Skip to content

Conversation

@scornz
Copy link

@scornz scornz commented Jul 28, 2021

Added the ability to create tokens with types other than "access" and "refresh", among some other intuitive changes. This is done in such a way that will not introduce any breaking changes. This is useful in such scenarios such as password reset emails, where a JWT needs to be provided to authenticate the user, but an access token and refresh token don't fulfill that purpose.

Summary of changes

  • Added create_custom_token with an additional parameter token_type
  • Modified verify_jwt_in_request/jwt_required to allow for the additional specification of a token_type
  • Modified verify_token_type to check for custom token types, and modified the resulting error messages accordingly.
    • A few tests were modified in order to satisfy these changed error messages.
  • Added tests for custom types.
  • Swapped the default for non-refresh token expiry time when encoding tokens. This was done to match the way defaults are handled when decoding tokens. Custom tokens will default to access token expiry time if an expires_delta is not provided, instead of the refresh token expiry time as before.

@vimalloc
Copy link
Owner

vimalloc commented Aug 2, 2021

Sorry it's taking me so long to look at this, had a bunch of stuff going on. I'll try to get a proper look at this in the next few days.

Copy link
Owner

@vimalloc vimalloc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a few comments! The code itself seems totally reasonable, the only thing I'm kind of stuck on is how having both refresh and token_type as options might be confusing for the API? Still thinking about that though.

Comment on lines +38 to +40
def verify_jwt_in_request(
optional=False, fresh=False, refresh=False, locations=None, token_type="access"
):
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I like having refresh and token_type in here, that seems confusing to understand from a top level API point of view. I'm not entirely sue how that could be handled without a breaking change though. Hmm... 🤔 🤔 🤔

# Test refresh token access to jwt_required
response = test_client.get(url, headers=make_headers(refresh_token))
assert response.status_code == 422
assert response.get_json() == {"msg": "Token of type refresh is not allowed"}
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a big deal, but I wonder if the error message should say what token type is allowed instead of this specific token is now allowed? Might make for more discoverable errors?

Comment on lines +31 to +32
elif not refresh and decoded_token["type"] != token_type:
raise WrongTokenError(f"Token of type { decoded_token['type'] } is not allowed")
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this might be a breaking change. I believe some people are using JWTs from other sources that set the type to other fields, and we implictly treat those as access tokens right now.

I haven't fully thought this out, but I wonder if we instead set token_type to null in the view decorators and verify_jwt_in_request, and then we preserve the old logic here unless a token_type is actually specified?

@josepaiva94
Copy link

This would be a nice to have feature. Will it be merged?

@vimalloc
Copy link
Owner

This would be a nice to have feature. Will it be merged?

Not as is. The breaking change would need to be addressed, and I’m still not sure I like how the API looks for this change, but would be open to feedback on that front. If anyone wants to continue working on this I’m not necessarily opposed to it 👍

@jaycuse
Copy link

jaycuse commented Jun 11, 2022

I agree this would be nice to have. Found this PR while looking into making a "registration" type token to build out a registration flow using JWT. Based on @tgross35's comments in an other PR, I agree it probably won't be the most used feature and I think it's reasonable to make it slightly less accessible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants