Add access control feature

I create refresh token with private_claims,like this {"username":"test"},After refreshing token,I found the private_claims's keys has a dot prefix，like this {".username":"test"}
The bug code as fllows:

for k, v in private_claims.items():
    payload[f"{private_claim_prefix}.{k}"] = v

Maybe this is correct:

for k, v in private_claims.items():
    payload[private_claim_prefix + k] = v

internally used _get_raw_jwt_from_request has parameter is_access and refresh_jwt_required should make it False.

Fix Plan

• use acl_claim config instead of hard coded key

Problem

This library supports csrf protection when using cookies. There's csrf-read part in tokens.py and decorators.py. But, when I looked into source code, I couldn't find csrf-write part, and its' impossible to write csrf in create_access_token and create_refresh_token functions.

Proposed Solution

It would be solved if we can add csrf claims when encoding jwt.

1.0 version with few major changes.

New Build System

• adding poetry for dependencies management and packaging
• adding github action for PR, push, deploy

New Docs

• deprecate sphinx
• find new docs tool

Refactoring

• Refactor config
  • currently depends on sanic app's config directly
  • To Be: depends on proxy object of sanic config that proxied when "before server start"
• Add support for 3.5
• change the way of pass creds to handlers

New Feature

• Cookie support
  • Reading cookie
  • Writing cookie
• CSRF support
• blacklist support with redis
• Callbacks for error handler

Even though jwt_optional should ignore errors if error is not token validity related. but jwt_optional dosent ignore InvalidHeaderError

• blacklist storage backend interface feature(including redis support)
• separated blacklist for access/refresh
• options related with this
• blacklist check option for decorators

https://gist.github.com/NovemberOscar/e75822ac896c548b0de9eb2f9febf6a4

from the doc about Storing Private Claims

propagated Token object contains private claims in Token.private_claims. prefix is not exist on this time.

It seems also prefix still exists

bug code:

if private_claims:
   
    for k, v in private_claims:
        
        payload[f"{private_claim_prefix}.{k}"] = v

should:

if private_claims:
   
    for k, v in private_claims.items():
        
        payload[f"{private_claim_prefix}.{k}"] = v

I want to use the latest code, but the one in pypi was updated on Nov 13, 2018. Could you update it, thank you very much.

flask-jwt-extended supports using cookie as jwt token storage, has utility function like set_access_cookie, set_refresh_cookie, and config options like JWT_COOKIE_CSRF_PROTECT.

I'm developing website using Nuxt (Vue SSR Framework), and I want to use cookie for authentication in server-side rather than localStorage. But I don't think this project supports it now. Do you have any plan for this?

Issue
This module has dependency on sanic, jwt, etc. But, when i installing this package with requirements.txt (which has sanic in it) in clean virtual environment with no packages, it raises ModuleNotFoundError (sanic, and jwt either).

Proposed Solution
I think it's because __version__ import part in setup.py. When importing __version__, it also tries JWT Manager (which imports sanic and jwt). I came up with two solutions.

1. writes versions directly in requirements.txt
2. read __version__ with f.read() like sanic I also uploaded picture of that part that part in Sanic below.

Fixed in: ba34671

What's up, I create the token without any problem in the login, but when I try to enter "protected" (following the example of the documentation) I get this error:
"Missing header \"Authorization\""

한국분이신거 같아서, 한글로 작성합니다..
flask-jwt-extended에 익숙해져있어서 sanic에도 비슷한게 없나 찾던 와중에
발견하였습니다. 감사합니다~

current prefix option is JWT_HEADER_TYPE. and this is not so clear, so have to rename it to JWT_HEADER_PREFIX.

but we have to keep legacy JWT_HEADER_TYPE option for legacy support. and make JWT_HEADER_TYPE option setter to raise a deprecated warning when it used

• denylist?

I wanted to add Pagination with relay into my query.

The query fetches posts from user.
The following is the working of graphene.Union - to include Authentication as given in the documentation.

class PostObject(SQLAlchemyObjectType):
    class Meta:
        model = Post
        interfaces = (graphene.relay.Node, )


class ProtectedPost(graphene.Union):
    class Meta:
        types = (PostObject, AuthInfoField)

And the query is as follows:

 class Query(graphene.ObjectType):
    node = graphene.relay.Node.Field()
    my_posts = graphene.List(ProtectedPost)

However to add Pagination support, I have to add relay connection. So instead of using graphene.List , I have to use SQLAlchemyConnectionField.
my_posts = SQLAlchemyConnectionField(ProtectedPost).

But this gives the following error on starting the application :
SQLALchemyConnectionField only accepts SQLAlchemyObjectType types, not ProtectedPost

What to do if we want to include Relay ?

When we tries to decode JWT that have iss or aud, PyJWT decode function will throw error because we don't supply audience or issuer parametrer.

we have to make PyJWT to don't validate audience and issuer. validating audience or issuer is user's job.

Reported by @neruyzo

Fixed in: 8813681

I got some error when i add my own blacklist class
RuntimeWarning: coroutine 'TokenBlacklist.is_blacklisted' was never awaited

Anyone can help?

thanks.

app.config["JWT_REFRESH_HEADER_NAME"], defaults to None

it needs to specify refresh token header like X-Refresh-Token

if this option is not set, jwt_refresh_token_required decorator use JWT_HEADER_NAME as same as jwt_required

Hello guys.

i'm using the blacklist_enable config property as true and blacklist class is RedisBlacklist, running along sanic with default config:

    manager.config.use_blacklist = True
     manager.config.blacklist_class = RedisBlacklist
     manager.config.blacklist_init_kwargs = {
        "connection_info": {
            "address": "redis://:@127.0.0.1:6379",
            "minsize" : 5,
            "maxsize" : 10
        }
    }

However when i'm using token.revoke() method in any endpoint it crashes and throws : tuple or str expected. Is anyone having the same issue or knows how to solve this?

Problem

sanic_jwt_extend.jwt_required only works for function view.
It does not work for class based view like HTTPMethodView.

Expected Behavior

it should work for HTTPMethodView. It contains request object in the second args

Proposed Solution

I created _get_request function, which checks the type of args and get request object.

I pull requested it, but if you don't like it, feel free to change it.

While using decorators in class-based we get an error.

TypeError: post() got an unexpected keyword argument 'token'

class RestView(HTTPMethodView):
    decorators = [jwt_required()]

    async def post(self, request):
        self.__request_data = request.json
        print("POST API")
        return {}

app.add_route(Test.as_view(), '/test')

And another thing is while initializing role for a user it takes only one role.

access_token = JWT.create_access_token(identity=username, role='staff')

Actually it should take a list of roles.

access_token = JWT.create_access_token(identity=username, role=['staff', 'admin'])