Partially protecting routes

There may be cases where you want to use one endpoint for both protected and unprotected data. In these situations, you can use the jwt_optional() decorator. This will allow the endpoint to be accessed regardless of if a JWT is sent in with the request. If a JWT that is expired or badly constructed is sent in with the request, an error will be returned instead of calling the protected endpoint as if no token was present in the request.

from quart import Quart, jsonify, request
from quart_jwt_extended import (
    JWTManager,
    jwt_optional,
    create_access_token,
    get_jwt_identity,
)

app = Quart(__name__)

# Setup the Quart-JWT-Extended extension
app.config["JWT_SECRET_KEY"] = "super-secret"  # Change this!
jwt = JWTManager(app)


@app.route("/login", methods=["POST"])
async def login():
    username = (await request.get_json()).get("username", None)
    password = (await request.get_json()).get("password", None)
    if not username:
        return {"msg": "Missing username parameter"}, 400
    if not password:
        return {"msg": "Missing password parameter"}, 400

    if username != "test" or password != "test":
        return {"msg": "Bad username or password"}, 401

    access_token = create_access_token(identity=username)
    return dict(access_token=access_token), 200


@app.route("/partially-protected", methods=["GET"])
@jwt_optional
async def partially_protected():
    # If no JWT is sent in with the request, get_jwt_identity()
    # will return None
    current_user = get_jwt_identity()
    if current_user:
        return dict(logged_in_as=current_user), 200
    else:
        return dict(logged_in_as="anonymous user"), 200


if __name__ == "__main__":
    app.run()