Add callback hook to decode token from arbitrary source

[mjpieters]

Currently, the project will load the JWT data from various sources, depending on what JWT_TOKEN_LOCATION is set to, including cookies, the query string, and in the headers.

I now have a requirement to look for refresh tokens in a JSON POST body. Rather than ask for jet another configurable codepath to be added, can we have a callback instead? The callback would be passed the request type and would have to return the decoded data (using utils.decode_token()) or None if no data for the request type was found.

My callback could then just use:

from flask_jwt_extended import decode_token, JWTManager

jwt = JWTManager()

@jwt.decode_jwt_callback
def decode_jwt_from_json(request_type):
    if request_type != 'refresh':
        return None
    data = request.json or {}
    encoded_token = data.get('refresh_token')   
    if encoded_token is None:
        return None
    return decode_token(encoded_token)

This saves me from having to write a new decorator that then has to remember to verify the token and check the blacklist (if configured).

[vimalloc]

In terms of just grabbing data from the JSON body, there is actually already a PR in the queue right now that would add support for this: #173. If we could get the last little bit of that fixed up I would love to get it merged and a new release cut 👍

In terms of this request, I would be down to add it if someone wanted to submit a PR. It could open the door to allowing different endpoint grabbing the JWT from different locations which could be neat. It would need some care to handle all of the additional checks that happen after the token was decoded (firing user load callback, checking blacklist, access vs refresh token checks, etc).

[mjpieters]

It would need some care to handle all of the additional checks that happen after the token was decoded (firing user load callback, checking blacklist, access vs refresh token checks, etc).

Absolutely! The idea is that the callback is invoked from _decode_jwt_from_request.

[vimalloc]

Yep, that makes sense. We would just need to be able to handle a lot of different options in that decode_token(encoded_token) function, which can be seen here: https://github.com/vimalloc/flask-jwt-extended/blob/master/flask_jwt_extended/view_decorators.py#L22. All of those methods do slightly different things to perform verification, and combining them into a single method would be I think the biggest hurdle to this.

[vimalloc]

Oh wait, I see what your saying. I totally parsed that snippet wrong. Yeah, that could work.

[vimalloc]

The ability to grab a JWT from the JSON body has now been released in version 3.12.0. I'm going to close this for now, but I'll keep toying with the idea of a callback function to grab the JWT, it's a very interesting idea. Cheers! 👍