Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Invalid JWT errors not thrown for decorated optional routes

See original GitHub issue

I’m migrating from flask-jwt and make extensive use of decorated required and optional routes. My tests also have extensive coverage for invalid JWT cases. I’ve confirmed that invalid JWTs are handled correctly for jwt_required() routes, but not fully for jwt_required(optional=True) routes. Note that I use “JWT” as my prefix instead of “Bearer”. I’ve also seen that flask-jwt-extended test cases do not cover these types of cases for optional routes.

Specifically these routes are allowed access for these invalid tokens. It is obviously important that any type of error for a submitted token (in any location) is rejected even when it is optional.

"JWT "
“JWT xxxx”
“JWT xxxx xxxx”
“JXX”

Issue Analytics

State:
Created 2 years ago
Comments:14 (14 by maintainers)

Top GitHub Comments

1reaction

vimalloccommented, May 2, 2021

I opted to tread Authorization: Bearer as an error like you originally suggested, as well as fixed up the other error cases we discussed.

I also added a JWT_QUERY_STRING_VALUE_PREFIX option that should allow you to support query strings the way you want to.

Both of these have been released in v4.2.0!

1reaction

vimalloc-mavenlinkcommented, Apr 30, 2021

So in a query string param does it expect jwt=“JWT token string” or jwt=“token string”? In my code I’ve used authorization=“JWT token string”. Do you support my approach via some config?

Currently no, it only supports <key>=<token>, but I have no problem adding a configuration option that would make something like <key>=<type> <token> work. There are a couple other PRs in the pipeline already, so I could probably add it sometime this weekend and get a new release cut.

Note that the Authorization header is not null, it is the valid string "JWT ". This is why I think it should be parsed and rejected because no JWT token is actually specified for authorization.

I can see the argument for that. Let me consider it and I’ll figure out exactly what I want to do while working on the other enhancements this weekend.

Cheers 👍