Expiring JWT tokens in Flask
I've been using flask-jwt-extended for my application and one of the problems I had was logging a session out and making sure the token is not usable anymore.



I've based my solution on the Blacklist and Token Revoking documentation page with a custom RevokedToken model:



    from flask_sqlalchemy import SQLAlchemy

    db = SQLAlchemy()


    class RevokedToken(db.Model):
        """
        Model is used as a storage to keep invalid/revoked tokens.
        Currently used for log out functionality.
        """
        __tablename__ = 'revoked_tokens'

        id = db.Column(db.Integer, primary_key=True)
        jti = db.Column(db.String(120))

        @classmethod
        def is_jti_blacklisted(cls, jti):
            # True when any revoked row carries this token identifier
            query = cls.query.filter_by(jti=jti).first()
            return bool(query)


Logout resource:



    from flask_restful import Resource
    from flask_jwt_extended import jwt_required, get_raw_jwt

    from models import db, RevokedToken


    class LogoutResource(Resource):
        @jwt_required
        def post(self):
            # 'jti' is the unique identifier of the token that authenticated this request
            jti = get_raw_jwt()['jti']

            # invalidate access token
            revoked_token = RevokedToken(jti=jti)
            db.session.add(revoked_token)
            db.session.commit()

            return {}, 200


And the token_in_blacklist_loader() jwt function:



    from flask_jwt_extended import JWTManager

    import models

    # app is the Flask application instance; flask-jwt-extended only consults the
    # loader below when blacklisting is switched on in the config
    app.config['JWT_BLACKLIST_ENABLED'] = True
    jwt = JWTManager(app)


    @jwt.token_in_blacklist_loader
    def check_if_token_in_blacklist(decrypted_token):
        # called for every protected request with the decoded token payload;
        # returning True makes the library reject the token
        jti = decrypted_token['jti']
        return models.RevokedToken.is_jti_blacklisted(jti)


This looks straightforward enough, but, as we are talking about authentication, I thought I would ask if anyone sees any flaws or potential improvements to this approach?
      python authentication flask jwt
      asked 1 hour ago
      alecxe
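The jti-blacklist check the question describes, as an added example that is not part of the post or of flask-jwt-extended: a stand-in for the `RevokedToken` table backed by in-memory SQLite (hypothetical `RevocationStore` and `token_rejected` names). It goes one step beyond the post by storing each revoked token's `exp` claim as well, so rows can be pruned once the token would be rejected by expiry anyway, and by revoking a refresh token alongside the access token.

```python
import sqlite3

# Constructed stand-in for the SQLAlchemy model on the page: one row per revoked
# token. jti is the primary key, so revoking the same token twice is a no-op.
SCHEMA = """
CREATE TABLE IF NOT EXISTS revoked_tokens (
    jti TEXT PRIMARY KEY,
    exp INTEGER NOT NULL
)
"""


class RevocationStore:
    """Hypothetical revocation store; not flask-jwt-extended API."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(SCHEMA)

    def revoke(self, payload):
        """Record the token's jti together with its own exp claim."""
        self.conn.execute(
            "INSERT OR IGNORE INTO revoked_tokens (jti, exp) VALUES (?, ?)",
            (payload["jti"], int(payload["exp"])),
        )
        self.conn.commit()

    def is_revoked(self, jti):
        row = self.conn.execute(
            "SELECT 1 FROM revoked_tokens WHERE jti = ?", (jti,)
        ).fetchone()
        return row is not None

    def prune(self, now):
        """Delete rows whose token has expired; returns the number removed."""
        cur = self.conn.execute(
            "DELETE FROM revoked_tokens WHERE exp <= ?", (int(now),)
        )
        self.conn.commit()
        return cur.rowcount


def token_rejected(store, payload, now):
    """Mirror of the blacklist loader: reject an expired or a revoked token.

    Expiry is checked first, so pruning expired rows never lets a token back in.
    """
    if int(payload["exp"]) <= now:
        return True
    return store.is_revoked(payload["jti"])
```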