Need way to determine in which allowed location (cookie, header, etc) the JWT was found for the current request

[sammck]

For testing and other reasons, I would like to have protected routes that can be authorized by a JWT either in a cookie (for browser-based access) or in a header (for single-page apps or standalone clients). This works fine, except that the recommended approach for implicit access token refresh:

# Using an `after_request` callback, we refresh any token that is within 30
# minutes of expiring. Change the timedeltas to match the needs of your application.
@app.after_request
def refresh_expiring_jwts(response):
    try:
        exp_timestamp = get_jwt()["exp"]
        now = datetime.now(timezone.utc)
        target_timestamp = datetime.timestamp(now + timedelta(minutes=30))
        if target_timestamp > exp_timestamp:
            access_token = create_access_token(identity=get_jwt_identity())
            set_access_cookies(response, access_token)
        return response
    except (RuntimeError, KeyError):
        # Case where there is not a valid JWT. Just return the original respone
        return response

should be suppressed in the case where the access token jwt was supplied in a header rather than a cookie.

Is there a viable way to make this work in the current implementation? If not, does this sound like a reasonable feature request? I'd be willing to take a stab at a PR.

[vimalloc-mavenlink]

Yeah, a first class support for something like that seems reasonable to me.

If you need something going now, you could add something like this to the top of that method:

# Case where the jwt is not coming in from cookies, so no implicit refresh should happen
if not request.cookies.get(config.access_cookie_name):
    return response

# Rest of the implict refresh function

If you want to take a stab at adding some better first class support for this, my first though would be to add a function in utils.py along the lines of def jwt_request_location (could probably come up with a better name then that). You could hook into the view_decorators which set a bunch of things like _request_ctx_stack.top.jwt = jwt_data so that we don't have to worry about that logic being duplicated over multiple places. Basically the view decorator can just store whatever location it got the JWT from in the context stack, so that it can be pulled back out later via that new utils method.

Let me know if you have any questions or anything 👍