diff -pruN 4.4.2-2/debian/changelog 4.4.3-1/debian/changelog --- 4.4.2-2/debian/changelog 2022-07-13 21:28:43.000000000 +0000 +++ 4.4.3-1/debian/changelog 2022-08-01 17:56:03.000000000 +0000 @@ -1,3 +1,12 @@ +python-flask-jwt-extended (4.4.3-1) unstable; urgency=medium + + * New upstream version. + * d/patches/use_response_data_in_tests.patch: Add patch to use + TestReponse.data instead of TestResponse.text. 'text' property was added + in version 2.1 of python-werkzeug and that version is not in Debian yet. + + -- Emmanuel Arias Mon, 01 Aug 2022 14:56:03 -0300 + python-flask-jwt-extended (4.4.2-2) unstable; urgency=medium * Source-only upload. diff -pruN 4.4.2-2/debian/patches/series 4.4.3-1/debian/patches/series --- 4.4.2-2/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ 4.4.3-1/debian/patches/series 2022-08-01 17:56:03.000000000 +0000 @@ -0,0 +1 @@ +use_response_data_in_tests.patch diff -pruN 4.4.2-2/debian/patches/use_response_data_in_tests.patch 4.4.3-1/debian/patches/use_response_data_in_tests.patch --- 4.4.2-2/debian/patches/use_response_data_in_tests.patch 1970-01-01 00:00:00.000000000 +0000 +++ 4.4.3-1/debian/patches/use_response_data_in_tests.patch 2022-08-01 17:56:03.000000000 +0000 @@ -0,0 +1,23 @@ +Description: Use response.data instead of response.text + The property text for TestResponse was added in werkzeug on + version 2.1 and this version is not in Debian yet. +Author: Emmanuel Arias +Index: python-flask-jwt-extended/tests/test_add_context_processor.py +=================================================================== +--- python-flask-jwt-extended.orig/tests/test_add_context_processor.py 2022-08-01 15:33:43.816027744 -0300 ++++ python-flask-jwt-extended/tests/test_add_context_processor.py 2022-08-02 23:37:01.882488496 -0300 +@@ -34,7 +34,7 @@ + + access_headers = {"Authorization": "Bearer {}".format(access_token)} + response = test_client.get("/context_current_user", headers=access_headers) +- assert response.text == "test_user" ++ assert response.data == b"test_user" + + + def test_no_add_context_processor(app): +@@ -51,4 +51,4 @@ + + access_headers = {"Authorization": "Bearer {}".format(access_token)} + response = test_client.get("/context_current_user", headers=access_headers) +- assert response.text == "" ++ assert response.data == b"" diff -pruN 4.4.2-2/docs/options.rst 4.4.3-1/docs/options.rst --- 4.4.2-2/docs/options.rst 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/docs/options.rst 2022-07-27 21:40:35.000000000 +0000 @@ -8,24 +8,73 @@ For example: app.config["OPTION_NAME"] = option_value -General Options: -~~~~~~~~~~~~~~~~ +Overview: +~~~~~~~~~ -.. py:data:: JWT_TOKEN_LOCATION +- `General Options:`_ - Where to look for a JWT when processing a request. The available options - are ``"headers"``, ``"cookies"``, ``"query_string"``, and ``"json"``. + * `JWT_ACCESS_TOKEN_EXPIRES`_ + * `JWT_ALGORITHM`_ + * `JWT_DECODE_ALGORITHMS`_ + * `JWT_DECODE_AUDIENCE`_ + * `JWT_DECODE_ISSUER`_ + * `JWT_DECODE_LEEWAY`_ + * `JWT_ENCODE_AUDIENCE`_ + * `JWT_ENCODE_ISSUER`_ + * `JWT_ENCODE_NBF`_ + * `JWT_ERROR_MESSAGE_KEY`_ + * `JWT_IDENTITY_CLAIM`_ + * `JWT_PRIVATE_KEY`_ + * `JWT_PUBLIC_KEY`_ + * `JWT_REFRESH_TOKEN_EXPIRES`_ + * `JWT_SECRET_KEY`_ + * `JWT_TOKEN_LOCATION`_ + +- `Header Options:`_ + + * `JWT_HEADER_NAME`_ + * `JWT_HEADER_TYPE`_ + +- `Cookie Options:`_ + + * `JWT_ACCESS_COOKIE_NAME`_ + * `JWT_ACCESS_COOKIE_PATH`_ + * `JWT_COOKIE_CSRF_PROTECT`_ + * `JWT_COOKIE_DOMAIN`_ + * `JWT_COOKIE_SAMESITE`_ + * `JWT_COOKIE_SECURE`_ + * `JWT_REFRESH_COOKIE_NAME`_ + * `JWT_REFRESH_COOKIE_PATH`_ + * `JWT_SESSION_COOKIE`_ + +- `Cross Site Request Forgery Options:`_ + + * `JWT_ACCESS_CSRF_COOKIE_NAME`_ + * `JWT_ACCESS_CSRF_COOKIE_PATH`_ + * `JWT_ACCESS_CSRF_FIELD_NAME`_ + * `JWT_ACCESS_CSRF_HEADER_NAME`_ + * `JWT_CSRF_CHECK_FORM`_ + * `JWT_CSRF_IN_COOKIES`_ + * `JWT_CSRF_METHODS`_ + * `JWT_REFRESH_CSRF_COOKIE_NAME`_ + * `JWT_REFRESH_CSRF_COOKIE_PATH`_ + * `JWT_REFRESH_CSRF_FIELD_NAME`_ + * `JWT_REFRESH_CSRF_HEADER_NAME`_ + +- `Query String Options:`_ - You can pass in a list to check more then one location, for example - ``["headers", "cookies"]``. The order of the list sets the precedence of - where JWTs will be looked for. + * `JWT_QUERY_STRING_NAME`_ + * `JWT_QUERY_STRING_VALUE_PREFIX`_ - This can be overridden on a per-route basis by using the ``locations`` - argument in :func:`flask_jwt_extended.jwt_required`. +- `JSON Body Options:`_ - Default: ``"headers"`` + * `JWT_JSON_KEY`_ + * `JWT_REFRESH_JSON_KEY`_ +General Options: +~~~~~~~~~~~~~~~~ +.. _JWT_ACCESS_TOKEN_EXPIRES: .. py:data:: JWT_ACCESS_TOKEN_EXPIRES How long an access token should be valid before it expires. This can be a @@ -42,22 +91,7 @@ General Options: Default: ``datetime.timedelta(minutes=15)`` -.. py:data:: JWT_REFRESH_TOKEN_EXPIRES - - How long a refresh token should be valid before it expires. This can be a - `datetime.timedelta `_, - `dateutil.relativedelta `_, - or a number of seconds (``Integer``). - - If set to ``False`` tokens will never expire. **This is dangerous and should - be avoided in most case** - - This can be overridden on a per token basis by passing the ``expires_delta`` - argument to :func:`flask_jwt_extended.create_refresh_token` - - Default: ``datetime.timedelta(days=30)`` - - +.. _JWT_ALGORITHM: .. py:data:: JWT_ALGORITHM Which algorithm to sign the JWT with. See `PyJWT `_ @@ -66,6 +100,7 @@ General Options: Default: ``"HS256"`` +.. _JWT_DECODE_ALGORITHMS: .. py:data:: JWT_DECODE_ALGORITHMS Which algorithms to use when decoding a JWT. See `PyJWT `_ @@ -76,111 +111,156 @@ General Options: Default: ``["HS256"]`` -.. py:data:: JWT_SECRET_KEY +.. _JWT_DECODE_AUDIENCE: +.. py:data:: JWT_DECODE_AUDIENCE - The secret key used to encode and decode JWTs when using a symmetric signing - algorithm (such as ``HS*``). It should be a long random string of bytes, - although unicode is accepted too. For example, copy the output of this to - your config. + The string or list of audiences (``aud``) expected in a JWT when decoding it. - .. code-block :: + Default: ``None`` - $ python -c 'import os; print(os.urandom(16))' - b'_5#y2L"F4Q8z\n\xec]/' - If this value is not set, Flask's `SECRET_KEY `_ - is used instead. +.. _JWT_DECODE_ISSUER: +.. py:data:: JWT_DECODE_ISSUER - **Do not reveal the secret key when posting questions or committing code.** + The issuer (``iss``) you expect in a JWT when decoding it. - Note: there is ever a need to invalidate all issued tokens (e.g. a security flaw was found, - or the revoked token database was lost), this can be easily done by changing the JWT_SECRET_KEY - (or Flask's SECRET_KEY, if JWT_SECRET_KEY is unset). + Default: ``None`` - Default: ``None`` +.. _JWT_DECODE_LEEWAY: +.. py:data:: JWT_DECODE_LEEWAY + + The number of seconds a token will be considered valid before the Not Before + Time (`nbf) and after the Expires Time (`exp`). This can be useful when + dealing with clock drift between clients. + Default: ``0`` -.. py:data:: JWT_PRIVATE_KEY - The secret key used to encode JWTs when using an asymmetric signing - algorithm (such as ``RS*`` or ``ES*``). The key must be in PEM format. +.. _JWT_ENCODE_AUDIENCE: +.. py:data:: JWT_ENCODE_AUDIENCE - **Do not reveal the secret key when posting questions or committing code.** + The string or list of audiences (``aud``) for created JWTs. Default: ``None`` -.. py:data:: JWT_PUBLIC_KEY +.. _JWT_ENCODE_ISSUER: +.. py:data:: JWT_ENCODE_ISSUER - The secret key used to decode JWTs when using an asymmetric signing - algorithm (such as ``RS*`` or ``ES*``). The key must be in PEM format. + The issuer (``iss``) for created JWTs. Default: ``None`` -.. py:data:: JWT_DECODE_AUDIENCE +.. _JWT_ENCODE_NBF: +.. py:data:: JWT_ENCODE_NBF - The string or list of audiences (``aud``) expected in a JWT when decoding it. + The not before (``nbf``) claim which defines that a JWT MUST NOT be accepted for processing during decode. - Default: ``None`` + Default: ``True`` -.. py:data:: JWT_ENCODE_AUDIENCE +.. _JWT_ERROR_MESSAGE_KEY: +.. py:data:: JWT_ERROR_MESSAGE_KEY - The string or list of audiences (``aud``) for created JWTs. + The key for error messages in a JSON response returned by this extension. - Default: ``None`` + Default: ``"msg"`` -.. py:data:: JWT_DECODE_ISSUER +.. _JWT_IDENTITY_CLAIM: +.. py:data:: JWT_IDENTITY_CLAIM - The issuer (``iss``) you expect in a JWT when decoding it. + The claim in a JWT that is used as the source of identity. + + Default: ``"sub"`` + + +.. _JWT_PRIVATE_KEY: +.. py:data:: JWT_PRIVATE_KEY + + The secret key used to encode JWTs when using an asymmetric signing + algorithm (such as ``RS*`` or ``ES*``). The key must be in PEM format. + + **Do not reveal the secret key when posting questions or committing code.** Default: ``None`` -.. py:data:: JWT_ENCODE_ISSUER +.. _JWT_PUBLIC_KEY: +.. py:data:: JWT_PUBLIC_KEY - The issuer (``iss``) for created JWTs. + The secret key used to decode JWTs when using an asymmetric signing + algorithm (such as ``RS*`` or ``ES*``). The key must be in PEM format. Default: ``None`` -.. py:data:: JWT_ENCODE_NBF +.. _JWT_REFRESH_TOKEN_EXPIRES: +.. py:data:: JWT_REFRESH_TOKEN_EXPIRES - The not before (``nbf``) claim which defines that a JWT MUST NOT be accepted for processing during decode. + How long a refresh token should be valid before it expires. This can be a + `datetime.timedelta `_, + `dateutil.relativedelta `_, + or a number of seconds (``Integer``). - Default: ``True`` + If set to ``False`` tokens will never expire. **This is dangerous and should + be avoided in most case** + This can be overridden on a per token basis by passing the ``expires_delta`` + argument to :func:`flask_jwt_extended.create_refresh_token` -.. py:data:: JWT_DECODE_LEEWAY + Default: ``datetime.timedelta(days=30)`` - The number of seconds a token will be considered valid before the Not Before - Time (`nbf) and after the Expires Time (`exp`). This can be useful when - dealing with clock drift between clients. - Default: ``0`` +.. _JWT_SECRET_KEY: +.. py:data:: JWT_SECRET_KEY + The secret key used to encode and decode JWTs when using a symmetric signing + algorithm (such as ``HS*``). It should be a long random string of bytes, + although unicode is accepted too. For example, copy the output of this to + your config. -.. py:data:: JWT_IDENTITY_CLAIM + .. code-block :: - The claim in a JWT that is used as the source of identity. + $ python -c 'import os; print(os.urandom(16))' + b'_5#y2L"F4Q8z\n\xec]/' - Default: ``"sub"`` + If this value is not set, Flask's `SECRET_KEY `_ + is used instead. + **Do not reveal the secret key when posting questions or committing code.** -.. py:data:: JWT_ERROR_MESSAGE_KEY + Note: there is ever a need to invalidate all issued tokens (e.g. a security flaw was found, + or the revoked token database was lost), this can be easily done by changing the JWT_SECRET_KEY + (or Flask's SECRET_KEY, if JWT_SECRET_KEY is unset). - The key for error messages in a JSON response returned by this extension. - Default: ``"msg"`` + Default: ``None`` + + +.. _JWT_TOKEN_LOCATION: +.. py:data:: JWT_TOKEN_LOCATION + + Where to look for a JWT when processing a request. The available options + are ``"headers"``, ``"cookies"``, ``"query_string"``, and ``"json"``. + + You can pass in a list to check more then one location, for example + ``["headers", "cookies"]``. The order of the list sets the precedence of + where JWTs will be looked for. + + This can be overridden on a per-route basis by using the ``locations`` + argument in :func:`flask_jwt_extended.jwt_required`. + + Default: ``"headers"`` Header Options: ~~~~~~~~~~~~~~~ These are only applicable if a route is configured to accept JWTs via headers. +.. _JWT_HEADER_NAME: .. py:data:: JWT_HEADER_NAME What header should contain the JWT in a request @@ -188,6 +268,7 @@ These are only applicable if a route is Default: ``"Authorization"`` +.. _JWT_HEADER_TYPE: .. py:data:: JWT_HEADER_TYPE What type of header the JWT is in. If this is an empty string, the header @@ -200,17 +281,45 @@ Cookie Options: ~~~~~~~~~~~~~~~ These are only applicable if a route is configured to accept JWTs via cookies. -.. py:data:: JWT_COOKIE_SECURE +.. _JWT_ACCESS_COOKIE_NAME: +.. py:data:: JWT_ACCESS_COOKIE_NAME - Controls if the ``secure`` flag should be placed on cookies created by this - extension. If a cookie is marked as ``secure`` it will only be sent by the - web browser over an HTTPS connection. + The name of the cookie that will hold the access token. - **This should always be True in production.** + Default: ``"access_token_cookie"`` - Default: ``False`` +.. _JWT_ACCESS_COOKIE_PATH: +.. py:data:: JWT_ACCESS_COOKIE_PATH + + The path for the access cookies + + Default: ``"/"`` + + +.. _JWT_COOKIE_CSRF_PROTECT: +.. py:data:: JWT_COOKIE_CSRF_PROTECT + + Controls if Cross Site Request Forgery (CSRF) protection is enabled when using + cookies. + + **This should always be True in production** + + Default: ``True`` + + +.. _JWT_COOKIE_DOMAIN: +.. py:data:: JWT_COOKIE_DOMAIN + + Value to use for cross domain cookies. For example, if ``JWT_COOKIE_DOMAIN`` is + ``".example.com"``, the cookies will be set so they are readable by the domains + www.example.com, foo.example.com etc. Otherwise, a cookie will only be + readable by the domain that set it. + Default: ``None`` + + +.. _JWT_COOKIE_SAMESITE: .. py:data:: JWT_COOKIE_SAMESITE Controls how the cookies should be sent in a cross-site browsing context. @@ -225,13 +334,19 @@ These are only applicable if a route is Default: ``None``, which is treated as ``"Lax"`` by browsers. -.. py:data:: JWT_ACCESS_COOKIE_NAME +.. _JWT_COOKIE_SECURE: +.. py:data:: JWT_COOKIE_SECURE - The name of the cookie that will hold the access token. + Controls if the ``secure`` flag should be placed on cookies created by this + extension. If a cookie is marked as ``secure`` it will only be sent by the + web browser over an HTTPS connection. - Default: ``"access_token_cookie"`` + **This should always be True in production.** + + Default: ``False`` +.. _JWT_REFRESH_COOKIE_NAME: .. py:data:: JWT_REFRESH_COOKIE_NAME The name of the cookie that will hold the refresh token. @@ -242,13 +357,7 @@ These are only applicable if a route is Default: ``"refresh_token_cookie"`` -.. py:data:: JWT_ACCESS_COOKIE_PATH - - The path for the access cookies - - Default: ``"/"`` - - +.. _JWT_REFRESH_COOKIE_PATH: .. py:data:: JWT_REFRESH_COOKIE_PATH The path for the refresh cookies @@ -259,16 +368,7 @@ These are only applicable if a route is Default: ``"/"`` -.. py:data:: JWT_COOKIE_DOMAIN - - Value to use for cross domain cookies. For example, if ``JWT_COOKIE_DOMAIN`` is - ``".example.com"``, the cookies will be set so they are readable by the domains - www.example.com, foo.example.com etc. Otherwise, a cookie will only be - readable by the domain that set it. - - Default: ``None`` - - +.. _JWT_SESSION_COOKIE: .. py:data:: JWT_SESSION_COOKIE Controls if the cookies will be set as session cookies, which are deleted when @@ -277,29 +377,38 @@ These are only applicable if a route is Default: ``True`` -.. py:data:: JWT_COOKIE_CSRF_PROTECT +Cross Site Request Forgery Options: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +These are only applicable if a route is configured to accept JWTs via cookies and +``JWT_COOKIE_CSRF_PROTECT`` is ``True``. - Controls if Cross Site Request Forgery (CSRF) protection is enabled when using - cookies. +.. _JWT_ACCESS_CSRF_COOKIE_NAME: +.. py:data:: JWT_ACCESS_CSRF_COOKIE_NAME - **This should always be True in production** + The name of the cookie that contains the CSRF double submit token. Only + applicable if ``JWT_CSRF_IN_COOKIES`` is ``True`` - Default: ``True`` + Default: ``csrf_access_token`` -Cross Site Request Forgery Options -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -These are only applicable if a route is configured to accept JWTs via cookies and -``JWT_COOKIE_CSRF_PROTECT`` is ``True``. +.. _JWT_ACCESS_CSRF_COOKIE_PATH: +.. py:data:: JWT_ACCESS_CSRF_COOKIE_PATH + The path of the access CSRF double submit cookie. -.. py:data:: JWT_CSRF_METHODS + Default: ``"/"`` - A list of HTTP methods that we should do CSRF checks on. - Default: ``["POST", "PUT", "PATCH", "DELETE"]`` +.. _JWT_ACCESS_CSRF_FIELD_NAME: +.. py:data:: JWT_ACCESS_CSRF_FIELD_NAME + Name of the form field that should contain the CSRF double submit token for + an access token. Only applicable if ``JWT_CSRF_CHECK_FORM`` is ``True`` + Default: ``"csrf_token"`` + + +.. _JWT_ACCESS_CSRF_HEADER_NAME: .. py:data:: JWT_ACCESS_CSRF_HEADER_NAME The name of the header on an incoming request that should contain the CSRF @@ -308,17 +417,15 @@ These are only applicable if a route is Default: ``"X-CSRF-TOKEN"`` -.. py:data:: JWT_REFRESH_CSRF_HEADER_NAME - - The name of the header on an incoming request that should contain the CSRF - double submit token. +.. _JWT_CSRF_CHECK_FORM: +.. py:data:: JWT_CSRF_CHECK_FORM - Note: We generally do not recommend using refresh tokens with cookies. See - :ref:`Implicit Refreshing With Cookies`. + Controls if form data should also be check for the CSRF double submit token. - Default: ``"X-CSRF-TOKEN"`` + Default: ``False`` +.. _JWT_CSRF_IN_COOKIES: .. py:data:: JWT_CSRF_IN_COOKIES Controls if the CSRF double submit token will be stored in additional cookies. @@ -329,14 +436,15 @@ These are only applicable if a route is Default: ``True`` -.. py:data:: JWT_ACCESS_CSRF_COOKIE_NAME +.. _JWT_CSRF_METHODS: +.. py:data:: JWT_CSRF_METHODS - The name of the cookie that contains the CSRF double submit token. Only - applicable if ``JWT_CSRF_IN_COOKIES`` is ``True`` + A list of HTTP methods that we should do CSRF checks on. - Default: ``csrf_access_token`` + Default: ``["POST", "PUT", "PATCH", "DELETE"]`` +.. _JWT_REFRESH_CSRF_COOKIE_NAME: .. py:data:: JWT_REFRESH_CSRF_COOKIE_NAME The name of the cookie that contains the CSRF double submit token. Only @@ -348,13 +456,7 @@ These are only applicable if a route is Default: ``csrf_refresh_token`` -.. py:data:: JWT_ACCESS_CSRF_COOKIE_PATH - - The path of the access CSRF double submit cookie. - - Default: ``"/"`` - - +.. _JWT_REFRESH_CSRF_COOKIE_PATH: .. py:data:: JWT_REFRESH_CSRF_COOKIE_PATH The path of the refresh CSRF double submit cookie. @@ -365,36 +467,35 @@ These are only applicable if a route is Default: ``"/"`` -.. py:data:: JWT_CSRF_CHECK_FORM - - Controls if form data should also be check for the CSRF double submit token. - - Default: ``False`` - - -.. py:data:: JWT_ACCESS_CSRF_FIELD_NAME +.. _JWT_REFRESH_CSRF_FIELD_NAME: +.. py:data:: JWT_REFRESH_CSRF_FIELD_NAME Name of the form field that should contain the CSRF double submit token for - an access token. Only applicable if ``JWT_CSRF_CHECK_FORM`` is ``True`` + a refresh token. Only applicable if ``JWT_CSRF_CHECK_FORM`` is ``True`` + + Note: We generally do not recommend using refresh tokens with cookies. See + :ref:`Implicit Refreshing With Cookies`. Default: ``"csrf_token"`` -.. py:data:: JWT_REFRESH_CSRF_FIELD_NAME +.. _JWT_REFRESH_CSRF_HEADER_NAME: +.. py:data:: JWT_REFRESH_CSRF_HEADER_NAME - Name of the form field that should contain the CSRF double submit token for - a refresh token. Only applicable if ``JWT_CSRF_CHECK_FORM`` is ``True`` + The name of the header on an incoming request that should contain the CSRF + double submit token. Note: We generally do not recommend using refresh tokens with cookies. See :ref:`Implicit Refreshing With Cookies`. - Default: ``"csrf_token"`` + Default: ``"X-CSRF-TOKEN"`` Query String Options: ~~~~~~~~~~~~~~~~~~~~~ These are only applicable if a route is configured to accept JWTs via query string. +.. _JWT_QUERY_STRING_NAME: .. py:data:: JWT_QUERY_STRING_NAME What query string parameter should contain the JWT. @@ -402,6 +503,7 @@ These are only applicable if a route is Default: ``"jwt"`` +.. _JWT_QUERY_STRING_VALUE_PREFIX: .. py:data:: JWT_QUERY_STRING_VALUE_PREFIX An optional prefix string that should show up before the JWT in a @@ -417,6 +519,7 @@ JSON Body Options: ~~~~~~~~~~~~~~~~~~ These are only applicable if a route is configured to accept JWTs via the JSON body. +.. _JWT_JSON_KEY: .. py:data:: JWT_JSON_KEY What key should contain the access token in the JSON body of a request. @@ -424,6 +527,7 @@ These are only applicable if a route is Default: ``"access_token"`` +.. _JWT_REFRESH_JSON_KEY: .. py:data:: JWT_REFRESH_JSON_KEY What key should contain the refresh token in the JSON body of a request. diff -pruN 4.4.2-2/docs/token_locations.rst 4.4.3-1/docs/token_locations.rst --- 4.4.2-2/docs/token_locations.rst 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/docs/token_locations.rst 2022-07-27 21:40:35.000000000 +0000 @@ -115,7 +115,7 @@ out as invalid too. Lets look at how to Note that there are additional CSRF options, such as looking for the double submit token in a form, changing cookie paths, etc, that can be used to tailor things to the needs of your application. See -:ref:`Cross Site Request Forgery Options` for details. +:ref:`Cross Site Request Forgery Options:` for details. Query String diff -pruN 4.4.2-2/docs/v4_upgrade_guide.rst 4.4.3-1/docs/v4_upgrade_guide.rst --- 4.4.2-2/docs/v4_upgrade_guide.rst 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/docs/v4_upgrade_guide.rst 2022-07-27 21:40:35.000000000 +0000 @@ -124,6 +124,8 @@ API Changes will now always be put in the JWT regardless of if it is an access or refresh tokens. If you don't want additional claims in your refresh tokens, do not include any additional claims when creating the refresh token. +- Removed ``UserLoadError`` from ``flask_jwt_extended.exceptions``. Use ``UserLookupError`` instead. + New Stuff ~~~~~~~~~ diff -pruN 4.4.2-2/flask_jwt_extended/__init__.py 4.4.3-1/flask_jwt_extended/__init__.py --- 4.4.2-2/flask_jwt_extended/__init__.py 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/flask_jwt_extended/__init__.py 2022-07-27 21:40:35.000000000 +0000 @@ -19,4 +19,4 @@ from .utils import unset_refresh_cookies from .view_decorators import jwt_required as jwt_required from .view_decorators import verify_jwt_in_request as verify_jwt_in_request -__version__ = "4.4.2" +__version__ = "4.4.3" diff -pruN 4.4.2-2/flask_jwt_extended/internal_utils.py 4.4.3-1/flask_jwt_extended/internal_utils.py --- 4.4.2-2/flask_jwt_extended/internal_utils.py 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/flask_jwt_extended/internal_utils.py 2022-07-27 21:40:35.000000000 +0000 @@ -1,14 +1,17 @@ from typing import Any +from typing import TYPE_CHECKING from flask import current_app -from flask_jwt_extended import JWTManager from flask_jwt_extended.exceptions import RevokedTokenError from flask_jwt_extended.exceptions import UserClaimsVerificationError from flask_jwt_extended.exceptions import WrongTokenError +if TYPE_CHECKING: # pragma: no cover + from flask_jwt_extended import JWTManager -def get_jwt_manager() -> JWTManager: + +def get_jwt_manager() -> "JWTManager": try: return current_app.extensions["flask-jwt-extended"] except KeyError: # pragma: no cover diff -pruN 4.4.2-2/flask_jwt_extended/jwt_manager.py 4.4.3-1/flask_jwt_extended/jwt_manager.py --- 4.4.2-2/flask_jwt_extended/jwt_manager.py 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/flask_jwt_extended/jwt_manager.py 2022-07-27 21:40:35.000000000 +0000 @@ -42,6 +42,7 @@ from flask_jwt_extended.exceptions impor from flask_jwt_extended.tokens import _decode_jwt from flask_jwt_extended.tokens import _encode_jwt from flask_jwt_extended.typing import ExpiresDelta +from flask_jwt_extended.utils import current_user_context_processor class JWTManager(object): @@ -54,7 +55,7 @@ class JWTManager(object): to your app in a factory function. """ - def __init__(self, app: Flask = None) -> None: + def __init__(self, app: Flask = None, add_context_processor: bool = False) -> None: """ Create the JWTManager instance. You can either pass a flask application in directly here to register this extension with the flask app, or @@ -62,6 +63,10 @@ class JWTManager(object): :param app: The Flask Application object + :param add_context_processor: + Controls if `current_user` is should be added to flasks template + context (and thus be available for use in Jinja templates). Defaults + to ``False``. """ # Register the default error handler callback methods. These can be # overridden with the appropriate loader decorators @@ -85,20 +90,27 @@ class JWTManager(object): # Register this extension with the flask app now (if it is provided) if app is not None: - self.init_app(app) + self.init_app(app, add_context_processor) - def init_app(self, app: Flask) -> None: + def init_app(self, app: Flask, add_context_processor: bool = False) -> None: """ Register this extension with the flask app. :param app: The Flask Application object + :param add_context_processor: + Controls if `current_user` is should be added to flasks template + context (and thus be available for use in Jinja templates). Defaults + to ``False``. """ # Save this so we can use it later in the extension if not hasattr(app, "extensions"): # pragma: no cover app.extensions = {} app.extensions["flask-jwt-extended"] = self + if add_context_processor: + app.context_processor(current_user_context_processor) + # Set all the default configurations for this extension self._set_default_configuration_options(app) self._set_error_handler_callbacks(app) diff -pruN 4.4.2-2/flask_jwt_extended/utils.py 4.4.3-1/flask_jwt_extended/utils.py --- 4.4.2-2/flask_jwt_extended/utils.py 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/flask_jwt_extended/utils.py 2022-07-27 21:40:35.000000000 +0000 @@ -11,7 +11,7 @@ from flask_jwt_extended.config import co from flask_jwt_extended.internal_utils import get_jwt_manager # Proxy to access the current user -current_user = LocalProxy(lambda: get_current_user()) +current_user: Any = LocalProxy(lambda: get_current_user()) def get_jwt() -> dict: @@ -456,3 +456,7 @@ def unset_refresh_cookies(response: Resp path=config.refresh_csrf_cookie_path, samesite=config.cookie_samesite, ) + + +def current_user_context_processor() -> Any: + return {"current_user": get_current_user()} diff -pruN 4.4.2-2/flask_jwt_extended/view_decorators.py 4.4.3-1/flask_jwt_extended/view_decorators.py --- 4.4.2-2/flask_jwt_extended/view_decorators.py 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/flask_jwt_extended/view_decorators.py 2022-07-27 21:40:35.000000000 +0000 @@ -85,6 +85,10 @@ def verify_jwt_in_request( if request.method in config.exempt_methods: return None + # Should be impossible to hit, this makes mypy checks happy + if not _request_ctx_stack.top: # pragma: no cover + raise RuntimeError("No _request_ctx_stack.top present, aborting") + try: jwt_data, jwt_header, jwt_location = _decode_jwt_from_request( locations, fresh, refresh=refresh, verify_type=verify_type diff -pruN 4.4.2-2/.github/workflows/coverage.yml 4.4.3-1/.github/workflows/coverage.yml --- 4.4.2-2/.github/workflows/coverage.yml 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/.github/workflows/coverage.yml 2022-07-27 21:40:35.000000000 +0000 @@ -10,9 +10,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python 3.x - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: '3.10' - name: Install Dependencies diff -pruN 4.4.2-2/.github/workflows/documentation.yml 4.4.3-1/.github/workflows/documentation.yml --- 4.4.2-2/.github/workflows/documentation.yml 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/.github/workflows/documentation.yml 2022-07-27 21:40:35.000000000 +0000 @@ -10,9 +10,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python 3.x - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: '3.10' - name: Install Dependencies diff -pruN 4.4.2-2/.github/workflows/lint.yml 4.4.3-1/.github/workflows/lint.yml --- 4.4.2-2/.github/workflows/lint.yml 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/.github/workflows/lint.yml 2022-07-27 21:40:35.000000000 +0000 @@ -10,9 +10,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python 3.x - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: '3.10' - name: Install Dependencies diff -pruN 4.4.2-2/.github/workflows/publish_flask_jwt_extended.yml 4.4.3-1/.github/workflows/publish_flask_jwt_extended.yml --- 4.4.2-2/.github/workflows/publish_flask_jwt_extended.yml 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/.github/workflows/publish_flask_jwt_extended.yml 2022-07-27 21:40:35.000000000 +0000 @@ -13,9 +13,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: '3.x' - name: Install dependencies diff -pruN 4.4.2-2/.github/workflows/type_check.yml 4.4.3-1/.github/workflows/type_check.yml --- 4.4.2-2/.github/workflows/type_check.yml 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/.github/workflows/type_check.yml 2022-07-27 21:40:35.000000000 +0000 @@ -10,12 +10,12 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python: [3.6, 3.7, 3.8, 3.9, '3.10'] + python: [3.7, 3.8, 3.9, '3.10'] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: ${{ matrix.python }} - name: Install Dependencies diff -pruN 4.4.2-2/.github/workflows/unit_tests.yml 4.4.3-1/.github/workflows/unit_tests.yml --- 4.4.2-2/.github/workflows/unit_tests.yml 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/.github/workflows/unit_tests.yml 2022-07-27 21:40:35.000000000 +0000 @@ -10,12 +10,12 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python: [3.6, 3.7, 3.8, 3.9, '3.10', pypy3] + python: [3.7, 3.8, 3.9, '3.10', 'pypy3.9'] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: ${{ matrix.python }} - name: Install Dependencies diff -pruN 4.4.2-2/README.md 4.4.3-1/README.md --- 4.4.2-2/README.md 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/README.md 2022-07-27 21:40:35.000000000 +0000 @@ -52,7 +52,7 @@ tox A subset of checks can also be ran by adding an argument to tox. The available arguments are: -- py36, py37, py38, py39, py310, pypy3 +- py37, py38, py39, py310, pypy3 - Run unit tests on the given python version - mypy - Run mypy type checking diff -pruN 4.4.2-2/setup.py 4.4.3-1/setup.py --- 4.4.2-2/setup.py 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/setup.py 2022-07-27 21:40:35.000000000 +0000 @@ -35,7 +35,7 @@ setup( "typing_extensions>=3.7.4; python_version<'3.8'", # typing.Literal ], extras_require={"asymmetric_crypto": ["cryptography>=3.3.1"]}, - python_requires=">=3.6,<4", + python_requires=">=3.7,<4", classifiers=[ "Development Status :: 5 - Production/Stable", "Environment :: Web Environment", diff -pruN 4.4.2-2/tests/test_add_context_processor.py 4.4.3-1/tests/test_add_context_processor.py --- 4.4.2-2/tests/test_add_context_processor.py 1970-01-01 00:00:00.000000000 +0000 +++ 4.4.3-1/tests/test_add_context_processor.py 2022-07-27 21:40:35.000000000 +0000 @@ -0,0 +1,54 @@ +import pytest +from flask import Flask +from flask import render_template_string + +from flask_jwt_extended import create_access_token +from flask_jwt_extended import jwt_required +from flask_jwt_extended import JWTManager + + +@pytest.fixture(scope="function") +def app(): + app = Flask(__name__) + app.config["JWT_SECRET_KEY"] = "foobarbaz" + + @app.route("/context_current_user", methods=["GET"]) + @jwt_required() + def context_current_user(): + return render_template_string("{{ current_user }}") + + return app + + +def test_add_context_processor(app): + jwt_manager = JWTManager(app, add_context_processor=True) + + @jwt_manager.user_lookup_loader + def user_lookup_callback(_jwt_header, _jwt_data): + return "test_user" + + test_client = app.test_client() + + with app.test_request_context(): + access_token = create_access_token("username") + + access_headers = {"Authorization": "Bearer {}".format(access_token)} + response = test_client.get("/context_current_user", headers=access_headers) + assert response.text == "test_user" + + +def test_no_add_context_processor(app): + jwt_manager = JWTManager(app) + + @jwt_manager.user_lookup_loader + def user_lookup_callback(_jwt_header, _jwt_data): + return "test_user" + + test_client = app.test_client() + + with app.test_request_context(): + access_token = create_access_token("username") + + access_headers = {"Authorization": "Bearer {}".format(access_token)} + response = test_client.get("/context_current_user", headers=access_headers) + assert response.text == "" diff -pruN 4.4.2-2/tox.ini 4.4.3-1/tox.ini --- 4.4.2-2/tox.ini 2022-06-27 17:09:42.000000000 +0000 +++ 4.4.3-1/tox.ini 2022-07-27 21:40:35.000000000 +0000 @@ -4,7 +4,7 @@ # and then run "tox" from this directory. [tox] -envlist = py36,py37,py38,py39,py310,pypy3,mypy,coverage,style,docs +envlist = py37,py38,py39,py310,pypy3.9,mypy,coverage,style,docs [testenv] commands =