Flask-JWT-Extended: @jwt_refresh_token_required annotation does not work
I have a login resource (/login endpoint), following Oleg Agapov's tutorial:
from flask_restful import Resource
from flask_jwt_extended import create_refresh_token

# `parser` (a reqparse.RequestParser) and `User` are defined elsewhere in the project

class UserLogin(Resource):
    def post(self):
        data = parser.parse_args()
        current_user = User.find_by_email(data['email'])
        if not current_user:
            return {'message': 'User {} doesn\'t exist'.format(data['email'])}
        if User.verify_hash(data['password'], current_user.password):
            refresh_token = create_refresh_token(identity = data['email'])
            return {
                'message': 'Logged in as {}'.format(current_user.email),
                'refresh_token': refresh_token
            }
        else:
            return {'message': 'Wrong credentials'}
Calling this endpoint with correct credentials I do get the response back:
{
    "message": "Logged in as test@gmail.com",
    "refresh_token": "eyJ0eXAiOiJKV1.............TheVeryLongRefreshTokenString...........JfkRatZ2NaA72Tl4b9C4-e3d6kXA"
}
Now, I have a test resource on the /secret endpoint:
class SecretResource(Resource):
    @jwt_refresh_token_required
    def get(self):
        return {
            'answer': 42
        }
Calling this endpoint with the refresh_token included as a Bearer header in the request should return:
{
    "answer": 42
}
Without the @jwt_refresh_token_required annotation (without sending any tokens) this is exactly what I get. But I need the annotation to secure my endpoint with some token requirement.
Only it doesn't work. Using the Authentication: Bearer *Refresh_Token* header I only get:
{
    "message": "Internal Server Error"
}
I know access_token should be used for this, but I did not want it because of its 15-minute expiration time. I don't see why it would be a problem, since we are doing the same thing to refresh the access_token itself with an endpoint requiring a refresh_token. I can be wrong of course.
This is the snippet from the poject_folder root folder's __init__.py where the revocation is checked:
@jwt.token_in_blacklist_loader
def check_if_token_in_blacklist(decrypted_token):
    jti = decrypted_token['jti']
    return poject_folder.Model.RevokedTokenModel.is_jti_blacklisted(jti)
What am I missing here?
As @vimalloc has suggested, I needed to add
app.config['PROPAGATE_EXCEPTIONS'] = True
while configuring the application object, to see the actual error that was causing the code to break and return a code 500.
The answer is embarrassingly simple: the token-checking callback function in the __init__.py file was referencing itself, so I had to remove the project_folder prefix.
From this:
@jwt.token_in_blacklist_loader
def check_if_token_in_blacklist(decrypted_token):
    jti = decrypted_token['jti']
    return poject_folder.Model.RevokedTokenModel.is_jti_blacklisted(jti)
To this:
@jwt.token_in_blacklist_loader
def check_if_token_in_blacklist(decrypted_token):
    jti = decrypted_token['jti']
    return Model.RevokedTokenModel.is_jti_blacklisted(jti)
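An added example (not the asker's code and not Flask-JWT-Extended's source) that reimplements in plain standard-library Python what the library does behind @jwt_refresh_token_required and the token_in_blacklist_loader callback discussed above: mint HS256 tokens that carry a `type` claim ("access" or "refresh") and a `jti`, verify the signature and expiry, consult a revocation set keyed on `jti`, and only then reject a token of the wrong type. The names require_token, secret_with_refresh, REVOKED_JTIS and revoke_jti are this example's own, and the secret key and all token values are constructed here.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo key; a real application loads its JWT secret from configuration.
SECRET = b"constructed-demo-secret-do-not-use"

# Stand-in for RevokedTokenModel: the jti values of tokens that have been revoked.
REVOKED_JTIS = set()


class TokenError(Exception):
    """Raised when a token fails verification."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(identity, token_type, ttl_seconds, now=None):
    """Mint an HS256 JWT whose `type` claim marks it as an access or refresh token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": identity,
        "type": token_type,          # "access" or "refresh"
        "jti": str(uuid.uuid4()),    # unique id; the value a blacklist is keyed on
        "iat": now,
        "exp": now + ttl_seconds,
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def is_jti_blacklisted(jti):
    """The boolean check a token_in_blacklist_loader callback is expected to return."""
    return jti in REVOKED_JTIS


def revoke_jti(jti):
    REVOKED_JTIS.add(jti)


def decode_token(token, now=None):
    """Verify signature, algorithm, expiry and revocation; return the claims dict."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("Not enough segments")
    header_b64, claims_b64, sig_b64 = parts
    try:
        # The key is always HS256-HMAC'd; the header's alg is never trusted to pick it.
        expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise TokenError("Signature verification failed")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # bad base64 / bad JSON / bad UTF-8
        raise TokenError("Malformed token")
    if header.get("alg") != "HS256":
        raise TokenError("Unexpected algorithm")
    if now >= claims.get("exp", 0):
        raise TokenError("Token has expired")
    if is_jti_blacklisted(claims.get("jti")):
        raise TokenError("Token has been revoked")
    return claims


def require_token(expected_type, handler):
    """Gate `handler` on a bearer token of one type, like the library's decorators."""
    def wrapper(headers, now=None):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {"msg": "Missing Authorization Header"}
        try:
            claims = decode_token(auth[len("Bearer "):], now=now)
        except TokenError as exc:
            return 401, {"msg": str(exc)}
        if claims.get("type") != expected_type:
            return 422, {"msg": f"Only {expected_type} tokens are allowed"}
        return 200, handler(claims)
    return wrapper


def secret_handler(claims):
    return {"answer": 42}


# /secret guarded by a refresh token (the question's setup) and by an access token.
secret_with_refresh = require_token("refresh", secret_handler)
secret_with_access = require_token("access", secret_handler)
```

The example reads the Authorization header, which is the header Flask-JWT-Extended looks at by default. Two things it makes visible: the `type` claim is what lets one decorator accept refresh tokens and another accept only access tokens, so a long-lived refresh token presented to an access-only endpoint is refused even though its signature is valid; and the revocation callback must return a boolean for a `jti`, so a callback that raises (as the self-referencing one in the answer did) fails every request with a generic 500 until PROPAGATE_EXCEPTIONS exposes the underlying exception.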