Merge pull request #23 from portrain/fix/jwt-access-revoke

Fix/jwt access revoke

Author: vimalloc

docs/options.rst

@@ -48,6 +48,6 @@ The available options are:
 ``JWT_BLACKLIST_ENABLED``         Enable/disable token blacklisting and revoking. Defaults to ``False``
 ``JWT_BLACKLIST_STORE``           Where to save created and revoked tokens. `See here
                                   <http://pythonhosted.org/simplekv/>`_ for options.
-``JWT_BLACKLIST_CHECKS``          What token types to check against the blacklist. Options are
+``JWT_BLACKLIST_TOKEN_CHECKS``    What token types to check against the blacklist. Options are
                                   ``'refresh'`` or  ``'all'``. Defaults to ``'refresh'``. Only used if blacklisting is enabled.
 ================================= =========================================

examples/blacklist.py

@@ -56,13 +56,19 @@ def refresh():
     return jsonify(ret), 200
 
 
-# Endpoint for revoking a token when logging out
-@app.route('/logout', method=['POST'])
+# Endpoint for revoking an access token when logging out.
+# Please make sure JWT_BLACKLIST_TOKEN_CHECKS is set to 'all'
+@app.route('/logout', methods=['POST'])
 @jwt_required
 def logout():
     jwt = get_raw_jwt()
     jti = jwt['jti']
-    revoke_token(jti)
+    try:
+        revoke_token(jti)
+    except KeyError:
+        return jsonify({
+            'msg': 'Requires access tokens to be blacklisted'
+        }), 500
     return jsonify({"msg": "Successfully logged out"}), 200
 
 

flask_jwt_extended/utils.py

@@ -30,15 +30,15 @@ def get_jwt_identity():
     Returns the identity of the JWT in this context. If no JWT is present,
     None is returned.
     """
-    return getattr(ctx_stack.top, 'jwt_identity', None)
+    return get_raw_jwt().get('identity', None)
 
 
 def get_jwt_claims():
     """
     Returns the dictionary of custom use claims in this JWT. If no custom user
     claims are present, an empty dict is returned
     """
-    return getattr(ctx_stack.top, 'jwt_user_claims', {})
+    return get_raw_jwt().get('user_claims', {})
 
 
 def get_raw_jwt():
@@ -241,8 +241,6 @@ def wrapper(*args, **kwargs):
 
         # Save the jwt in the context so that it can be accessed later by
         # the various endpoints that is using this decorator
-        ctx_stack.top.jwt_identity = jwt_data['identity']
-        ctx_stack.top.jwt_user_claims = jwt_data['user_claims']
         ctx_stack.top.jwt = jwt_data
         return fn(*args, **kwargs)
     return wrapper
@@ -277,8 +275,6 @@ def wrapper(*args, **kwargs):
 
         # Save the jwt in the context so that it can be accessed later by
         # the various endpoints that is using this decorator
-        ctx_stack.top.jwt_identity = jwt_data['identity']
-        ctx_stack.top.jwt_user_claims = jwt_data['user_claims']
         ctx_stack.top.jwt = jwt_data
         return fn(*args, **kwargs)
     return wrapper
@@ -306,7 +302,6 @@ def wrapper(*args, **kwargs):
 
         # Save the jwt in the context so that it can be accessed later by
         # the various endpoints that is using this decorator
-        ctx_stack.top.jwt_identity = jwt_data['identity']
         ctx_stack.top.jwt = jwt_data
         return fn(*args, **kwargs)
     return wrapper

tests/test_blacklist.py

@@ -7,7 +7,7 @@
 from flask import Flask, jsonify, request
 from flask_jwt_extended.blacklist import _get_token_ttl, get_stored_token
 from flask_jwt_extended.utils import _encode_refresh_token, _decode_jwt, \
-    fresh_jwt_required, get_jwt_identity
+    fresh_jwt_required, get_jwt_identity, get_raw_jwt
 
 from flask_jwt_extended import JWTManager, create_access_token, \
     get_all_stored_tokens, get_stored_tokens, revoke_token, unrevoke_token, \
@@ -71,6 +71,14 @@ def refresh():
             ret = {'access_token': create_access_token(username, fresh=False)}
             return jsonify(ret), 200
 
+        @self.app.route('/auth/logout', methods=['POST'])
+        @jwt_required
+        def logout():
+            jti = get_raw_jwt()['jti']
+            revoke_token(jti)
+            ret = {"msg": "Successfully logged out"}
+            return jsonify(ret), 200
+
         @self.app.route('/protected', methods=['POST'])
         @jwt_required
         def protected():
@@ -284,6 +292,28 @@ def test_revoked_refresh_token(self):
         self.assertEqual(status, 200)
         self.assertIn('access_token', data)
 
+    def test_login_logout(self):
+        # Check access and refresh tokens
+        self.app.config['JWT_BLACKLIST_TOKEN_CHECKS'] = 'all'
+
+        # Login
+        access_token, refresh_token = self._login('test12345')
+
+        # Verify we can access the protected endpoint
+        status, data = self._jwt_post('/protected', access_token)
+        self.assertEqual(status, 200)
+        self.assertEqual(data, {'hello': 'world'})
+
+        # Logout
+        status, data = self._jwt_post('/auth/logout', access_token)
+        self.assertEqual(status, 200)
+        self.assertEqual(data, {'msg': 'Successfully logged out'})
+
+        # Verify that we cannot access the protected endpoint anymore
+        status, data = self._jwt_post('/protected', access_token)
+        self.assertEqual(status, 401)
+        self.assertEqual(data, {'msg': 'Token has been revoked'})
+
     def test_bad_blacklist_settings(self):
         app = Flask(__name__)
         app.testing = True  # Propagate exceptions