Basic Usage

In its simplest form, there is not much to using quart_jwt_extended. You use create_access_token() to make new access JWTs, the jwt_required() decorator to protect endpoints, and the get_jwt_identity() function to get the identity of the JWT presented to a protected endpoint.
    from quart import Quart, jsonify, request
    from quart_jwt_extended import (
        JWTManager,
        jwt_required,
        create_access_token,
        get_jwt_identity,
    )

    app = Quart(__name__)

    # Setup the Quart-JWT-Extended extension
    app.config["JWT_SECRET_KEY"] = "super-secret"  # Change this!
    jwt = JWTManager(app)


    # Provide a method to create access tokens. The create_access_token()
    # function is used to actually generate the token, and you can return
    # it to the caller however you choose.
    @app.route("/login", methods=["POST"])
    async def login():
        if not request.is_json:
            return {"msg": "Missing JSON in request"}, 400

        username = (await request.get_json()).get("username", None)
        password = (await request.get_json()).get("password", None)
        if not username:
            return {"msg": "Missing username parameter"}, 400
        if not password:
            return {"msg": "Missing password parameter"}, 400

        if username != "test" or password != "test":
            return {"msg": "Bad username or password"}, 401

        # Identity can be any data that is json serializable
        access_token = create_access_token(identity=username)
        return dict(access_token=access_token), 200


    # Protect a view with jwt_required, which requires a valid access token
    # in the request to access.
    @app.route("/protected", methods=["GET"])
    @jwt_required
    async def protected():
        # Access the identity of the current user with get_jwt_identity
        current_user = get_jwt_identity()
        return dict(logged_in_as=current_user), 200


    if __name__ == "__main__":
        app.run()
To access a jwt_required protected view, all we have to do is send the JWT with the request. By default, this is done with an Authorization header that looks like:

    Authorization: Bearer <access_token>

We can see this in action using curl:

    $ curl http://localhost:5000/protected
    {
      "msg": "Missing Authorization Header"
    }

    $ curl -H "Content-Type: application/json" -X POST \
      -d '{"username":"test","password":"test"}' http://localhost:5000/login
    {
      "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6dHJ1ZSwianRpIjoiZjhmNDlmMjUtNTQ4OS00NmRjLTkyOWUtZTU2Y2QxOGZhNzRlIiwidXNlcl9jbGFpbXMiOnt9LCJuYmYiOjE0NzQ0NzQ3OTEsImlhdCI6MTQ3NDQ3NDc5MSwiaWRlbnRpdHkiOiJ0ZXN0IiwiZXhwIjoxNDc0NDc1NjkxLCJ0eXBlIjoiYWNjZXNzIn0.vCy0Sec61i9prcGIRRCbG8e9NV6_wFH2ICFgUGCLKpc"
    }

    $ export ACCESS="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6dHJ1ZSwianRpIjoiZjhmNDlmMjUtNTQ4OS00NmRjLTkyOWUtZTU2Y2QxOGZhNzRlIiwidXNlcl9jbGFpbXMiOnt9LCJuYmYiOjE0NzQ0NzQ3OTEsImlhdCI6MTQ3NDQ3NDc5MSwiaWRlbnRpdHkiOiJ0ZXN0IiwiZXhwIjoxNDc0NDc1NjkxLCJ0eXBlIjoiYWNjZXNzIn0.vCy0Sec61i9prcGIRRCbG8e9NV6_wFH2ICFgUGCLKpc"
    $ curl -H "Authorization: Bearer $ACCESS" http://localhost:5000/protected
    {
      "logged_in_as": "test"
    }
NOTE: Remember to change the secret key of your application, and ensure that no one is able to view it. The JSON Web Tokens are signed with the secret key, so if someone gets that, they can create arbitrary tokens, and in essence log in as any user.
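To make concrete what the Bearer header carries and why the secret key matters, here is an added, stand-alone illustration (not code from quart_jwt_extended) that mints an HS256 token with the same claim set as the token shown above and then checks it the way a protected endpoint must: algorithm pinned, signature verified with a constant-time comparison, token type and expiry checked. Function names mirror the library's but are a hypothetical stdlib-only sketch of the idea, not its implementation.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_access_token(identity, secret, expires_in=900, now=None):
    # Same claim set as the page's decoded token; there, exp - iat is also 900 seconds.
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"fresh": True, "jti": str(uuid.uuid4()), "user_claims": {}, "nbf": now,
               "iat": now, "identity": identity, "exp": now + expires_in, "type": "access"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def get_jwt_identity(auth_header, secret, now=None):
    """Return (identity, None) on success, or (None, reason) when the request is rejected."""
    now = int(time.time()) if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return None, "Missing Authorization Header"
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None, "Not enough segments"
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad base64 or bad JSON
        return None, "Invalid token"
    # Pin the algorithm server-side; the token's own header must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "Unsupported algorithm"
    expected = hmac.new(secret.encode(), (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None, "Signature verification failed"
    if not isinstance(payload, dict) or payload.get("type") != "access":
        return None, "Only access tokens are allowed"
    if now >= payload.get("exp", 0):
        return None, "Token has expired"
    return payload.get("identity"), None
```

Because the signature is the only thing binding the identity claim to your server, anyone holding JWT_SECRET_KEY can produce a token that passes every check here, which is exactly what the note above warns about.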