moving more github docs to read the docs

Author: rlam3

docs/__init__.py

@@ -0,0 +1,53 @@
+Adding Custom Data (Claims) to the Access Token
+===============================================
+
+You may want to store additional information in the access token. Perhaps you want to save the access roles this user has so you can access them in the view functions (without having to make a database call each time). This can be done with the user_claims_loader decorator, and accessed later with the 'get_jwt_claims()' method (in a protected endpoint).
+
+
+.. code-block:: python
+
+  from flask import Flask, jsonify, request
+  from flask_jwt_extended import JWTManager, jwt_required, create_access_token, \
+      get_jwt_claims
+
+  app = Flask(__name__)
+  app.secret_key = 'super-secret'  # Change this!
+  jwt = JWTManager(app)
+
+
+  # Using the user_claims_loader, we can specify a method that will be called
+  # when creating access tokens, and add these claims to the said token. This
+  # method is passed the identity of who the token is being created for, and
+  # must return data that is json serializable
+  @jwt.user_claims_loader
+  def add_claims_to_access_token(identity):
+      return {
+          'hello': identity,
+          'foo': ['bar', 'baz']
+      }
+
+
+  @app.route('/login', methods=['POST'])
+  def login():
+      username = request.json.get('username', None)
+      password = request.json.get('password', None)
+      if username != 'test' and password != 'test':
+          return jsonify({"msg": "Bad username or password"}), 401
+
+      ret = {'access_token': create_access_token(username)}
+      return jsonify(ret), 200
+
+
+  # In a protected view, get the claims you added to the jwt with the
+  # get_jwt_claims() method
+  @app.route('/protected', methods=['GET'])
+  @jwt_required
+  def protected():
+      claims = get_jwt_claims()
+      return jsonify({
+          'hello_is': claims['hello'],
+          'foo_is': claims['foo']
+      }), 200
+
+  if __name__ == '__main__':
+      app.run()

docs/add_custom_data_claims.rst

@@ -0,0 +1,118 @@
+Blacklist and Token Revoking
+============================
+
+This supports optional blacklisting and token revoking out of the box. This will allow you to revoke a specific token so a user can no longer access your endpoints. In order to revoke a token, we need some storage where we can save a list of all the tokens we have created, as well as if they have been revoked or not. In order to make the underlying storage as agnostic as possible, we use simplekv to provide assess to a variety of backends.
+
+In production, it is important to use a backend that can have some sort of persistent storage, so we don't 'forget' that we revoked a token if the flask process is restarted. We also need something that can be safely used by the multiple thread and processes running your application. At present we believe redis is a good fit for this. It has the added benefit of removing expired tokens from the store automatically, so it wont blow up into something huge.
+
+We also have choose what tokens we want to check against the blacklist. We could check all tokens (refresh and access), or only the refresh tokens. There are pros and cons to either way (extra overhead on jwt_required endpoints vs someone being able to use an access token freely until it expires). In this example, we are going to only check refresh tokens, and set the access tokes to a small expires time to help minimize damage that could be done with a stolen access token.
+
+.. code-block:: python
+
+  from datetime import timedelta
+  
+
+  import simplekv
+  import simplekv.memory
+  from flask import Flask, request, jsonify
+
+  from flask_jwt_extended import JWTManager, jwt_required, \
+      get_jwt_identity, revoke_token, unrevoke_token, \
+      get_stored_tokens, get_all_stored_tokens, create_access_token, \
+      create_refresh_token, jwt_refresh_token_required
+
+  # Setup flask
+  app = Flask(__name__)
+  app.secret_key = 'super-secret'
+
+  # Configure access token expires time
+  app.config['JWT_ACCESS_TOKEN_EXPIRES'] = timedelta(minutes=5)
+
+  # Enable and configure the JWT blacklist / token revoke. We are using an in
+  # memory store for this example. In production, you should use something
+  # persistant (such as redis, memcached, sqlalchemy). See here for options:
+  # http://pythonhosted.org/simplekv/
+  app.config['JWT_BLACKLIST_ENABLED'] = True
+  app.config['JWT_BLACKLIST_STORE'] = simplekv.memory.DictStore()
+  app.config['JWT_BLACKLIST_TOKEN_CHECKS'] = 'refresh'
+
+  jwt = JWTManager(app)
+
+
+  @app.route('/login', methods=['POST'])
+  def login():
+      username = request.json.get('username', None)
+      password = request.json.get('password', None)
+      if username != 'test' and password != 'test':
+          return jsonify({"msg": "Bad username or password"}), 401
+
+      ret = {
+          'access_token': create_access_token(identity=username),
+          'refresh_token': create_refresh_token(identity=username)
+      }
+      return jsonify(ret), 200
+
+
+  @app.route('/refresh', methods=['POST'])
+  @jwt_refresh_token_required
+  def refresh():
+      current_user = get_jwt_identity()
+      ret = {
+          'access_token': create_access_token(identity=current_user)
+      }
+      return jsonify(ret), 200
+
+
+  # Endpoint for listing tokens that have the same identity as you
+  @app.route('/auth/tokens', methods=['GET'])
+  @jwt_required
+  def list_identity_tokens():
+      username = get_jwt_identity()
+      return jsonify(get_stored_tokens(username)), 200
+
+
+  # Endpoint for listing all tokens. In your app, you should either not expose
+  # this endpoint, or put some addition security on top of it so only trusted users,
+  # (administrators, etc) can access it
+  @app.route('/auth/all-tokens')
+  def list_all_tokens():
+      return jsonify(get_all_stored_tokens()), 200
+
+
+  # Endpoint for allowing users to revoke their tokens
+  @app.route('/auth/tokens/revoke/<string:jti>', methods=['PUT'])
+  @jwt_required
+  def change_jwt_revoke_state(jti):
+      username = jwt_get_identity()
+      try:
+          token_data = get_stored_token(jti)
+          if token_data['token']['identity'] != username:
+              raise KeyError
+          revoke_token(jti)
+          return jsonify({"msg": "Token successfully revoked"}), 200
+      except KeyError:
+          return jsonify({'msg': 'Token not found'}), 404
+
+
+  # Endpoint for allowing users to unrevoke their tokens
+  @app.route('/auth/tokens/unrevoke/<string:jti>', methods=['PUT'])
+  @jwt_required
+  def change_jwt_unrevoke_state(jti):
+      username = jwt_get_identity()
+      try:
+          token_data = get_stored_token(jti)
+          if token_data['token']['identity'] != username:
+              raise KeyError
+          unrevoke_token(jti)
+          return jsonify({"msg": "Token successfully unrevoked"}), 200
+      except KeyError:
+          return jsonify({'msg': 'Token not found'}), 404
+
+
+  @app.route('/protected', methods=['GET'])
+  @jwt_required
+  def protected():
+      return jsonify({'hello': 'world'})
+
+  if __name__ == '__main__':
+      app.run()

docs/blacklist_and_token_revoking.rst

@@ -0,0 +1,60 @@
+Changing Default Behaviors
+==========================
+
+
+We provide what we think are sensible behaviors when attempting to access a protected endpoint. If the access token is not valid for any reason (missing, expired, tampered with, etc) we will return json in the format of {'msg': 'why accessing endpoint failed'} along with an appropriate http status code (generally 401 or 422). However, you may want to customize what you returned in these situations. We can do that with the jwt_manager _loader functions.
+
+
+.. code-block:: python
+
+  from flask import Flask, jsonify, request
+  from flask_jwt_extended import JWTManager, jwt_required, create_access_token
+
+  app = Flask(__name__)
+  app.secret_key = 'super-secret'  # Change this!
+  jwt = JWTManager(app)
+
+
+  # Use the expired_token_loader to call this function whenever an expired but
+  # otherwise valid access token tries to access an endpoint
+  @jwt.expired_token_loader
+  def my_expired_token_callback():
+      return jsonify({
+          'status': 401,
+          'sub_status': 101,
+          'msg': 'The token has expired'
+      }), 200
+
+
+  @app.route('/login', methods=['POST'])
+  def login():
+      username = request.json.get('username', None)
+      password = request.json.get('password', None)
+      if username != 'test' and password != 'test':
+          return jsonify({"msg": "Bad username or password"}), 401
+
+      ret = {'access_token': create_access_token(username)}
+      return jsonify(ret), 200
+
+
+  @app.route('/protected', methods=['GET'])
+  @jwt_required
+  def protected():
+      return jsonify({'hello': 'world'}), 200
+
+  if __name__ == '__main__':
+      app.run()
+
+
+
+************************************
+Loader functions are:
+************************************
+
+.. automodule:: jwt_manager.py
+  :members:
+
+.. literalinclude:: ../flask_jwt_extended/jwt_manager.py
+  :language: python
+  :emphasize-lines: 60-122
+  :linenos:

docs/changing_default_behavior.rst

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 #
 import sphinx_rtd_theme
-
+import sys, os
 # flask-jwt-extended documentation build configuration file, created by
 # sphinx-quickstart on Thu Oct  6 13:07:36 2016.
 #
@@ -18,9 +18,14 @@
 # add these directories to sys.path here. If the directory is relative to the
 # documentation root, use os.path.abspath to make it absolute, like shown here.
 #
-# import os
-# import sys
+
+
 # sys.path.insert(0, os.path.abspath('.'))
+sys.path.insert(0, os.path.abspath('../../..'))
+sys.path.insert(0, os.path.abspath('../flask_jwt_extended/'))
+# sys.path.insert(0, os.path.abspath('../../flask-jwt-extended/flask_jwt_extended/'))
+
+print sys.path
 
 # -- General configuration ------------------------------------------------
 
@@ -31,8 +36,13 @@
 # Add any Sphinx extension module names here, as strings. They can be
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
-extensions = []
-
+extensions = [
+    'sphinx.ext.autodoc',
+    'sphinx.ext.intersphinx',
+    'sphinx.ext.ifconfig',
+    'sphinx.ext.viewcode',
+    'sphinx.ext.autosummary'
+]
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
 

docs/conf.py

@@ -18,7 +18,7 @@ Welcome to flask-jwt-extended's documentation!
    changing_default_behavior
    options
    blacklist_and_token_revoking
-   testing_and_code_coverage
+   testing_and_coverage
 
 
 

docs/index.rst

@@ -0,0 +1,56 @@
+Refresh Tokens
+==============
+
+Flask-JWT-Extended supports refresh tokens out of the box. These are longer lived token which cannot access a jwt_required protected endpoint, but can be used to create new access tokens once an old access token has expired. By setting the access tokens to a shorter lifetime (see Options below), and utilizing fresh tokens for critical views (see Fresh Tokens below) we can help reduce the damage done if an access token is stolen. Here is an example of how you might use them in your application:
+
+
+.. code-block:: python
+
+  from flask import Flask, jsonify, request
+  from flask_jwt_extended import JWTManager, jwt_required, create_access_token, \
+      jwt_refresh_token_required, create_refresh_token, get_jwt_identity
+
+  app = Flask(__name__)
+  app.secret_key = 'super-secret'  # Change this!
+  jwt = JWTManager(app)
+
+
+  @app.route('/login', methods=['POST'])
+  def login():
+      username = request.json.get('username', None)
+      password = request.json.get('password', None)
+      if username != 'test' and password != 'test':
+          return jsonify({"msg": "Bad username or password"}), 401
+
+      # Use create_access_token() and create_refresh_token() to create our
+      # access and refresh tokens
+      ret = {
+          'access_token': create_access_token(identity=username),
+          'refresh_token': create_refresh_token(identity=username)
+      }
+      return jsonify(ret), 200
+
+
+  # The jwt_refresh_token_required decorator insures a valid refresh token is
+  # present in the request before calling this endpoint. We can use the
+  # get_jwt_identity() function to get the identity of the refresh toke, and use
+  # the create_access_token() function again to make a new access token for this
+  # identity.
+  @app.route('/refresh', methods=['POST'])
+  @jwt_refresh_token_required
+  def refresh():
+      current_user = get_jwt_identity()
+      ret = {
+          'access_token': create_access_token(identity=current_user)
+      }
+      return jsonify(ret), 200
+
+
+  @app.route('/protected', methods=['GET'])
+  @jwt_required
+  def protected():
+      username = get_jwt_identity()
+      return jsonify({'hello': 'from {}'.format(username)}), 200
+
+  if __name__ == '__main__':
+      app.run()

docs/options.rst

@@ -0,0 +1,8 @@
+Testing and Code Coverage
+=========================
+
+We run all the unit tests with tox. This will test against python2.7, and 3.5 (although not tested, python3.3 and 3.4 should also be fully supported). This will also print out a code coverage report.
+
+.. code-block:: bash
+
+  $ tox