U gz]@sddlZddlmZddlmZddlmZddlZddlmZddlmZddlm Z ddlm Z dd lm Z dd lm Z dd lm Z dd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlm Z ddlm!Z!ddlm"Z"ddlm#Z#ddlm$Z$dd lm%Z%dd!lm&Z&dd"lm'Z'dd#lm(Z(dd$lm)Z)dd%l*m+Z+dd&l*m,Z,dd'l-m.Z.dd(l-m/Z/dd)l0m1Z1Gd*d+d+e2Z3dS),N)Any)Callable)Optional)Flask) DecodeError)ExpiredSignatureError)InvalidAudienceError)InvalidIssuerError)InvalidTokenError)MissingRequiredClaimError)config)"default_additional_claims_callback)default_blocklist_callback)default_decode_key_callback)default_encode_key_callback)default_expired_token_callback)default_invalid_token_callback)default_jwt_headers_callback)"default_needs_fresh_token_callback)default_revoked_token_callback)#default_token_verification_callback)*default_token_verification_failed_callback)default_unauthorized_callback)default_user_identity_callback)"default_user_lookup_error_callback) CSRFError)FreshTokenRequired)InvalidHeaderError)InvalidQueryParamError)JWTDecodeError)NoAuthorizationError)RevokedTokenError)UserClaimsVerificationError)UserLookupError)WrongTokenError) _decode_jwt) _encode_jwt) ExpiresDelta)Fresh)current_user_context_processorc@seZdZdZd3eeeddddZd4eeddddZedd d d Z e edd d d Z e e dddZ e e dddZe e dddZe e dddZe e dddZe e dddZe e dddZe e dddZe e ddd Ze e dd!d"Ze e dd#d$Ze e dd%d&Ze e dd'd(Ze e dd)d*Ze e dd+d,Zd5eeeeeed-d.d/Z d6eee!d0d1d2Z"dS)7 JWTManagera& An object used to hold JWT settings and callback functions for the Flask-JWT-Extended extension. Instances of :class:`JWTManager` are *not* bound to specific apps, so you can create one in the main body of your code and then bind it to your app in a factory function. NF)appadd_context_processorreturncCsrt|_t|_t|_t|_t|_ t |_ t |_ t|_t|_t|_t|_t|_d|_t|_t|_|dk rn|||dS)a  Create the JWTManager instance. You can either pass a flask application in directly here to register this extension with the flask app, or call init_app after creating this object (in a factory pattern). :param app: The Flask Application object :param add_context_processor: Controls if `current_user` is should be added to flasks template context (and thus be available for use in Jinja templates). Defaults to ``False``. N)r_decode_key_callbackr_encode_key_callbackr_expired_token_callbackr_invalid_token_callbackr_jwt_additional_header_callbackr_needs_fresh_token_callbackr_revoked_token_callbackr_token_in_blocklist_callbackr_token_verification_callbackr_unauthorized_callbackr _user_claims_callbackr_user_identity_callback_user_lookup_callbackr_user_lookup_error_callbackr#_token_verification_failed_callbackinit_appselfr+r,r@B/tmp/pip-unpacked-wheel-qm6yk1_p/flask_jwt_extended/jwt_manager.py__init__;s$zJWTManager.__init__cCs@t|dsi|_||jd<|r(|t||||dS)aY Register this extension with the flask app. :param app: The Flask Application object :param add_context_processor: Controls if `current_user` is should be added to flasks template context (and thus be available for use in Jinja templates). Defaults to ``False``. extensionszflask-jwt-extendedN)hasattrrCZcontext_processorr)"_set_default_configuration_options_set_error_handler_callbacksr>r@r@rAr=bs    zJWTManager.init_app)r+r-csd|tfdd}|tfdd}|tfdd}|tfdd}|tfd d }|tfd d }|tfd d}|tfdd} |t fdd} |t fdd} |t fdd} |t fdd} |t fdd}|tfdd}|tfdd}|tfdd }dS)!Ncst|SNr7strer?r@rAhandle_csrf_errorzszBJWTManager._set_error_handler_callbacks..handle_csrf_errorcst|SrGr1rIrJrLr@rAhandle_decode_error~szDJWTManager._set_error_handler_callbacks..handle_decode_errorcs|j|jSrG)r0 jwt_headerjwt_datarJrLr@rAhandle_expired_errorszEJWTManager._set_error_handler_callbacks..handle_expired_errorcs|j|jSrG)r3rPrQrJrLr@rAhandle_fresh_token_requiredszLJWTManager._set_error_handler_callbacks..handle_fresh_token_requiredcst|SrGrNrJrLr@rA#handle_missing_required_claim_errorszTJWTManager._set_error_handler_callbacks..handle_missing_required_claim_errorcst|SrGrNrJrLr@rAhandle_invalid_audience_errorszNJWTManager._set_error_handler_callbacks..handle_invalid_audience_errorcst|SrGrNrJrLr@rAhandle_invalid_issuer_errorszLJWTManager._set_error_handler_callbacks..handle_invalid_issuer_errorcst|SrGrNrJrLr@rAhandle_invalid_header_errorszLJWTManager._set_error_handler_callbacks..handle_invalid_header_errorcst|SrGrNrJrLr@rAhandle_invalid_token_errorszKJWTManager._set_error_handler_callbacks..handle_invalid_token_errorcst|SrGrNrJrLr@rAhandle_jwt_decode_errorszHJWTManager._set_error_handler_callbacks..handle_jwt_decode_errorcst|SrGrHrJrLr@rAhandle_auth_errorszBJWTManager._set_error_handler_callbacks..handle_auth_errorcst|SrGrNrJrLr@rA handle_invalid_query_param_errorszQJWTManager._set_error_handler_callbacks..handle_invalid_query_param_errorcs|j|jSrG)r4rPrQrJrLr@rAhandle_revoked_token_errorszKJWTManager._set_error_handler_callbacks..handle_revoked_token_errorcs|j|jSrG)r<rPrQrJrLr@rA handle_failed_token_verificationszQJWTManager._set_error_handler_callbacks..handle_failed_token_verificationcs|j|jSrG)r;rPrQrJrLr@rAhandler_user_lookup_errorszJJWTManager._set_error_handler_callbacks..handler_user_lookup_errorcst|SrGrNrJrLr@rAhandle_wrong_token_errorszIJWTManager._set_error_handler_callbacks..handle_wrong_token_error)Z errorhandlerrrrrr rr rr rr rr!r"r#r$)r?r+rMrOrRrSrTrUrVrWrXrYrZr[r\r]r^r_r@rLrArFys@z'JWTManager._set_error_handler_callbackscCsh|jdtjdd|jdd|jdd|jdd |jd d|jd d |jd d|jdd|jdd|jdd|jdd|jdd|jdd|jdd|jdddddg|jdd|jdd|jd d|jd!d"|jd#d|jd$d|jd%d&|jd'd(|jd)d*|jd+d,|jd-d.|jd/d|jd0d|jd1d2|jd3d4|jd5d6|jd7d|jd8d9|jd:d|jd;d |jd|jd?tjd@dA|jdBd|jdCd|jdDdE|jdFddS)GNZJWT_ACCESS_TOKEN_EXPIRES)minutesZJWT_ACCESS_COOKIE_NAMEZaccess_token_cookieZJWT_ACCESS_COOKIE_PATH/ZJWT_ACCESS_CSRF_COOKIE_NAMEZcsrf_access_tokenZJWT_ACCESS_CSRF_COOKIE_PATHZJWT_ACCESS_CSRF_FIELD_NAMEZ csrf_tokenZJWT_ACCESS_CSRF_HEADER_NAMEz X-CSRF-TOKENZ JWT_ALGORITHMZHS256ZJWT_COOKIE_CSRF_PROTECTTZJWT_COOKIE_DOMAINZJWT_COOKIE_SAMESITEZJWT_COOKIE_SECUREFZJWT_CSRF_CHECK_FORMZJWT_CSRF_IN_COOKIESZJWT_CSRF_METHODSPOSTPUTPATCHDELETEZJWT_DECODE_ALGORITHMSZJWT_DECODE_AUDIENCEZJWT_DECODE_ISSUERZJWT_DECODE_LEEWAYrZJWT_ENCODE_AUDIENCEZJWT_ENCODE_ISSUERZJWT_ERROR_MESSAGE_KEYmsgZJWT_HEADER_NAME AuthorizationZJWT_HEADER_TYPEZBearerZJWT_IDENTITY_CLAIMsubZ JWT_JSON_KEYZ access_tokenZJWT_PRIVATE_KEYZJWT_PUBLIC_KEYZJWT_QUERY_STRING_NAMEjwtZJWT_QUERY_STRING_VALUE_PREFIXZJWT_REFRESH_COOKIE_NAMEZrefresh_token_cookieZJWT_REFRESH_COOKIE_PATHZJWT_REFRESH_CSRF_COOKIE_NAMEZcsrf_refresh_tokenZJWT_REFRESH_CSRF_COOKIE_PATHZJWT_REFRESH_CSRF_FIELD_NAMEZJWT_REFRESH_CSRF_HEADER_NAMEZJWT_REFRESH_JSON_KEYZ refresh_tokenZJWT_REFRESH_TOKEN_EXPIRES)daysZJWT_SECRET_KEYZJWT_SESSION_COOKIEZJWT_TOKEN_LOCATION)headersZJWT_ENCODE_NBF)r setdefaultdatetime timedelta)r+r@r@rArEsZ z-JWTManager._set_default_configuration_options)callbackr-cCs ||_|S)aF This decorator sets the callback function used to add additional claims when creating a JWT. The claims returned by this function will be merged with any claims passed in via the ``additional_claims`` argument to :func:`~flask_jwt_extended.create_access_token` or :func:`~flask_jwt_extended.create_refresh_token`. The decorated function must take **one** argument. The argument is the identity that was used when creating a JWT. The decorated function must return a dictionary of claims to add to the JWT. )r8r?rrr@r@rAadditional_claims_loadersz#JWTManager.additional_claims_loadercCs ||_|S)aK This decorator sets the callback function used to add additional headers when creating a JWT. The headers returned by this function will be merged with any headers passed in via the ``additional_headers`` argument to :func:`~flask_jwt_extended.create_access_token` or :func:`~flask_jwt_extended.create_refresh_token`. The decorated function must take **one** argument. The argument is the identity that was used when creating a JWT. The decorated function must return a dictionary of headers to add to the JWT. )r2rsr@r@rAadditional_headers_loadersz$JWTManager.additional_headers_loadercCs ||_|S)a This decorator sets the callback function for dynamically setting the JWT decode key based on the **UNVERIFIED** contents of the token. Think carefully before using this functionality, in most cases you probably don't need it. The decorated function must take **two** arguments. The first argument is a dictionary containing the header data of the unverified JWT. The second argument is a dictionary containing the payload data of the unverified JWT. The decorated function must return a *string* that is used to decode and verify the token. )r.rsr@r@rAdecode_key_loader szJWTManager.decode_key_loadercCs ||_|S)a This decorator sets the callback function for dynamically setting the JWT encode key based on the tokens identity. Think carefully before using this functionality, in most cases you probably don't need it. The decorated function must take **one** argument. The argument is the identity used to create this JWT. The decorated function must return a *string* which is the secrete key used to encode the JWT. )r/rsr@r@rAencode_key_loader s zJWTManager.encode_key_loadercCs ||_|S)a This decorator sets the callback function for returning a custom response when an expired JWT is encountered. The decorated function must take **two** arguments. The first argument is a dictionary containing the header data of the JWT. The second argument is a dictionary containing the payload data of the JWT. The decorated function must return a Flask Response. )r0rsr@r@rAexpired_token_loader0s zJWTManager.expired_token_loadercCs ||_|S)a This decorator sets the callback function for returning a custom response when an invalid JWT is encountered. This decorator sets the callback function that will be used if an invalid JWT attempts to access a protected endpoint. The decorated function must take **one** argument. The argument is a string which contains the reason why a token is invalid. The decorated function must return a Flask Response. )r1rsr@r@rAinvalid_token_loader@szJWTManager.invalid_token_loadercCs ||_|S)a This decorator sets the callback function for returning a custom response when a valid and non-fresh token is used on an endpoint that is marked as ``fresh=True``. The decorated function must take **two** arguments. The first argument is a dictionary containing the header data of the JWT. The second argument is a dictionary containing the payload data of the JWT. The decorated function must return a Flask Response. )r3rsr@r@rAneeds_fresh_token_loaderQsz#JWTManager.needs_fresh_token_loadercCs ||_|S)a This decorator sets the callback function for returning a custom response when a revoked token is encountered. The decorated function must take **two** arguments. The first argument is a dictionary containing the header data of the JWT. The second argument is a dictionary containing the payload data of the JWT. The decorated function must return a Flask Response. )r4rsr@r@rArevoked_token_loaderbs zJWTManager.revoked_token_loadercCs ||_|S)a This decorator sets the callback function used to check if a JWT has been revoked. The decorated function must take **two** arguments. The first argument is a dictionary containing the header data of the JWT. The second argument is a dictionary containing the payload data of the JWT. The decorated function must be return ``True`` if the token has been revoked, ``False`` otherwise. )r5rsr@r@rAtoken_in_blocklist_loaderrsz$JWTManager.token_in_blocklist_loadercCs ||_|S)a This decorator sets the callback function used to return a custom response when the claims verification check fails. The decorated function must take **two** arguments. The first argument is a dictionary containing the header data of the JWT. The second argument is a dictionary containing the payload data of the JWT. The decorated function must return a Flask Response. )r<rsr@r@rA token_verification_failed_loaders z+JWTManager.token_verification_failed_loadercCs ||_|S)a This decorator sets the callback function used for custom verification of a valid JWT. The decorated function must take **two** arguments. The first argument is a dictionary containing the header data of the JWT. The second argument is a dictionary containing the payload data of the JWT. The decorated function must return ``True`` if the token is valid, or ``False`` otherwise. )r6rsr@r@rAtoken_verification_loadersz$JWTManager.token_verification_loadercCs ||_|S)aF This decorator sets the callback function used to return a custom response when no JWT is present. The decorated function must take **one** argument. The argument is a string that explains why the JWT could not be found. The decorated function must return a Flask Response. )r7rsr@r@rAunauthorized_loaders zJWTManager.unauthorized_loadercCs ||_|S)a This decorator sets the callback function used to convert an identity to a JSON serializable format when creating JWTs. This is useful for using objects (such as SQLAlchemy instances) as the identity when creating your tokens. The decorated function must take **one** argument. The argument is the identity that was used when creating a JWT. The decorated function must return JSON serializable data. )r9rsr@r@rAuser_identity_loaders zJWTManager.user_identity_loadercCs ||_|S)a This decorator sets the callback function used to convert a JWT into a python object that can be used in a protected endpoint. This is useful for automatically loading a SQLAlchemy instance based on the contents of the JWT. The object returned from this function can be accessed via :attr:`~flask_jwt_extended.current_user` or :meth:`~flask_jwt_extended.get_current_user` The decorated function must take **two** arguments. The first argument is a dictionary containing the header data of the JWT. The second argument is a dictionary containing the payload data of the JWT. The decorated function can return any python object, which can then be accessed in a protected endpoint. If an object cannot be loaded, for example if a user has been deleted from your database, ``None`` must be returned to indicate that an error occurred loading the user. )r:rsr@r@rAuser_lookup_loaderszJWTManager.user_lookup_loadercCs ||_|S)a This decorator sets the callback function used to return a custom response when loading a user via :meth:`~flask_jwt_extended.JWTManager.user_lookup_loader` fails. The decorated function must take **two** arguments. The first argument is a dictionary containing the header data of the JWT. The second argument is a dictionary containing the payload data of the JWT. The decorated function must return a Flask Response. )r;rsr@r@rAuser_lookup_error_loadersz#JWTManager.user_lookup_error_loader)identity token_typefresh expires_deltar-c Cs||}|dk r||||}|dk r8|||dkrV|dkrPtj}ntj}ttjtj|tj |||| |tj tj tj |||tjdS)Naccess) algorithmaudienceclaim_overridesZcsrfrrheader_overridesridentity_claim_keyissuer json_encodersecretrZnbf)r2updater8r Zaccess_expiresZrefresh_expiresr&rZencode_audienceZcookie_csrf_protectr9rZ encode_issuerrr/Z encode_nbf) r?rrZclaimsrrrnrrr@r@rA_encode_jwt_from_configs4    z"JWTManager._encode_jwt_from_config) encoded_token allow_expiredr-c Cstj|tjddid}t|}|||}tjtj||tjtjtj |tjdk d }zt f|d|iWSt k r}z ||_ t f|ddi|_ W5d}~XYnXdS)NZverify_signatureF) algorithmsoptions) rr csrf_valuerrrleewayrZ verify_audrT)rjdecoder Zdecode_algorithmsZget_unverified_headerr.Zdecode_audiencerZ decode_issuerrr%rrPrQ) r?rrrZunverified_claimsZunverified_headersrkwargsrKr@r@rA_decode_jwt_from_configs.   z"JWTManager._decode_jwt_from_config)NF)F)NFNN)NF)#__name__ __module__ __qualname____doc__rrboolrBr=rF staticmethodrErrtrurvrwrxryrzr{r|r}r~rrrrrrIr(r'rdictrr@r@r@rAr*1sZ  'A. )r*)4rptypingrrrrjZflaskrrrrr r r Zflask_jwt_extended.configr Z$flask_jwt_extended.default_callbacksr rrrrrrrrrrrrrZflask_jwt_extended.exceptionsrrrrrr r!r"r#r$Zflask_jwt_extended.tokensr%r&Zflask_jwt_extended.typingr'r(Zflask_jwt_extended.utilsr)objectr*r@r@r@rAsT