis is a great choice. In the worst case, a few tokens might slip
-# between the cracks in the case of a power outage or other such event, but
-# 99.99% of the time tokens will be properly blocklisted.
-#
-# Redis also has the benefit of supporting an expires time when storing data.
-# Utilizing this, you will not need to manually prune down the stored tokens
-# to keep it from blowing up over time. This code includes how to do this.
-#
-# If you intend to use some other features in your blocklist (tracking
-# what tokens are currently active, option to revoke or unrevoke specific
-# tokens, etc), data integrity is probably more important to you then
-# raw performance. In this case a database solution (such as postgres) is
-# probably a better fit for your blocklist. Check out the "database_blocklist"
-# example for how that might work.
 from datetime import timedelta
 
 import redis
 from flask import Flask
 from flask import jsonify
-from flask import request
 
 from flask_jwt_extended import create_access_token
-from flask_jwt_extended import create_refresh_token
-from flask_jwt_extended import get_jti
 from flask_jwt_extended import get_jwt
-from flask_jwt_extended import get_jwt_identity
-from flask_jwt_extended import jwt_refresh_token_required
 from flask_jwt_extended import jwt_required
 from flask_jwt_extended import JWTManager
 
-app = Flask(__name__)
-app.secret_key = "ChangeMe!"
+ACCESS_EXPIRES = timedelta(hours=1)
 
-# Setup the flask-jwt-extended extension. See:
-ACCESS_EXPIRES = timedelta(minutes=15)
-REFRESH_EXPIRES = timedelta(days=30)
+app = Flask(__name__)
+app.config["JWT_SECRET_KEY"] = "super-secret"  # Change this!
 app.config["JWT_ACCESS_TOKEN_EXPIRES"] = ACCESS_EXPIRES
-app.config["JWT_REFRESH_TOKEN_EXPIRES"] = REFRESH_EXPIRES
 jwt = JWTManager(app)
 
 # Setup our redis connection for storing the blocklisted tokens
-revoked_store = redis.StrictRedis(
+jwt_redis_blocklist = redis.StrictRedis(
     host="localhost", port=6379, db=0, decode_responses=True
 )
 
 
-# Create our function to check if a token has been blocklisted. In this simple
-# case, we will just store the tokens jti (unique identifier) in redis
-# whenever we create a new token (with the revoked status being 'false'). This
-# function will return the revoked status of a token. If a token doesn't
-# exist in this store, we don't know where it came from (as we are adding newly
-# created tokens to our store with a revoked status of 'false'). In this case
-# we will consider the token to be revoked, for safety purposes.
+# Callback function to check if a JWT exists in the redis blocklist
 @jwt.token_in_blocklist_loader
-def check_if_token_is_revoked(decrypted_token):
-    jti = decrypted_token["jti"]
-    entry = revoked_store.get(jti)
-    if entry is None:
-        return True
-    return entry == "true"
+def check_if_token_is_revoked(jwt_header, jwt_payload):
+    jti = jwt_payload["jti"]
+    token_in_redis = jwt_redis_blocklist.get(jti)
+    return token_in_redis is not None
 
 
-@app.route("/auth/login", methods=["POST"])
+@app.route("/login", methods=["POST"])
 def login():
-    username = request.json.get("username", None)
-    password = request.json.get("password", None)
-    if username != "test" or password != "test":
-        return jsonify({"msg": "Bad username or password"}), 401
-
-    # Create our JWTs
-    access_token = create_access_token(identity=username)
-    refresh_token = create_refresh_token(identity=username)
-
-    # Store the tokens in redis with a status of not currently revoked. We
-    # can use the `get_jti()` method to get the unique identifier string for
-    # each token. We can also set an expires time on these tokens in redis,
-    # so they will get automatically removed after they expire. We will set
-    # everything to be automatically removed shortly after the token expires
-    access_jti = get_jti(encoded_token=access_token)
-    refresh_jti = get_jti(encoded_token=refresh_token)
-    revoked_store.set(access_jti, "false", ACCESS_EXPIRES * 1.2)
-    revoked_store.set(refresh_jti, "false", REFRESH_EXPIRES * 1.2)
-
-    ret = {"access_token": access_token, "refresh_token": refresh_token}
-    return jsonify(ret), 201
+    access_token = create_access_token(identity="example_user")
+    return jsonify(access_token=access_token)
 
 
-# A blocklisted refresh tokens will not be able to access this endpoint
-@app.route("/auth/refresh", methods=["POST"])
-@jwt_refresh_token_required
-def refresh():
-    # Do the same thing that we did in the login endpoint here
-    current_user = get_jwt_identity()
-    access_token = create_access_token(identity=current_user)
-    access_jti = get_jti(encoded_token=access_token)
-    revoked_store.set(access_jti, "false", ACCESS_EXPIRES * 1.2)
-    ret = {"access_token": access_token}
-    return jsonify(ret), 201
-
-
-# Endpoint for revoking the current users access token
-@app.route("/auth/access_revoke", methods=["DELETE"])
-@jwt_required
+# Endpoint for revoking the current users access token. Set a Time to Live (TTL)
+# when storing the token so that it will automatically be cleared out of redis
+# after the token expires.
+@app.route("/logout", methods=["DELETE"])
+@jwt_required()
 def logout():
     jti = get_jwt()["jti"]
-    revoked_store.set(jti, "true", ACCESS_EXPIRES * 1.2)
-    return jsonify({"msg": "Access token revoked"}), 200
-
-
-# Endpoint for revoking the current users refresh token
-@app.route("/auth/refresh_revoke", methods=["DELETE"])
-@jwt_refresh_token_required
-def logout2():
-    jti = get_jwt()["jti"]
-    revoked_store.set(jti, "true", REFRESH_EXPIRES * 1.2)
-    return jsonify({"msg": "Refresh token revoked"}), 200
+    jwt_redis_blocklist.set(jti, "", ACCESS_EXPIRES)
+    return jsonify(msg="Access token revoked")
 
 
 # A blocklisted access token will not be able to access this any more
 @app.route("/protected", methods=["GET"])
-@jwt_required
+@jwt_required()
 def protected():
-    return jsonify({"hello": "world"})
+    return jsonify(hello="world")
 
 
 if __name__ == "__main__":
