Enable "jwt_required" to all routes

[OneTesseractInMultiverse]

I'm currently building an application and I was wondering if the is a way of enabling "jwt_required" to all routes by default, and have a way to make exceptions on specific routes I want to allow access without a JWT Token.

[vimalloc]

I haven't done anything like that before. Maybe you could use something like flasks before_request to accomplish this, although I'm not sure how it would work with exceptions to specific routes. You could do it at the blueprint level instead, something like @my_blueprint.before_request, and simply not decorate the blueprints you want excluded. Not as succinct as before_request, but less verbose then adding @jwt_required to every endpoint.

Another option would be to update the library so you could call verify_jwt_required (or something along those lines) as a standalone method instead of @jwt_required as a decorator. Then you could probably do something like:

@app.before_request
def before_request():
    if route not it excluded_routes:
        # Would need to add this function, it would basically do everything that the
        # jwt_required decorator does besides passing in a function and calling that
        # function if the jwt was valid. Then the actual jwt_required decorator could
        # use this same code behind the scenes to keep everything dry.
        verifiy_jwt_required() 

I don't think I'll have time to implementing this for at least a couple weeks, but if you wanted to take a stab at it I would be happy to point you in the right direction and help get it merged into this extension. Otherwise I would be happy to get this added when time allows.

Hope this helps! 👍

[OneTesseractInMultiverse]

Hi, Thank for the very comprehensive explanation! I'm going to try the first approach to see how it goes, but I can definitely help implementing the second approach in the library for a more permanent solution :)

[vimalloc]

Proper way added in v3.9.1. Cheers 👍

[vvksahoo]

Hi vimalloc
i have some similar kind of question. i want use @jwt_required decorator in below mentioned function which will execute before each request. i dont want put @jwt_required on my every protected route methods . If i will use @jwt_required in def before_callback() then problem will be with login route where i am generating token , i dont want to check for login route at this point .
How do i achieve this kind of scenarios in flask?
@app.before_request
@jwt_required
def before_callback():

[vimalloc]

Don’t use the jwt_required decorator. Use the verify_jwt_in_request function (https://flask-jwt-extended.readthedocs.io/en/stable/api.html#flask_jwt_extended.verify_jwt_in_request) in your app.before_request function. You will then need to check if the request is one that should not have the jwt check applied, for example using https://flask.palletsprojects.com/en/1.1.x/api/#flask.Request.url_rule

[vvksahoo]

Hi vimalloc,
Thanks a lot for your response . Now i can achieve the above scenarios but i have few doubts below i am mentioning those .

1: i am returning access_token(create_access_token()) and refresh_token(create_refresh_token()) from /login route . so the qns is what will be the expiry time of both these token if i am not explicitly passing expiry_delta or 'JWT_ACCESS_TOKEN_EXPIRES' .

2:
app.config['JWT_TOKEN_LOCATION'] = 'headers'
app.config['JWT_HEADER_NAME'] = 'my-access-token'
app.config['JWT_HEADER_TYPE'] = 'Bearer'
jwt = JWTManager(app)

i am using postman and passing token through header by giving key as 'my-access-token' and value as 'token from login route' but still i am getting error "Bad my-access-token header. Expected value 'Bearer ' " while debugging got to know flask_jwt_extended\view_decorators.py(193) in this location there is a list called field_values which is expecting 'Bearer' in '0th' index. here i am confused how to pass token through headers.?

[vvksahoo]

if i will pass app.config['JWT_HEADER_TYPE'] = '' then 2nd qns is solved .

[vimalloc]

The default configuration values can be seen here: https://flask-jwt-extended.readthedocs.io/en/stable/options/. In this case, the access token defaults to 15 minutes and the refresh token defaults to 30 days.

[vvksahoo]

Great. Now i am looking for implement logout functionality , i need to token as expired . So how do i do that ? Can you give any suggestion? i was going through your docs https://flask-jwt-extended.readthedocs.io/en/stable/blacklist_and_token_revoking/ but didnt understood logout2() functionality , is it kind of deleting refresh token ? There are two routes /logout and /logout2. When exactly user will hit logout2? so much confused here . It would be great help if clear these doubts .

[shlomiLan]

Update: I changed:

email, password = flask.request.args.get('email'), flask.request.args.get('password')

TO

req_data = json.loads(flask.request.data)
email, password = req_data.get('email'), req_data.get('password')

---

I end-up implementing it in the following way:

Force all view to have jwt token, except public view and static content.

@app.before_request
def check_login():
    if (flask.request.endpoint and 'static' not in flask.request.endpoint
            and not getattr(app.view_functions[flask.request.endpoint], 'is_public', False)):
        try:
            verify_jwt_in_request()
        except NoAuthorizationError as e:
            app.logger.exception(e)
            abort(401)

Public view decorator:

def public_endpoint(function):
    function.is_public = True
    return function

Login view:

@app.route('/login/', methods=['POST'])
@public_endpoint
def login():
    if not flask.request.is_json:
        return flask.jsonify({"msg": "Missing JSON in request"}), 400

    email, password = flask.request.args.get('email'), flask.request.args.get('password')
    try:
        user = Users.objects.get(email=email)
        if user and user.valid_password(password):
            access_token = create_access_token(identity=str(user.id))
            return flask.jsonify(access_token=access_token), 200

    except DoesNotExist:
        app.logger.error('User not found')

    return 'Bad login'