python - Flask-jwt-extended:装饰器 @jwt.token_in_blacklist_loader 始终撤销 token

Question

在我的 app.py 中，我初始化了flask-jwt-extended，如下所示:

# Setup the Flask-JWT-Extended extension
app.config['RESTPLUS_MASK_SWAGGER'] = False # remove default X-Fields field in swagger
app.config['JWT_SECRET_KEY'] = 'super-secret'  # Change this!
app.config['JWT_BLACKLIST_ENABLED'] = True
app.config['JWT_BLACKLIST_TOKEN_CHECKS'] = ['access', 'refresh']
jwt = JWTManager(app)

然后我在登录中使用代码片段创建 token :

            expires = datetime.timedelta(minutes=10)
            access_token = create_access_token(identity=payload['email'], fresh=True, expires_delta=expires)
            refresh_token = create_refresh_token(identity=payload['email'])

奇怪的是，如果我将装饰器 @jwt.token_in_blacklist_loader 添加到某个端点，我总是收到“ token 已被撤销”错误消息。

@jwt.token_in_blacklist_loader
@api.route('/')
class UserList(Resource):
    @jwt_required
    @api.doc('list_users')
    @api.marshal_list_with(user)
    def get(self):
        '''Get all users'''
        users = UserApi.query.all()
        return users

据我所知，这个装饰器是检查 token 是否被列入黑名单，而我只是从登录中创建一个新 token ，创建新 token 并检查 token 是否被列入黑名单的最佳实践是什么？

Answer 1

摘自flask-jwt-extended的文档:

This decorator sets the callback function that will be called when a protected endpoint is accessed and will check if the JWT has been been revoked. By default, this callback is not used.

HINT: The callback must be a function that takes one argument, which is the decoded JWT (python dictionary), and returns True if the token has been blacklisted (or is otherwise considered revoked), or False otherwise.

token_in_blacklist_loader 装饰器用于在访问 protected 端点时设置回调函数。您应该在检查您的 token 是否被列入黑名单的函数上使用此装饰器。使用内存保存黑名单 token 的简单示例:

blacklist = set()
@jwt.token_in_blacklist_loader
def check_if_token_in_blacklist(decrypted_token):
    jti = decrypted_token['jti']
    return jti in blacklist

有关更多信息，请查看此处的示例:https://flask-jwt-extended.readthedocs.io/en/stable/blacklist_and_token_revoking/