在 Flask 中刷新 JWT returns "Only access tokens are allowed"
Refreshing JWT in Flask returns "Only access tokens are allowed"
我在刷新 JWT 令牌时遇到一个奇怪的问题,我似乎无法找到在线解决方案。
我的简单登录方法:
@app.route("/api/login", methods=['POST'])
def app_login():
json = request.json
form = AppLoginForm.from_json(json)
password = json.get('password')
mobile = cleanup(json.get('mobile'))
user_found = User.query.filter(and_(User.mobile == mobile, or_(User.user_type == UserType.dashboard_user.value, User.user_type == UserType.end_user.value, User.user_type == UserType.dashboard_and_end_user.value))).first()
if user_found: #found
if bc.check_password_hash(user_found.password, password):
access_token = create_access_token(identity=user_found.mobile)
refresh_token = create_refresh_token(identity=user_found.mobile)
return send_response(True, None, { "access_token":access_token,"refresh_token":refresh_token }, 200)
else:
return send_response(False,[messages.WRONG_PASS], None, 406, {"case": UserLoginMeta.wrong_password.value})
我刷新JWT令牌的简单方法:
@app.route('/api/refresh', methods=['POST'])
@jwt_refresh_token_required
def refresh_token():
''' refresh token endpoint '''
current_user = get_jwt_identity()
return send_response(True,None, [{ "access_token":create_access_token(identity=current_user)}])
使用刷新令牌以正常方式调用它失败,使用访问令牌调用它也失败:
发送访问令牌 -> 给出 {"msg":"Only refresh tokens are allowed"}
curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MTAzNDczNDksIm5iZiI6MTYxMDM0NzM0OSwianRpIjoiODk4YjU1YmQtZjQzOS00OTE4LTkzZWQtN2UwMDNlZmEyM2M0IiwiZXhwIjoxNjEwNzc5MzQ5LCJpZGVudGl0eSI6Ijk2NjU0MTgyMjY3OSIsImZyZXNoIjpmYWxzZSwidHlwZSI6ImFjY2VzcyIsInVzZXJfY2xhaW1zIjp7ImlkZW50aXR5IjoiOTY2NTQxODIyNjc5IiwiZGV2aWNlIjp7ImlkIjoxMDk3NCwiSU1FSTEiOiIzNTI3MTQ0ODAxMjU2NzMiLCJJTUVJMiI6IjM1MjcxNDQ4MDE3NzY3NCIsInVuaXF1ZV9kZXZpY2VfaWQiOiJEZXNlcnQyMDAwMDAwMTY2In0sIndhcnJhbnR5Ijp7ImlkIjoyNjgsInNlcmlhbF9udW1iZXIiOiJXLTI3MzciLCJzdGF0dXMiOjIsInN0YXR1c190ZXh0IjoiQWN0aXZlIiwiZXhwaXJ5X2RhdGUiOiIyMDIzLzAxLzA2IiwibW9udGhzX2xlZnQiOjI0LCJkYXlzX2xlZnQiOjV9LCJhem9tX2NhcmUiOm51bGwsInVzZXIiOnsiaWQiOjM5OSwibW9iaWxlIjoiOTY2NTQxODIyNjc5IiwiZW1haWwiOiJhLm5hd2FmQGF6b210ZWNoLmNvbSIsImZpcnN0X25hbWUiOiJBYmVlciIsImxhc3RfbmFtZSI6Ik5hd2FmIn19fQ.PkFwQfIwStFkt3pCkZK919H203rDpLOD-96kcNEcRHw" -X POST http://localhost:5000/api/refresh
发送刷新令牌 -> 给出 {"msg":"Only access tokens are allowed"}
curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MTAzNDczNDksIm5iZiI6MTYxMDM0NzM0OSwianRpIjoiNDQxNzViNDYtNDZmZi00ZDUxLThmYzQtZTYwNjY4ZDlmNTU1IiwiZXhwIjoxNjEyOTM5MzQ5LCJpZGVudGl0eSI6Ijk2NjU0MTgyMjY3OSIsInR5cGUiOiJyZWZyZXNoIn0.VdevyrbAJL78TwNrPIPlWnyiB3swCtbg9cLwCMvmU8w" -X POST http://localhost:5000/api/refresh
这是为什么?
找到原因了。
我在 @app.before_request 上实现了一个处理程序方法,但我的逻辑被破坏了,它覆盖了刷新令牌的正常行为。
我去掉后,还可以
我在刷新 JWT 令牌时遇到一个奇怪的问题,我似乎无法找到在线解决方案。
我的简单登录方法:
@app.route("/api/login", methods=['POST'])
def app_login():
json = request.json
form = AppLoginForm.from_json(json)
password = json.get('password')
mobile = cleanup(json.get('mobile'))
user_found = User.query.filter(and_(User.mobile == mobile, or_(User.user_type == UserType.dashboard_user.value, User.user_type == UserType.end_user.value, User.user_type == UserType.dashboard_and_end_user.value))).first()
if user_found: #found
if bc.check_password_hash(user_found.password, password):
access_token = create_access_token(identity=user_found.mobile)
refresh_token = create_refresh_token(identity=user_found.mobile)
return send_response(True, None, { "access_token":access_token,"refresh_token":refresh_token }, 200)
else:
return send_response(False,[messages.WRONG_PASS], None, 406, {"case": UserLoginMeta.wrong_password.value})
我刷新JWT令牌的简单方法:
@app.route('/api/refresh', methods=['POST'])
@jwt_refresh_token_required
def refresh_token():
''' refresh token endpoint '''
current_user = get_jwt_identity()
return send_response(True,None, [{ "access_token":create_access_token(identity=current_user)}])
使用刷新令牌以正常方式调用它失败,使用访问令牌调用它也失败:
发送访问令牌 -> 给出 {"msg":"Only refresh tokens are allowed"}
curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MTAzNDczNDksIm5iZiI6MTYxMDM0NzM0OSwianRpIjoiODk4YjU1YmQtZjQzOS00OTE4LTkzZWQtN2UwMDNlZmEyM2M0IiwiZXhwIjoxNjEwNzc5MzQ5LCJpZGVudGl0eSI6Ijk2NjU0MTgyMjY3OSIsImZyZXNoIjpmYWxzZSwidHlwZSI6ImFjY2VzcyIsInVzZXJfY2xhaW1zIjp7ImlkZW50aXR5IjoiOTY2NTQxODIyNjc5IiwiZGV2aWNlIjp7ImlkIjoxMDk3NCwiSU1FSTEiOiIzNTI3MTQ0ODAxMjU2NzMiLCJJTUVJMiI6IjM1MjcxNDQ4MDE3NzY3NCIsInVuaXF1ZV9kZXZpY2VfaWQiOiJEZXNlcnQyMDAwMDAwMTY2In0sIndhcnJhbnR5Ijp7ImlkIjoyNjgsInNlcmlhbF9udW1iZXIiOiJXLTI3MzciLCJzdGF0dXMiOjIsInN0YXR1c190ZXh0IjoiQWN0aXZlIiwiZXhwaXJ5X2RhdGUiOiIyMDIzLzAxLzA2IiwibW9udGhzX2xlZnQiOjI0LCJkYXlzX2xlZnQiOjV9LCJhem9tX2NhcmUiOm51bGwsInVzZXIiOnsiaWQiOjM5OSwibW9iaWxlIjoiOTY2NTQxODIyNjc5IiwiZW1haWwiOiJhLm5hd2FmQGF6b210ZWNoLmNvbSIsImZpcnN0X25hbWUiOiJBYmVlciIsImxhc3RfbmFtZSI6Ik5hd2FmIn19fQ.PkFwQfIwStFkt3pCkZK919H203rDpLOD-96kcNEcRHw" -X POST http://localhost:5000/api/refresh
发送刷新令牌 -> 给出 {"msg":"Only access tokens are allowed"}
curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MTAzNDczNDksIm5iZiI6MTYxMDM0NzM0OSwianRpIjoiNDQxNzViNDYtNDZmZi00ZDUxLThmYzQtZTYwNjY4ZDlmNTU1IiwiZXhwIjoxNjEyOTM5MzQ5LCJpZGVudGl0eSI6Ijk2NjU0MTgyMjY3OSIsInR5cGUiOiJyZWZyZXNoIn0.VdevyrbAJL78TwNrPIPlWnyiB3swCtbg9cLwCMvmU8w" -X POST http://localhost:5000/api/refresh
这是为什么?
找到原因了。
我在 @app.before_request 上实现了一个处理程序方法,但我的逻辑被破坏了,它覆盖了刷新令牌的正常行为。
我去掉后,还可以