Merge branch 'master' into master

Author: stephendwolff

.readthedocs.yml

@@ -0,0 +1,10 @@
+version: 2
+
+sphinx:
+  builder: htmldir
+  configuration: docs/conf.py
+
+python:
+  version: 3.7
+  install:
+    - requirements: requirements.txt

.travis.yml

@@ -1,16 +1,18 @@
 language: python
 matrix:
   include:
+    - python: 3.8
+      env: TOXENV=py38
+    - python: 3.7
+      env: TOXENV=py37
     - python: 3.6
-      env: TOXENV=py
+      env: TOXENV=py36
     - python: 3.5
-      env: TOXENV=py
-    - python: 3.4
-      env: TOXENV=py
+      env: TOXENV=py35
     - python: 2.7
-      env: TOXENV=py
+      env: TOXENV=py27
     - python: pypy
-      env: TOXENV=py
+      env: TOXENV=pypy
 sudo: false
 install:
     - pip install -U pip

README.md

@@ -3,10 +3,8 @@
 [![Coverage Status](https://coveralls.io/repos/github/vimalloc/flask-jwt-extended/badge.svg?branch=master)](https://coveralls.io/github/vimalloc/flask-jwt-extended?branch=master)
 [![PyPI version](https://badge.fury.io/py/Flask-JWT-Extended.svg)](https://badge.fury.io/py/Flask-JWT-Extended)
 [![Documentation Status](https://readthedocs.org/projects/flask-jwt-extended/badge/)](http://flask-jwt-extended.readthedocs.io/en/latest/)
-[![Join the chat at https://gitter.im/flask-jwt-extended/Lobby](https://badges.gitter.im/flask-jwt-extended/Lobby.svg)](https://gitter.im/flask-jwt-extended/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
 ### Features
-
 Flask-JWT-Extended not only adds support for using JSON Web Tokens (JWT) to Flask for protecting views,
 but also many helpful (and **optional**) features  built in to make working with JSON Web Tokens
 easier. These include:
@@ -19,23 +17,20 @@ easier. These include:
 * Token revoking/blacklisting
 * Storing tokens in cookies and CSRF protection
 
-
 ### Usage
-[View the documentation online](http://flask-jwt-extended.readthedocs.io/en/latest/)
-
+[View the documentation online](https://flask-jwt-extended.readthedocs.io/en/stable/)
 
 ### Changelog
 You can view the changelog [here](https://github.com/vimalloc/flask-jwt-extended/releases).
 This project follows [semantic versioning](https://semver.org/).
 
 ### Chatting
-Come chat with the community or ask questions at https://gitter.im/flask-jwt-extended/Lobby.
-
+Come chat with the community or ask questions at https://discord.gg/EJBsbFd
 
 ### Local Development
 We require 100% code coverage in our unit tests. You can run the tests locally
 with `tox` which will print out a code coverage report. Creating a pull request
-will run the tests against python 2.7, 3.4, 3.5, 3.6, and PyPy.
+will run the tests against python 2.7, 3.5, 3.6, 3.7, 3.8 and PyPy.
 ```
 $ tox
 ```

docs/conf.py

@@ -34,6 +34,7 @@
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
+    'pallets_sphinx_themes',
     'sphinx.ext.autodoc',
     'sphinx.ext.intersphinx',
     'sphinx.ext.ifconfig',

docs/options.rst

@@ -157,6 +157,14 @@ These are only applicable if ``JWT_TOKEN_LOCATION`` is set to use cookies and
                                   Only applicable if ``JWT_CSRF_IN_COOKIES`` is ``True``
 ``JWT_REFRESH_CSRF_COOKIE_PATH``  Path of the CSRF refresh cookie. Defaults to ``'/'``.
                                   Only applicable if ``JWT_CSRF_IN_COOKIES`` is ``True``
+``JWT_CSRF_CHECK_FORM``           When no CSRF token can be found in the header, check the form data. Defaults to
+                                  ``False``.
+``JWT_ACCESS_CSRF_FIELD_NAME``    Name of the form field that should contain the CSRF double submit value for access
+                                  tokens when no header is present. Only applicable if ``JWT_CSRF_CHECK_FORM`` is
+                                  ``True``. Defaults to ``'csrf_token'``.
+``JWT_REFRESH_CSRF_FIELD_NAME``   Name of the form field that should contain the CSRF double submit value for refresh
+                                  tokens when no header is present. Only applicable if ``JWT_CSRF_CHECK_FORM`` is
+                                  ``True``. Defaults to ``'csrf_token'``.
 ================================= =========================================
 
 

docs/tokens_in_cookies.rst

@@ -78,3 +78,39 @@ to the caller, like such:
       set_access_cookies(resp, access_token)
       set_refresh_cookies(resp, refresh_token)
       return resp, 200
+
+
+Typically JWT is used with API servers using JSON payloads, often via AJAX. However you may have an endpoint that
+receives POST requests directly from an HTML form. Without AJAX, you can't set the CSRF headers to pass your token to
+the server. In this scenario you can send the token in a hidden form field. To accomplish this, first configure JWT to
+check the form for CSRF tokens. Now it's not necessary to send the csrf in a separate cookie, you can render it
+directly into your HTML template:
+
+
+.. code-block:: python
+
+  app.config['JWT_CSRF_CHECK_FORM'] = True
+
+  ...
+
+  @app.route('/protected', methods=['GET', 'POST'])
+  @jwt_optional
+  def protected():
+    if request.method == "GET":
+        return render_template(
+            "form.html", csrf_token=(get_raw_jwt() or {}).get("csrf")
+        )
+    else:
+      # handle POST request
+      current_user = get_jwt_identity()
+
+
+In the HTML template, pass the token back to the server via a hidden input.
+
+.. code-block:: html
+
+  <form method="POST">
+    ...
+    <input name="csrf_token" type="hidden" value="{{ csrf_token }}">
+    <button>Submit</button>
+  </form>

flask_jwt_extended/__init__.py

@@ -1,14 +1,15 @@
 from .jwt_manager import JWTManager
-from .view_decorators import (
-    fresh_jwt_required, jwt_optional, jwt_refresh_token_required, jwt_required,
-    verify_fresh_jwt_in_request, verify_jwt_in_request,
-    verify_jwt_in_request_optional, verify_jwt_refresh_token_in_request
-)
 from .utils import (
     create_access_token, create_refresh_token, current_user, decode_token,
     get_csrf_token, get_current_user, get_jti, get_jwt_claims, get_jwt_identity,
     get_raw_jwt, set_access_cookies, set_refresh_cookies, unset_access_cookies,
-    unset_jwt_cookies, unset_refresh_cookies
+    unset_jwt_cookies, unset_refresh_cookies, get_unverified_jwt_headers,
+    get_raw_jwt_header
+)
+from .view_decorators import (
+    fresh_jwt_required, jwt_optional, jwt_refresh_token_required, jwt_required,
+    verify_fresh_jwt_in_request, verify_jwt_in_request,
+    verify_jwt_in_request_optional, verify_jwt_refresh_token_in_request
 )
 
-__version__ = '3.19.0'
+__version__ = '3.24.1'

flask_jwt_extended/config.py

@@ -184,6 +184,18 @@ def refresh_csrf_header_name(self):
         return self._get_depreciated_csrf_header_name() or \
                current_app.config['JWT_REFRESH_CSRF_HEADER_NAME']
 
+    @property
+    def csrf_check_form(self):
+        return current_app.config['JWT_CSRF_CHECK_FORM']
+
+    @property
+    def access_csrf_field_name(self):
+        return current_app.config['JWT_ACCESS_CSRF_FIELD_NAME']
+
+    @property
+    def refresh_csrf_field_name(self):
+        return current_app.config['JWT_REFRESH_CSRF_FIELD_NAME']
+
     @property
     def access_expires(self):
         delta = current_app.config['JWT_ACCESS_TOKEN_EXPIRES']
@@ -316,6 +328,14 @@ def json_encoder(self):
     def audience(self):
         return current_app.config['JWT_DECODE_AUDIENCE']
 
+    @property
+    def encode_issuer(self):
+        return current_app.config['JWT_ENCODE_ISSUER']
+
+    @property
+    def decode_issuer(self):
+        return current_app.config['JWT_DECODE_ISSUER']
+
     @property
     def leeway(self):
         return current_app.config['JWT_DECODE_LEEWAY']

flask_jwt_extended/default_callbacks.py

@@ -22,6 +22,17 @@ def default_user_claims_callback(userdata):
     return {}
 
 
+def default_jwt_headers_callback(default_headers):
+    """
+    By default header typically consists of two parts: the type of the token,
+    which is JWT, and the signing algorithm being used, such as HMAC SHA256
+    or RSA. But we don't set the default header here we set it as empty which
+    further by default set while encoding the token
+    :return: default we set None here
+    """
+    return None
+
+
 def default_user_identity_callback(userdata):
     """
     By default, we use the passed in object directly as the jwt identity.

flask_jwt_extended/jwt_manager.py

@@ -1,7 +1,11 @@
 import datetime
 from warnings import warn
 
-from jwt import ExpiredSignatureError, InvalidTokenError, InvalidAudienceError
+from jwt import (
+    ExpiredSignatureError, InvalidTokenError, InvalidAudienceError,
+    InvalidIssuerError, DecodeError
+)
+
 try:
     from flask import _app_ctx_stack as ctx_stack
 except ImportError:  # pragma: no cover
@@ -19,8 +23,8 @@
     default_unauthorized_callback, default_needs_fresh_token_callback,
     default_revoked_token_callback, default_user_loader_error_callback,
     default_claims_verification_callback, default_verify_claims_failed_callback,
-    default_decode_key_callback, default_encode_key_callback
-)
+    default_decode_key_callback, default_encode_key_callback,
+    default_jwt_headers_callback)
 from flask_jwt_extended.tokens import (
     encode_refresh_token, encode_access_token
 )
@@ -61,6 +65,7 @@ def __init__(self, app=None):
         self._verify_claims_failed_callback = default_verify_claims_failed_callback
         self._decode_key_callback = default_decode_key_callback
         self._encode_key_callback = default_encode_key_callback
+        self._jwt_additional_header_callback = default_jwt_headers_callback
 
         # Register this extension with the flask app now (if it is provided)
         if app is not None:
@@ -101,7 +106,7 @@ def handle_expired_error(e):
             except TypeError:
                 msg = (
                     "jwt.expired_token_loader callback now takes the expired token "
-                    "as an additional paramter. Example: expired_callback(token)"
+                    "as an additional parameter. Example: expired_callback(token)"
                 )
                 warn(msg, DeprecationWarning)
                 return self._expired_token_callback()
@@ -110,6 +115,10 @@ def handle_expired_error(e):
         def handle_invalid_header_error(e):
             return self._invalid_token_callback(str(e))
 
+        @app.errorhandler(DecodeError)
+        def handle_invalid_header_error(e):
+            return self._invalid_token_callback(str(e))
+
         @app.errorhandler(InvalidTokenError)
         def handle_invalid_token_error(e):
             return self._invalid_token_callback(str(e))
@@ -126,6 +135,10 @@ def handle_wrong_token_error(e):
         def handle_invalid_audience_error(e):
             return self._invalid_token_callback(str(e))
 
+        @app.errorhandler(InvalidIssuerError)
+        def handle_invalid_issuer_error(e):
+            return self._invalid_token_callback(str(e))
+
         @app.errorhandler(RevokedTokenError)
         def handle_revoked_token_error(e):
             return self._revoked_token_callback()
@@ -185,6 +198,9 @@ def _set_default_configuration_options(app):
         app.config.setdefault('JWT_REFRESH_CSRF_COOKIE_NAME', 'csrf_refresh_token')
         app.config.setdefault('JWT_ACCESS_CSRF_COOKIE_PATH', '/')
         app.config.setdefault('JWT_REFRESH_CSRF_COOKIE_PATH', '/')
+        app.config.setdefault('JWT_CSRF_CHECK_FORM', False)
+        app.config.setdefault('JWT_ACCESS_CSRF_FIELD_NAME', 'csrf_token')
+        app.config.setdefault('JWT_REFRESH_CSRF_FIELD_NAME', 'csrf_token')
 
         # How long an a token will live before they expire.
         app.config.setdefault('JWT_ACCESS_TOKEN_EXPIRES', datetime.timedelta(minutes=15))
@@ -214,6 +230,8 @@ def _set_default_configuration_options(app):
         app.config.setdefault('JWT_IDENTITY_CLAIM', 'identity')
         app.config.setdefault('JWT_USER_CLAIMS', 'user_claims')
         app.config.setdefault('JWT_DECODE_AUDIENCE', None)
+        app.config.setdefault('JWT_ENCODE_ISSUER', None)
+        app.config.setdefault('JWT_DECODE_ISSUER', None)
         app.config.setdefault('JWT_DECODE_LEEWAY', 0)
 
         app.config.setdefault('JWT_CLAIMS_IN_REFRESH_TOKEN', False)
@@ -439,13 +457,33 @@ def encode_key_loader(self, callback):
         self._encode_key_callback = callback
         return callback
 
-    def _create_refresh_token(self, identity, expires_delta=None, user_claims=None):
+    def additional_headers_loader(self, callback):
+        """
+        This decorator sets the callback function for adding custom headers to an
+        access token when :func:`~flask_jwt_extended.create_access_token` is
+        called. By default, two headers will be added the type of the token, which is JWT,
+        and the signing algorithm being used, such as HMAC SHA256 or RSA.
+
+        *HINT*: The callback function must be a function that takes **no** argument,
+        which is the object passed into
+        :func:`~flask_jwt_extended.create_access_token`, and returns the custom
+        claims you want included in the access tokens. This returned claims
+        must be *JSON serializable*.
+        """
+        self._jwt_additional_header_callback = callback
+        return callback
+
+    def _create_refresh_token(self, identity, expires_delta=None, user_claims=None,
+                              headers=None):
         if expires_delta is None:
             expires_delta = config.refresh_expires
 
         if user_claims is None and config.user_claims_in_refresh_token:
             user_claims = self._user_claims_callback(identity)
 
+        if headers is None:
+            headers = self._jwt_additional_header_callback(identity)
+
         refresh_token = encode_refresh_token(
             identity=self._user_identity_callback(identity),
             secret=self._encode_key_callback(identity),
@@ -455,17 +493,22 @@ def _create_refresh_token(self, identity, expires_delta=None, user_claims=None):
             csrf=config.csrf_protect,
             identity_claim_key=config.identity_claim_key,
             user_claims_key=config.user_claims_key,
-            json_encoder=config.json_encoder
+            json_encoder=config.json_encoder,
+            headers=headers
         )
         return refresh_token
 
-    def _create_access_token(self, identity, fresh=False, expires_delta=None, user_claims=None):
+    def _create_access_token(self, identity, fresh=False, expires_delta=None,
+                             user_claims=None, headers=None):
         if expires_delta is None:
             expires_delta = config.access_expires
 
         if user_claims is None:
             user_claims = self._user_claims_callback(identity)
 
+        if headers is None:
+            headers = self._jwt_additional_header_callback(identity)
+
         access_token = encode_access_token(
             identity=self._user_identity_callback(identity),
             secret=self._encode_key_callback(identity),
@@ -476,6 +519,8 @@ def _create_access_token(self, identity, fresh=False, expires_delta=None, user_c
             csrf=config.csrf_protect,
             identity_claim_key=config.identity_claim_key,
             user_claims_key=config.user_claims_key,
-            json_encoder=config.json_encoder
+            json_encoder=config.json_encoder,
+            headers=headers,
+            issuer=config.encode_issuer,
         )
         return access_token