further relegate single-argument decode_key_callback to legacy

Author: acrossen

flask_jwt_extended/default_callbacks.py

@@ -103,7 +103,7 @@ def default_verify_claims_failed_callback():
     return jsonify({config.error_msg_key: 'User claims verification failed'}), 400
 
 
-def default_decode_key_callback(claims):
+def default_decode_key_callback(claims, headers):
     """
     By default, the decode key specified via the JWT_SECRET_KEY or
     JWT_PUBLIC_KEY settings will be used to decode all tokens

flask_jwt_extended/utils.py

@@ -1,5 +1,6 @@
 from flask import current_app
 from werkzeug.local import LocalProxy
+from warnings import warn
 
 try:
     from flask import _app_ctx_stack as ctx_stack
@@ -82,6 +83,11 @@ def decode_token(encoded_token, csrf_value=None):
     try:
         secret = jwt_manager._decode_key_callback(unverified_claims, unverified_headers)
     except TypeError:
+        msg = (
+                "The single-argument (unverified_claims) form of decode_key_callback is deprecated. "
+                "Update your code to use the two-argument form (unverified_claims, unverified_headers)."
+        )
+        warn(msg, DeprecationWarning)
         secret = jwt_manager._decode_key_callback(unverified_claims)
     return decode_jwt(
         encoded_token=encoded_token,

tests/test_decode_tokens.py

@@ -1,6 +1,7 @@
 import jwt
 import pytest
 from datetime import datetime, timedelta
+import warnings
 
 from flask import Flask
 from jwt import ExpiredSignatureError, InvalidSignatureError, InvalidAudienceError
@@ -136,25 +137,36 @@ def test_encode_decode_callback_values(app, default_access_token):
     jwtM = get_jwt_manager(app)
     app.config['JWT_SECRET_KEY'] = 'foobarbaz'
     with app.test_request_context():
-        assert jwtM._decode_key_callback({}) == 'foobarbaz'
+        assert jwtM._decode_key_callback({}, {}) == 'foobarbaz'
         assert jwtM._encode_key_callback({}) == 'foobarbaz'
 
     @jwtM.encode_key_loader
     def get_encode_key_1(identity):
         return 'different secret'
     assert jwtM._encode_key_callback('') == 'different secret'
 
-    # test decode key callback with two arguments (preferred)
     @jwtM.decode_key_loader
     def get_decode_key_1(claims, headers):
         return 'different secret'
     assert jwtM._decode_key_callback({}, {}) == 'different secret'
 
+
+def test_legacy_decode_key_callback(app, default_access_token):
+    jwtM = get_jwt_manager(app)
+    app.config['JWT_SECRET_KEY'] = 'foobarbaz'
+
     # test decode key callback with one argument (backwards compatibility)
-    @jwtM.decode_key_loader
-    def get_decode_key_2(claims):
-        return 'different secret'
-    assert jwtM._decode_key_callback({}) == 'different secret'
+    with warnings.catch_warnings(record=True) as w:
+        warnings.simplefilter("always")
+
+        @jwtM.decode_key_loader
+        def get_decode_key_legacy(claims):
+            return 'foobarbaz'
+        with app.test_request_context():
+            token = encode_token(app, default_access_token)
+            decode_token(token)
+            assert len(w) == 1
+            assert issubclass(w[-1].category, DeprecationWarning)
 
 
 def test_custom_encode_decode_key_callbacks(app, default_access_token):
@@ -176,7 +188,7 @@ def get_encode_key_1(identity):
             decode_token(token)
 
     @jwtM.decode_key_loader
-    def get_decode_key_1(claims):
+    def get_decode_key_1(claims, headers):
         assert claims['identity'] == 'username'
         return 'different secret'