
Use JWT (JSON Web Tokens) for token authentication

Open mattupstate opened this issue 11 years ago • 31 comments

I started work on another extension that adds basic JWT features to a Flask application over at https://github.com/mattupstate/flask-jwt. This is a much better implementation for token authentication than what is baked into flask-security at the moment.

mattupstate avatar Jan 24 '14 15:01 mattupstate

So port it over and replace current tokens implementation?

svenstaro avatar Apr 13 '14 12:04 svenstaro

@svenstaro +1

klinkin avatar Apr 13 '14 12:04 klinkin

+1

Diaoul avatar May 27 '14 22:05 Diaoul

+1 linked to #250

arnuschky avatar May 31 '14 09:05 arnuschky

+1

jquacinella avatar May 31 '14 17:05 jquacinella

+1

ryanolson avatar Jun 27 '14 01:06 ryanolson

+1

kevgliss avatar Jul 01 '14 05:07 kevgliss

@mattupstate What's the status on this? Need help?

joostdevries avatar Oct 29 '14 10:10 joostdevries

+1

mr337 avatar Jan 12 '15 00:01 mr337

+1

pdonorio avatar May 21 '15 20:05 pdonorio

+1

pafmaf avatar Aug 22 '15 19:08 pafmaf

+1

zet4 avatar Sep 02 '15 15:09 zet4

+1

mikekhristo avatar Oct 10 '15 20:10 mikekhristo

+1

renejahn avatar Nov 09 '15 20:11 renejahn

@mattupstate I'm using Flask-Security and Flask-JWT in my project:

This is my use case:

  • I have a website in Angular that uses Flask-JWT for token-based authentication
  • I have another website (just for backend, management, admin stuff) that uses the same User model but uses Flask-Security

I have an interesting problem: Flask-JWT and Flask-Security are probably sharing some headers, session or cookies, so if I log in to one website using Flask-JWT and then log in to the other, I will be disconnected from the other website.

Do you have an idea how to fix this?

Best

sibelius avatar Jan 19 '16 20:01 sibelius

Any updates on this? I think Flask-JWT could just plug into Flask-Security. Or what's the plan?

Would love to help.

genxstylez avatar Jan 20 '16 08:01 genxstylez

Would like to help too, this issue is really important!

pdonorio avatar Jan 20 '16 09:01 pdonorio

+1 This would be awesome - would love to help.

tomazberisa avatar Feb 02 '16 16:02 tomazberisa

Really guys, stop +1ing, GitHub has reactions since forever!

zet4 avatar Apr 26 '16 19:04 zet4

+1

woshihaoren avatar May 12 '16 10:05 woshihaoren

+1 for free speech

dland512 avatar Feb 09 '17 22:02 dland512

I read flask-jwt swapped out pyjwt for itsdangerous. Is this bug obsolete?

mixmastamyk avatar Jun 08 '17 06:06 mixmastamyk

@mixmastamyk You can achieve more or less the same with pyjwt and itsdangerous.

The general question is how do you see the integration with Flask-JWT? What are you missing on Flask-Security side?

jirikuncar avatar Jun 13 '17 16:06 jirikuncar

Well, integrating with flask-restless turned out to be easy. But figuring out how to piece the parts together took days of reading docs and pulling together clues from Stack Overflow and GitHub. The results of which are in this tiny file: https://github.com/mixmastamyk/flask-skeleton/blob/master/main/auth.py

With that in place, there's the following not-fantastic code in the main.py file:

```python
from flask import redirect, request, url_for
from flask_restless import APIManager
from flask_security import current_user

from auth import rest_preprocessors

# app, db and SKIP_LOGIN are not shown in this excerpt of main.py
api = APIManager(app, flask_sqlalchemy_db=db, preprocessors=rest_preprocessors)  # protects api

@app.before_request
def before_request():
    ''' Every request should be logged-in, thanks. '''
    endpoint = request.endpoint
    if not current_user.is_authenticated and endpoint:  # sometimes None
        if ((endpoint not in SKIP_LOGIN) and
            (not endpoint.startswith('security.')) and
            (not endpoint.endswith('api'))):
            return redirect(url_for('security.login', next=request.path))
```

Perhaps there's a better way to route the different auth methods.

mixmastamyk avatar Jun 14 '17 21:06 mixmastamyk

@mixmastamyk I would just replace endpoint.startswith('security.') with request.blueprint == app.config['SECURITY_BLUEPRINT_NAME'] to be completely sure.

jirikuncar avatar Jun 19 '17 08:06 jirikuncar
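How the endpoint-name test in the posted before_request hook and the blueprint comparison suggested in the reply can disagree, as an added example that is not part of the thread or of Flask-Security. The route names, the SKIP_LOGIN contents and the TOKEN_ENDPOINTS set are constructed assumptions.

```python
# Added example: compares the endpoint string-matching exemption from the
# thread with a blueprint/allowlist check. All endpoint names are constructed.

SKIP_LOGIN = {"static", "healthcheck"}  # hypothetical public endpoints


def exempt_by_string(endpoint):
    """Exemption logic as posted: prefix/suffix tests on the endpoint name."""
    return (endpoint in SKIP_LOGIN
            or endpoint.startswith("security.")
            or endpoint.endswith("api"))


def exempt_by_blueprint(endpoint, blueprint, config, token_endpoints):
    """Exemption keyed on the registering blueprint and an explicit set."""
    return (endpoint in SKIP_LOGIN
            or blueprint == config["SECURITY_BLUEPRINT_NAME"]
            or endpoint in token_endpoints)


def compare(routes, config, token_endpoints):
    """Return endpoints where the two checks disagree, with both verdicts."""
    diffs = {}
    for endpoint, blueprint in routes:
        a = exempt_by_string(endpoint)
        b = exempt_by_blueprint(endpoint, blueprint, config, token_endpoints)
        if a != b:
            diffs[endpoint] = (a, b)
    return diffs


# Constructed routes: (endpoint, blueprint). "auth" is the security blueprint
# renamed through SECURITY_BLUEPRINT_NAME; "admin.export_api" is an ordinary
# session-protected view whose name merely ends in "api".
CONFIG = {"SECURITY_BLUEPRINT_NAME": "auth"}
TOKEN_ENDPOINTS = {"usersapi0.usersapi"}  # assumed token-protected API endpoint
ROUTES = [
    ("auth.login", "auth"),
    ("usersapi0.usersapi", "usersapi0"),
    ("admin.export_api", "admin"),
    ("dashboard", None),
]

if __name__ == "__main__":
    for ep, (s, b) in compare(ROUTES, CONFIG, TOKEN_ENDPOINTS).items():
        print(f"{ep}: string-match exempt={s}, blueprint exempt={b}")
```

With a renamed security blueprint the string test no longer exempts the login view, and the suffix test exempts a session-protected view that only happens to end in "api".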

Ok, thanks.

mixmastamyk avatar Jun 19 '17 17:06 mixmastamyk

Any update on using Flask JWT Extended with flask-security?

smn-snkl avatar Jan 15 '19 14:01 smn-snkl

@mixmastamyk The file you have linked is no longer visible. Have you by any chance worked on jwt integration into flask-security any more?

jminardi avatar Feb 25 '20 03:02 jminardi

@jminardi Actually I've stopped using JWT due to the potential security issues. I could probably dig up that file if you are still interested.

mixmastamyk avatar Feb 26 '20 22:02 mixmastamyk

I found it:

```python
from flask_security.utils import verify_password
from flask_jwt import JWT, jwt_required

from ... import app, user_datastore

# user_datastore = SQLAlchemyUserDatastore(db, models.Users, models.Roles)

def auth_handler(username, password):
    # Return the user only when the account exists and the password verifies
    user = user_datastore.find_user(email=username)
    if user and username == user.email and verify_password(password, user.password):
        return user

def load_user(payload):
    # Resolve the identity claim of a verified token to a user record
    user = user_datastore.find_user(id=payload['identity'])
    return user

@jwt_required()
def example_function(*args, **kwargs):
    pass

jwt = JWT(app, auth_handler, load_user)
```

mixmastamyk avatar Feb 26 '20 23:02 mixmastamyk