
flask-jwt-extended: decorator @jwt.token_in_blacklist_loader always revoked token

In my app.py I initialized flask-jwt-extended as follows:

from flask import Flask
from flask_jwt_extended import JWTManager

app = Flask(__name__)

# Setup the Flask-JWT-Extended extension
app.config['RESTPLUS_MASK_SWAGGER'] = False  # remove default X-Fields field in swagger
app.config['JWT_SECRET_KEY'] = 'super-secret'  # Change this!
app.config['JWT_BLACKLIST_ENABLED'] = True
app.config['JWT_BLACKLIST_TOKEN_CHECKS'] = ['access', 'refresh']
jwt = JWTManager(app)

Then I create the tokens in login with this snippet:

import datetime
from flask_jwt_extended import create_access_token, create_refresh_token

expires = datetime.timedelta(minutes=10)
access_token = create_access_token(identity=payload['email'], fresh=True, expires_delta=expires)
refresh_token = create_refresh_token(identity=payload['email'])

Strangely, if I add the decorator @jwt.token_in_blacklist_loader to a certain endpoint I always receive the "Token has been revoked" error message.

@jwt.token_in_blacklist_loader
@api.route('/')
class UserList(Resource):
    @jwt_required
    @api.doc('list_users')
    @api.marshal_list_with(user)
    def get(self):
        '''Get all users'''
        users = UserApi.query.all()
        return users

As far as I know this decorator is there to check whether or not the token is blacklisted, and I have just created a new token from login. What is the best practice to create a new token and check whether the token is blacklisted or not?

From the documentation of flask-jwt-extended:

This decorator sets the callback function that will be called when a protected endpoint is accessed and will check if the JWT has been revoked. By default, this callback is not used.

HINT: The callback must be a function that takes one argument, which is the decoded JWT (python dictionary), and returns True if the token has been blacklisted (or is otherwise considered revoked), or False otherwise.

The token_in_blacklist_loader decorator is used to set the callback function that runs when a protected endpoint is accessed. You should use this decorator on the function that checks whether your token is blacklisted or not. A simple example using memory for saving blacklisted tokens:

blacklist = set()  # holds the jti (unique token id claim) of every revoked token

@jwt.token_in_blacklist_loader
def check_if_token_in_blacklist(decrypted_token):
    jti = decrypted_token['jti']
    return jti in blacklist  # True means "revoked", so a freshly issued token passes

For further information check the sample here: https://flask-jwt-extended.readthedocs.io/en/stable/blacklist_and_token_revoking/
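The callback contract described in the answer above, worked through as an added example that is not part of the original post or of flask-jwt-extended itself: the function receives the decoded JWT dictionary and returns True only for tokens whose jti has been recorded as revoked, so a token that has just been issued at login is accepted. The token dictionaries here are constructed to mimic the claims flask-jwt-extended puts in a decoded token (jti, exp, type); the store keeps each revoked jti together with the token's exp so entries can be pruned once the token could no longer be presented anyway. In the real application the check function is the one decorated with @jwt.token_in_blacklist_loader, and never the Resource class (note that in flask-jwt-extended 4.x the decorator is named token_in_blocklist_loader and the callback receives the header and payload as two arguments).

```python
import time

# Constructed in-memory revocation store: jti -> exp (unix seconds) of the revoked token.
# Keeping exp lets us drop entries once the token has expired on its own.
revoked_tokens = {}


def revoke(decoded_token):
    """Record a decoded JWT as revoked, e.g. from a logout endpoint."""
    revoked_tokens[decoded_token["jti"]] = decoded_token["exp"]


def prune_expired(now=None):
    """Remove entries whose token has expired; an expired token is rejected
    by the signature/exp check before the blacklist callback is consulted."""
    now = time.time() if now is None else now
    for jti, exp in list(revoked_tokens.items()):
        if exp <= now:
            del revoked_tokens[jti]


def check_if_token_revoked(decoded_token):
    """Callback contract: takes the decoded JWT dict, returns True only if revoked.
    This is the function that gets @jwt.token_in_blacklist_loader in the app."""
    return decoded_token["jti"] in revoked_tokens


def demo(now=1_700_000_000):
    """Walk a token through issue -> use -> logout -> pruning and report each check."""
    revoked_tokens.clear()
    # Constructed decoded tokens, shaped like flask-jwt-extended's (hypothetical values).
    access = {"jti": "a1", "identity": "alice@example.com", "type": "access", "exp": now + 600}
    refresh = {"jti": "r1", "identity": "alice@example.com", "type": "refresh", "exp": now + 30 * 86400}

    results = {}
    results["fresh_access"] = check_if_token_revoked(access)        # newly issued: not revoked
    revoke(access)                                                   # user logs out
    results["after_logout"] = check_if_token_revoked(access)        # same token now rejected
    results["refresh_unaffected"] = check_if_token_revoked(refresh)  # other token untouched
    prune_expired(now + 601)                                         # access token's exp has passed
    results["pruned"] = "a1" in revoked_tokens                       # entry no longer needed
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The store answers the question's confusion directly: absence from the blacklist means "not revoked", which is why the callback returns False for the token created at login, and True only after that token's jti was explicitly added. Because jti is per-token, revoking an access token does not affect the refresh token issued alongside it; if the refresh token should also be invalidated on logout, revoke both.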

Did you remember to add the newly generated access_token (from the refresh_token) to the Blacklist database? All tokens absent from the Blacklist db are assumed to be revoked...
