第九章 token freshness

Author: suenism | Source: published 2020-02-16 17:20, read 0 times

The fresh token pattern is built into the extension. The pattern is very simple: you can choose to mark some access tokens as fresh and others as non-fresh, and use the fresh_jwt_required() decorator to allow only fresh tokens to reach certain endpoints.
This is useful for letting fresh tokens do sensitive things (such as changing an email address or completing an online purchase) while denying those features to non-fresh tokens. Combining fresh tokens with refresh tokens gives you a more secure site without forcing users to re-authenticate constantly, which would make for a poor user experience.
Here is an example of how you can use refresh tokens together with the fresh token pattern:

    from flask import Flask, jsonify, request
    from flask_jwt_extended import (
        JWTManager, jwt_required, create_access_token,
        jwt_refresh_token_required, create_refresh_token,
        get_jwt_identity, fresh_jwt_required
    )
    
    app = Flask(__name__)
    
    app.config['JWT_SECRET_KEY'] = 'super-secret'  # Change this!
    jwt = JWTManager(app)
    
    
    # Standard login endpoint. Will return a fresh access token and
    # a refresh token
    @app.route('/login', methods=['POST'])
    def login():
        username = request.json.get('username', None)
        password = request.json.get('password', None)
        if username != 'test' or password != 'test':
            return jsonify({"msg": "Bad username or password"}), 401
    
        # create_access_token supports an optional 'fresh' argument,
        # which marks the token as fresh or non-fresh accordingly.
        # As we just verified their username and password, we are
        # going to mark the token as fresh here.
        ret = {
            'access_token': create_access_token(identity=username, fresh=True),
            'refresh_token': create_refresh_token(identity=username)
        }
        return jsonify(ret), 200
    
    
    # Refresh token endpoint. This will generate a new access token from
    # the refresh token, but will mark that access token as non-fresh,
    # as we do not actually verify a password in this endpoint.
    @app.route('/refresh', methods=['POST'])
    @jwt_refresh_token_required
    def refresh():
        current_user = get_jwt_identity()
        new_token = create_access_token(identity=current_user, fresh=False)
        ret = {'access_token': new_token}
        return jsonify(ret), 200
    
    
    # Fresh login endpoint. This is designed to be used if we need to
    # make a fresh token for a user (by verifying they have the
    # correct username and password). Unlike the standard login endpoint,
    # this will only return a new access token, so that we don't keep
    # generating new refresh tokens, which entirely defeats their point.
    @app.route('/fresh-login', methods=['POST'])
    def fresh_login():
        username = request.json.get('username', None)
        password = request.json.get('password', None)
        if username != 'test' or password != 'test':
            return jsonify({"msg": "Bad username or password"}), 401
    
        new_token = create_access_token(identity=username, fresh=True)
        ret = {'access_token': new_token}
        return jsonify(ret), 200
    
    
    # Any valid JWT can access this endpoint
    @app.route('/protected', methods=['GET'])
    @jwt_required
    def protected():
        username = get_jwt_identity()
        return jsonify(logged_in_as=username), 200
    
    
    # Only fresh JWTs can access this endpoint
    @app.route('/protected-fresh', methods=['GET'])
    @fresh_jwt_required
    def protected_fresh():
        username = get_jwt_identity()
        return jsonify(fresh_logged_in_as=username), 200
    
    
    if __name__ == '__main__':
        app.run()
    
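The same pattern reduced to its mechanics, as an added example that is not part of the original page or of flask-jwt-extended: a minimal HS256 JWT carrying a boolean `fresh` claim, a login that mints a fresh access token plus a refresh token, a refresh step that can only mint non-fresh access tokens (and rejects an access token presented as a refresh token), and a route gate that enforces freshness the way fresh_jwt_required does. The secret, the fixed test/test credentials and the token lifetimes are constructed for the demonstration.

```python
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-secret"  # constructed for this example; a real app loads the key from config

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_jwt(claims: dict) -> str:
    # Minimal HS256 JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256 tag)
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(tag)}"
def decode_jwt(token: str):
    # Returns the claims, or None when the tag (compared in constant time) or the expiry fails
    head, body, tag = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims["exp"] > time.time() else None

def create_token(identity: str, kind: str, ttl: int, fresh: bool = False) -> str:
    # kind is "access" or "refresh"; the boolean "fresh" claim is what fresh_jwt_required inspects
    now = int(time.time())
    return encode_jwt({"sub": identity, "type": kind, "fresh": fresh, "iat": now, "exp": now + ttl})

def login(username: str, password: str):
    # Same fixed credential check as the page; the password was verified, so the token is fresh
    if username != "test" or password != "test":
        return None
    return {"access_token": create_token(username, "access", 900, fresh=True),
            "refresh_token": create_token(username, "refresh", 30 * 86400)}

def refresh(refresh_token: str):
    # No password check here, so the new access token is non-fresh; an access token is rejected
    claims = decode_jwt(refresh_token)
    if claims is None or claims["type"] != "refresh":
        return None
    return create_token(claims["sub"], "access", 900, fresh=False)

def verify_access(token: str, require_fresh: bool = False):
    # Gate for a protected route: (identity, None) when allowed, (None, reason) when denied
    claims = decode_jwt(token)
    if claims is None or claims["type"] != "access":
        return None, "valid access token required"
    if require_fresh and not claims.get("fresh", False):
        return None, "fresh token required"
    return claims["sub"], None
```

A token obtained from `refresh()` passes `verify_access(token)` but fails `verify_access(token, require_fresh=True)`, which is exactly the split between `/protected` and `/protected-fresh` above.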
