rscarrera27 / sanic-jwt-extended
⚡️ An open source Sanic extension that provides "extended" JWT support
Home Page: https://sanic-jwt-extended.seonghyeon.dev
License: MIT License
Add access control feature
I created a refresh token with private_claims, like this: {"username": "test"}
After refreshing the token, I found the private_claims keys have a dot prefix, like this: {".username": "test"}
The buggy code is as follows:
for k, v in private_claims.items():
    payload[f"{private_claim_prefix}.{k}"] = v
Maybe this is correct:
for k, v in private_claims.items():
    payload[private_claim_prefix + k] = v
The internally used _get_raw_jwt_from_request has a parameter is_access, and refresh_jwt_required should set it to False.
acl_claim config instead of hard coded key
This library supports CSRF protection when using cookies. There's a csrf-read part in tokens.py and decorators.py. But when I looked into the source code, I couldn't find a csrf-write part, and it's impossible to write csrf in the create_access_token and create_refresh_token functions.
It would be solved if we could add csrf claims when encoding the JWT.
1.0 version with a few major changes.
Even though jwt_optional should ignore errors if the error is not token-validity related, jwt_optional doesn't ignore InvalidHeaderError.
https://gist.github.com/NovemberOscar/e75822ac896c548b0de9eb2f9febf6a4
From the doc about Storing Private Claims: "the propagated Token object contains private claims in Token.private_claims. The prefix does not exist at this time."
It seems the prefix still exists, though.
Bug code:
if private_claims:
    for k, v in private_claims:
        payload[f"{private_claim_prefix}.{k}"] = v
Should be:
if private_claims:
    for k, v in private_claims.items():
        payload[f"{private_claim_prefix}.{k}"] = v
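The two reports above (the leaked "." on refresh and the missing `.items()`) are both about how private claims are namespaced inside the payload and recovered again. The following is an added example, not sanic-jwt-extended's code: a minimal HS256 JWT built with the standard library, a prefixing step that iterates `.items()`, and an extraction step that strips the prefix together with its separator so a refresh round trip yields `{"username": "test"}` rather than `{".username": "test"}`. The prefix name `user_claims`, the claim names and the secret are assumptions for the demo.

```python
# Added example (not the library's code): HS256 JWT + private-claim prefixing round trip.
import base64
import hashlib
import hmac
import json
import time

PRIVATE_CLAIM_PREFIX = "user_claims"   # assumed prefix; the library's configured value may differ
SEPARATOR = "."


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict, secret: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_jwt(token: str, secret: bytes) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    # Pin the algorithm instead of trusting the token's own alg field (rejects alg=none).
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def add_private_claims(payload: dict, private_claims: dict, prefix: str = PRIVATE_CLAIM_PREFIX) -> dict:
    # .items() is required: iterating a dict directly yields keys only, so "for k, v in d" fails.
    for k, v in private_claims.items():
        payload[f"{prefix}{SEPARATOR}{k}"] = v
    return payload


def extract_private_claims(payload: dict, prefix: str = PRIVATE_CLAIM_PREFIX) -> dict:
    # Strip prefix AND separator; stripping only the prefix leaves ".username" behind,
    # and re-prefixing that on refresh is how the dotted keys in the report appear.
    marker = prefix + SEPARATOR
    return {k[len(marker):]: v for k, v in payload.items() if k.startswith(marker)}


def create_token(identity: str, token_type: str, private_claims: dict, secret: bytes, now=None) -> str:
    now = int(time.time()) if now is None else now
    payload = {"iat": now, "identity": identity, "type": token_type}
    return encode_jwt(add_private_claims(payload, private_claims), secret)


def refresh_access_token(refresh_token: str, secret: bytes) -> str:
    payload = decode_jwt(refresh_token, secret)
    if payload.get("type") != "refresh":
        raise ValueError("only refresh tokens can mint access tokens")
    # Private claims are carried over by extracting them cleanly and re-prefixing once.
    return create_token(payload["identity"], "access", extract_private_claims(payload), secret)


if __name__ == "__main__":
    secret = b"example-secret"  # constructed for the demo
    rt = create_token("test", "refresh", {"username": "test"}, secret)
    at = refresh_access_token(rt, secret)
    print(extract_private_claims(decode_jwt(at, secret)))  # {'username': 'test'}
```

The same separator constant is used on both the write and the read side; if the two ever disagree (a dotted prefix on write, a bare prefix on read, or the reverse) the claims either vanish or come back with part of the namespace attached, which is exactly the symptom reported.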
I want to use the latest code, but the one on PyPI was last updated on Nov 13, 2018. Could you update it? Thank you very much.
flask-jwt-extended supports using cookies as JWT token storage, and has utility functions like set_access_cookie and set_refresh_cookie, and config options like JWT_COOKIE_CSRF_PROTECT.
I'm developing a website using Nuxt (a Vue SSR framework), and I want to use cookies for authentication on the server side rather than localStorage. But I don't think this project supports it now. Do you have any plan for this?
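Both the csrf-write request above and this cookie-storage request come down to the same pattern: when the JWT lives in a cookie the browser sends it automatically, so a state-changing request must additionally prove it came from your own page. The following is an added example, not the library's or flask-jwt-extended's code, of the double-submit scheme that JWT_COOKIE_CSRF_PROTECT implements: a random `csrf` claim is written into the token at creation time, mirrored into a script-readable cookie, and for unsafe methods the request must echo it back in a header that matches the claim inside the signed token. The header name, cookie names and claim name are assumptions.

```python
# Added example (not the library's code): cookie-stored JWT with double-submit CSRF.
import hmac
import secrets

CSRF_HEADER = "X-CSRF-TOKEN"            # assumed header name
ACCESS_COOKIE = "access_token_cookie"   # assumed cookie name
CSRF_COOKIE = "csrf_access_token"       # assumed cookie name
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def add_csrf_claim(payload: dict) -> dict:
    """Write a fresh random csrf claim into the payload before it is signed.
    Being inside the signed token, the value cannot be changed by the client."""
    payload["csrf"] = secrets.token_hex(16)
    return payload


def access_cookie_header(encoded_token: str, secure: bool = True) -> str:
    """Set-Cookie value for the JWT itself: HttpOnly keeps it away from scripts,
    SameSite=Lax blocks most cross-site POSTs, Secure keeps it off plain HTTP."""
    attrs = [f"{ACCESS_COOKIE}={encoded_token}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def csrf_cookie_header(payload: dict, secure: bool = True) -> str:
    """Set-Cookie value for the csrf mirror. Deliberately NOT HttpOnly: the page's
    own JavaScript reads it and copies it into the request header."""
    attrs = [f"{CSRF_COOKIE}={payload['csrf']}", "Path=/", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def check_csrf(payload: dict, method: str, headers: dict) -> bool:
    """Double submit: for unsafe methods the header must equal the csrf claim in the
    already-verified token payload. A cross-site request carries the cookie but cannot
    set this header (and cannot read the csrf cookie), so it fails here."""
    if method.upper() in SAFE_METHODS:
        return True
    claim = payload.get("csrf")
    submitted = headers.get(CSRF_HEADER) or headers.get(CSRF_HEADER.lower())
    if not claim or not submitted:
        return False
    return hmac.compare_digest(claim, submitted)
```

`check_csrf` runs only after the token's signature has been verified; comparing against an unverified payload would let an attacker supply both halves. The constant-time comparison is cheap insurance against timing differences on the header value.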
Issue
This module has dependencies on sanic, jwt, etc. But when I install this package from requirements.txt (which has sanic in it) in a clean virtual environment with no packages, it raises ModuleNotFoundError (for sanic, and jwt too).
Proposed Solution
I think it's because of the __version__ import in setup.py. When importing __version__, it also imports JWT Manager (which imports sanic and jwt). I came up with two solutions.
Read __version__ with f.read() like Sanic does. I also uploaded a picture of that part in Sanic below.
Fixed in: ba34671
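The failure above is a general packaging pitfall: `setup.py` runs before any dependency is installed, so importing the package to learn its version drags in every runtime import. The following is an added example, not the project's setup.py, of the "read the file" approach the report points at: the version string is pulled out of the module source with a regular expression, without executing it. The package path in the comment is an assumption.

```python
# Added example (not the project's setup.py): read __version__ without importing the package.
import re
from pathlib import Path

# Matches a module-level assignment such as  __version__ = "1.2.3"  or  __version__ = '1.2.3'
_VERSION_RE = re.compile(r'^__version__\s*=\s*["\']([^"\']+)["\']', re.MULTILINE)


def parse_version(source_text: str) -> str:
    """Extract the version string from module source text without executing it,
    so nothing the module imports (sanic, jwt, ...) needs to be installed yet."""
    match = _VERSION_RE.search(source_text)
    if match is None:
        raise RuntimeError("no __version__ assignment found")
    return match.group(1)


def read_version(init_file: str) -> str:
    return parse_version(Path(init_file).read_text(encoding="utf-8"))


# In setup.py (package path assumed):
#   setup(name="sanic-jwt-extended",
#         version=read_version("sanic_jwt_extended/__init__.py"),
#         install_requires=["sanic", "pyjwt"], ...)
```

Failing loudly when the assignment is missing is deliberate: a silent fallback would let a mis-versioned wheel be published.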
What's up, I create the token without any problem at login, but when I try to enter "protected" (following the example in the documentation) I get this error:
"Missing header \"Authorization\""
You seem to be Korean, so I'm writing in Korean..
I was used to flask-jwt-extended and was looking for something similar for Sanic when I found this. Thank you~
The current prefix option is JWT_HEADER_TYPE, and this is not so clear, so we have to rename it to JWT_HEADER_PREFIX.
But we have to keep the legacy JWT_HEADER_TYPE option for legacy support, and make the JWT_HEADER_TYPE option setter raise a deprecation warning when it is used.
I wanted to add pagination with Relay to my query.
The query fetches posts from a user.
The following is the use of graphene.Union to include Authentication, as given in the documentation:
import graphene
from graphene_sqlalchemy import SQLAlchemyObjectType, SQLAlchemyConnectionField

class PostObject(SQLAlchemyObjectType):
    class Meta:
        model = Post
        interfaces = (graphene.relay.Node, )

class ProtectedPost(graphene.Union):
    class Meta:
        types = (PostObject, AuthInfoField)
And the query is as follows:
class Query(graphene.ObjectType):
    node = graphene.relay.Node.Field()
    my_posts = graphene.List(ProtectedPost)
However, to add pagination support, I have to add a Relay connection. So instead of using graphene.List, I have to use SQLAlchemyConnectionField:
my_posts = SQLAlchemyConnectionField(ProtectedPost)
But this gives the following error on starting the application:
SQLALchemyConnectionField only accepts SQLAlchemyObjectType types, not ProtectedPost
What to do if we want to include Relay?
When we try to decode a JWT that has iss or aud, the PyJWT decode function will throw an error because we don't supply the audience or issuer parameter.
We have to make PyJWT not validate audience and issuer. Validating audience or issuer is the user's job.
Reported by @neruyzo
Fixed in: 8813681
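If the library stops validating `iss` and `aud` (PyJWT's `options={"verify_aud": False, "verify_iss": False}` on decode), the application must do it, and doing it wrong is worse than the original error: a token minted for another service of the same issuer would then be accepted. The following is an added example, not the library's or PyJWT's code, of the check an application runs on the decoded payload. It handles `aud` as either a single string or an array of strings, as RFC 7519 allows, and refuses a token with no `aud` at all when one is expected. The issuer and audience values are constructed for the demo.

```python
# Added example (not the library's code): application-side iss/aud validation.
from typing import Optional, Tuple


def validate_issuer_and_audience(payload: dict,
                                 expected_issuer: Optional[str],
                                 expected_audience: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for an already signature-verified payload.

    aud may be a string or a list of strings (RFC 7519 section 4.1.3). A token with
    no aud is rejected when we expect one: otherwise any token from the issuer would
    be accepted by every service that shares the issuer's key."""
    if expected_issuer is not None:
        if payload.get("iss") != expected_issuer:
            return False, "issuer mismatch"
    if expected_audience is not None:
        aud = payload.get("aud")
        if isinstance(aud, str):
            audiences = [aud]
        elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
            audiences = aud
        else:
            return False, "missing or malformed aud"
        if expected_audience not in audiences:
            return False, "audience mismatch"
    return True, "ok"


def accept_token(payload: dict, expected_issuer: str, expected_audience: str) -> bool:
    """Gate used by a request handler: only the boolean, the reason goes to the log."""
    ok, _reason = validate_issuer_and_audience(payload, expected_issuer, expected_audience)
    return ok
```

Passing `None` for either expectation skips that claim on purpose; a deployment that sets neither has simply moved the missing check out of the library and into nowhere, so the call site should always supply both.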
I get an error when I add my own blacklist class:
RuntimeWarning: coroutine 'TokenBlacklist.is_blacklisted' was never awaited
Can anyone help?
Thanks.
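That warning means an `async def is_blacklisted` was called but never awaited, which matters for more than noise: an un-awaited coroutine object is always truthy, so `if not blacklist.is_blacklisted(jti)` evaluates the same way for revoked and valid tokens. The following is an added example, not the library's code, with an in-memory blacklist standing in for a Redis-backed one, the correct awaited check, and the buggy un-awaited check side by side. The `jti` values are constructed.

```python
# Added example (not the library's code): awaited vs un-awaited async blacklist check.
import asyncio


class TokenBlacklist:
    """In-memory stand-in for a Redis-backed blacklist with the same async interface."""
    def __init__(self):
        self._revoked = set()

    async def revoke(self, jti: str) -> None:
        self._revoked.add(jti)

    async def is_blacklisted(self, jti: str) -> bool:
        return jti in self._revoked


async def is_token_allowed(blacklist: TokenBlacklist, jti: str) -> bool:
    # Correct: await the coroutine and branch on its boolean result.
    return not await blacklist.is_blacklisted(jti)


def is_token_allowed_buggy(blacklist: TokenBlacklist, jti: str) -> bool:
    # Buggy: without await this tests the coroutine object itself, which is always
    # truthy, so every token looks blacklisted (or every token looks fine, if the
    # condition is inverted). Python then warns the coroutine was never awaited.
    coro = blacklist.is_blacklisted(jti)
    result = not coro
    coro.close()  # only here, to keep the demo itself free of the warning
    return result


async def _demo():
    bl = TokenBlacklist()
    await bl.revoke("revoked-jti")
    return (await is_token_allowed(bl, "revoked-jti"),   # False: revoked
            await is_token_allowed(bl, "fresh-jti"),     # True: not revoked
            is_token_allowed_buggy(bl, "fresh-jti"))     # False: bug rejects a valid token


def run_demo():
    """Synchronous entry point returning (revoked_allowed, fresh_allowed, buggy_fresh_allowed)."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())  # (False, True, False)
```

When a blacklist backend is async, every caller in the decorator chain up to the request handler has to be `async` and `await` it; the RuntimeWarning is the only hint Python gives that a security check silently became a constant.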
app.config["JWT_REFRESH_HEADER_NAME"], defaults to None
It needs to specify the refresh token header, like X-Refresh-Token.
If this option is not set, the jwt_refresh_token_required decorator uses JWT_HEADER_NAME, the same as jwt_required.
Hello guys.
I'm using the blacklist_enable config property as true and the blacklist class is RedisBlacklist, running along with Sanic with the default config:
manager.config.use_blacklist = True
manager.config.blacklist_class = RedisBlacklist
manager.config.blacklist_init_kwargs = {
    "connection_info": {
        "address": "redis://:@127.0.0.1:6379",
        "minsize": 5,
        "maxsize": 10
    }
}
However, when I use the token.revoke() method in any endpoint it crashes and throws: tuple or str expected. Is anyone having the same issue or knows how to solve this?
Problem
sanic_jwt_extended.jwt_required only works for function views.
It does not work for class-based views like HTTPMethodView.
Expected Behavior
It should work for HTTPMethodView. It contains the request object in the second argument.
Proposed Solution
I created a _get_request function, which checks the type of the args and gets the request object.
I submitted a pull request for it, but if you don't like it, feel free to change it.
While using decorators in a class-based view we get an error.
TypeError: post() got an unexpected keyword argument 'token'
from sanic import Sanic
from sanic.response import json
from sanic.views import HTTPMethodView
from sanic_jwt_extended import jwt_required

app = Sanic(__name__)

class RestView(HTTPMethodView):
    decorators = [jwt_required()]

    async def post(self, request):
        self.__request_data = request.json
        print("POST API")
        return json({})

app.add_route(RestView.as_view(), '/test')
And another thing: while initializing the role for a user, it takes only one role.
access_token = JWT.create_access_token(identity=username, role='staff')
Actually it should take a list of roles.
access_token = JWT.create_access_token(identity=username, role=['staff', 'admin'])
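The two class-based-view reports above have the same root: a decorator written for `handler(request, ...)` sees `self` in the first slot of an HTTPMethodView method, and one that blindly injects `token=` breaks handlers that never declared it. The following is an added example, not sanic-jwt-extended's decorator, of a `jwt_required`-style decorator that locates the request by duck typing wherever it sits, injects `token` only when the handler's signature asks for it, and treats roles as a list so an `allow=` check can match any of them. The `Request` class, the `Bearer identity:role1,role2` header format and the view classes are constructed stand-ins so the block runs without Sanic; a real decorator verifies the token signature where `_decode` just parses.

```python
# Added example (not the library's code): request lookup + optional token injection + role list.
import asyncio
import functools
import inspect


class Request:
    """Constructed stand-in for sanic.request.Request."""
    def __init__(self, headers: dict, json=None):
        self.headers = headers
        self.json = json


class Unauthorized(Exception):
    pass


def _get_request(args):
    """Return the first positional argument that looks like a request, so the
    decorator works for both (request, ...) and (self, request, ...) call shapes."""
    for arg in args:
        if hasattr(arg, "headers"):
            return arg
    raise TypeError("no request object among positional arguments")


def _decode(header_value):
    """Demo-only parser for 'Bearer <identity>:<role1,role2>'; a real implementation
    verifies the JWT signature and expiry here."""
    if not header_value or not header_value.startswith("Bearer "):
        raise Unauthorized('Missing header "Authorization"')
    identity, _, roles = header_value[len("Bearer "):].partition(":")
    return {"identity": identity, "roles": [r for r in roles.split(",") if r]}


def jwt_required(allow=None):
    allowed = set(allow or [])

    def decorator(fn):
        # Decide once, at decoration time, whether the handler wants the token passed in.
        wants_token = "token" in inspect.signature(fn).parameters

        @functools.wraps(fn)
        async def wrapper(*args, **kwargs):
            request = _get_request(args)
            token = _decode(request.headers.get("Authorization"))
            if allowed and not allowed.intersection(token["roles"]):
                raise Unauthorized("role not allowed")
            if wants_token:
                kwargs["token"] = token
            return await fn(*args, **kwargs)
        return wrapper
    return decorator


class RestView:
    """Constructed stand-in for sanic.views.HTTPMethodView (decorators applied per method)."""
    @jwt_required(allow=["admin"])
    async def post(self, request):          # no `token` parameter: nothing is injected
        return {"ok": True}

    @jwt_required()
    async def get(self, request, token):    # declares `token`: it is injected
        return {"identity": token["identity"], "roles": token["roles"]}


@jwt_required()
async def function_view(request, token):
    return token["identity"]


def call(handler, *args):
    """Run a view synchronously; returns its result, or '401 <reason>' when rejected."""
    try:
        return asyncio.run(handler(*args))
    except Unauthorized as exc:
        return f"401 {exc}"
```

Checking `allowed.intersection(token["roles"])` is what makes `role=['staff', 'admin']` meaningful: a user holding any one of the allowed roles passes, and a handler with no `allow=` only requires a valid token.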