flask_praetorian package¶
Submodules¶
flask_praetorian.base module¶
-
class
flask_praetorian.base.
Praetorian
(app=None, user_class=None, is_blacklisted=None, encode_jwt_token_hook=None, refresh_jwt_token_hook=None)¶ Bases:
object
Comprises the implementation for the flask-praetorian flask extension. Provides a tool that allows password authentication and token provision for applications and designated endpoints
-
authenticate
(username, password)¶ Verifies that a password matches the stored password for that username. If verification passes, the matching user instance is returned
-
encode_eternal_jwt_token
(user, **custom_claims)¶ This utility function encodes a jwt token that never expires
Note
This should be used sparingly since the token could become a security concern if it is ever lost. If you use this method, you should be sure that your application also implements a blacklist so that a given token can be blocked should it be lost or become a security concern
-
encode_jwt_token
(user, override_access_lifespan=None, override_refresh_lifespan=None, bypass_user_check=False, is_registration_token=False, is_reset_token=False, **custom_claims)¶ Encodes user data into a jwt token that can be used for authorization at protected endpoints
Param: override_access_lifespan: Override’s the instance’s access lifespan to set a custom duration after which the new token’s accessability will expire. May not exceed the refresh_lifespan Param: override_refresh_lifespan: Override’s the instance’s refresh lifespan to set a custom duration after which the new token’s refreshability will expire. Param: bypass_user_check: Override checking the user for being real/active. Used for registration token generation. Param: is_registration_token: Indicates that the token will be used only for email-based registration Param: custom_claims: Additional claims that should be packed in the payload. Note that any claims supplied here must be JSON compatible types
-
encrypt_password
(raw_password)¶ - NOTE This should be deprecated as its an incorrect definition for
- what is actually being done – we are hashing, not encrypting
-
error_handler
(error)¶ Provides a flask error handler that is used for PraetorianErrors (and derived exceptions).
-
extract_jwt_token
(token, access_type=<AccessType.access: 'ACCESS'>)¶ Extracts a data dictionary from a jwt token
-
get_user_from_registration_token
(token)¶ Gets a user based on the registration token that is supplied. Verifies that the token is a regisration token and that the user can be properly retrieved
-
hash_password
(raw_password)¶ Hashes a plaintext password using the stored passlib password context
-
init_app
(app=None, user_class=None, is_blacklisted=None, encode_jwt_token_hook=None, refresh_jwt_token_hook=None)¶ Initializes the Praetorian extension
Param: app: The flask app to bind this extension to
Param: user_class: The class used to interact with user data
Param: is_blacklisted: A method that may optionally be used to check the token against a blacklist when access or refresh is requested should take the jti for the token to check as a single argument. Returns True if the jti is blacklisted, False otherwise. By default, always returns False.
Parameters: - encode_jwt_token_hook – A method that may optionally be called right before an encoded jwt is generated. Should take payload_parts which contains the ingredients for the jwt.
- refresh_jwt_token_hook – A method that may optionally be called right before an encoded jwt is refreshed. Should take payload_parts which contains the ingredients for the jwt.
-
pack_header_for_user
(user, override_access_lifespan=None, override_refresh_lifespan=None, **custom_claims)¶ Encodes a jwt token and packages it into a header dict for a given user
Param: user: The user to package the header for Param: override_access_lifespan: Override’s the instance’s access lifespan to set a custom duration after which the new token’s accessability will expire. May not exceed the refresh_lifespan Param: override_refresh_lifespan: Override’s the instance’s refresh lifespan to set a custom duration after which the new token’s refreshability will expire. Param: custom_claims: Additional claims that should be packed in the payload. Note that any claims supplied here must be JSON compatible types
-
read_token
()¶ Tries to unpack the token from the current flask request in the locations configured by JWT_PLACES. Check-Order is defined by the value order in JWT_PLACES.
Unpacks a jwt token from the current flask request
-
read_token_from_header
()¶ Unpacks a jwt token from the current flask request
-
refresh_jwt_token
(token, override_access_lifespan=None)¶ Creates a new token for a user if and only if the old token’s access permission is expired but its refresh permission is not yet expired. The new token’s refresh expiration moment is the same as the old token’s, but the new token’s access expiration is refreshed
Param: token: The existing jwt token that needs to be replaced with a new, refreshed token Param: override_access_lifespan: Override’s the instance’s access lifespan to set a custom duration after which the new token’s accessability will expire. May not exceed the refresh lifespan
-
send_registration_email
(email, user=None, template=None, confirmation_sender=None, confirmation_uri=None, subject=None, override_access_lifespan=None)¶ - Sends a registration email to a new user, containing a time expiring
- token usable for validation. This requires your application is initialized with a mail extension, which supports Flask-Mail’s Message() object and a send() method.
- Returns a dict containing the information sent, along with the
- result from mail send.
Param: user: The user object to tie claim to (username, id, email, etc) Param: template: HTML Template for confirmation email. If not provided, a stock entry is used Param: confirmation_sender: The sender that shoudl be attached to the confirmation email. Overrides the PRAETORIAN_CONFIRMATION_SENDER config setting Param: confirmation_uri: The uri that should be visited to complete email registration. Should usually be a uri to a frontend or external service that calls a ‘finalize’ method in the api to complete registration. Will override the PRAETORIAN_CONFIRMATION_URI config setting Param: subject: The registration email subject. Will override the PRAETORIAN_CONFIRMATION_SUBJECT config setting. Param: override_access_lifespan: Overrides the JWT_ACCESS_LIFESPAN to set an access lifespan for the registration token.
-
send_reset_email
(email, template=None, reset_sender=None, reset_uri=None, subject=None, override_access_lifespan=None)¶ - Sends a password reset email to a user, containing a time expiring
- token usable for validation. This requires your application is initialized with a mail extension, which supports Flask-Mail’s Message() object and a send() method.
- Returns a dict containing the information sent, along with the
- result from mail send.
Param: email: The email address to attempt to send to Param: template: HTML Template for reset email. If not provided, a stock entry is used Param: confirmation_sender: The sender that shoudl be attached to the reset email. Overrides the PRAETORIAN_RESET_SENDER config setting Param: confirmation_uri: The uri that should be visited to complete password reset. Should usually be a uri to a frontend or external service that calls the ‘validate_reset_token()’ method in the api to complete reset. Will override the PRAETORIAN_RESET_URI config setting Param: subject: The reset email subject. Will override the PRAETORIAN_RESET_SUBJECT config setting. Param: override_access_lifespan: Overrides the JWT_ACCESS_LIFESPAN to set an access lifespan for the registration token.
-
send_token_email
(email, user=None, template=None, action_sender=None, action_uri=None, subject=None, override_access_lifespan=None, custom_token=None)¶ - Sends an email to a user, containing a time expiring
- token usable for several actions. This requires your application is initialized with a mail extension, which supports Flask-Mail’s Message() object and a send() method.
- Returns a dict containing the information sent, along with the
- result from mail send.
Param: email: The email address to use (username, id, email, etc) Param: user: The user object to tie claim to (username, id, email, etc) Param: template: HTML Template for confirmation email. If not provided, a stock entry is used Param: action_sender: The sender that should be attached to the confirmation email. Param: action_uri: The uri that should be visited to complete the token action. Param: subject: The email subject. Param: override_access_lifespan: Overrides the JWT_ACCESS_LIFESPAN to set an access lifespan for the registration token. Param: custom_token: The token to be carried as the email’s payload
-
validate_reset_token
(token)¶ Validates a password reset request based on the reset token that is supplied. Verifies that the token is a reset token and that the user can be properly retrieved
-
verify_and_update
(user=None, password=None)¶ - Validate a password hash contained in the user object is
- hashed with the defined hash scheme (PRAETORIAN_HASH_SCHEME).
- If not, raise an Exception of LegacySchema, unless the
- password arguement is provided, in which case an attempt to call user.save() will be made, updating the hashed password to the currently desired hash scheme (PRAETORIAN_HASH_SCHEME).
Param: user: The user object to tie claim to (username, id, email, etc). MUST include the hashed password field, defined as user.password
Param: password: The user’s provide password from login. If present, this is used to validate
and then attempt to update with the new PRAETORIAN_HASH_SCHEME scheme.
-
flask_praetorian.decorators module¶
-
flask_praetorian.decorators.
auth_accepted
(method)¶ This decorator is used to allow an authenticated user to be identified while being able to access a flask route, and adds the current user to the current flask context.
-
flask_praetorian.decorators.
auth_required
(method)¶ This decorator is used to ensure that a user is authenticated before being able to access a flask route. It also adds the current user to the current flask context.
-
flask_praetorian.decorators.
roles_accepted
(*accepted_rolenames)¶ This decorator ensures that any uses accessing the decorated route have one of the needed roles to access it. If an @auth_required decorator is not supplied already, this decorator will implicitly check @auth_required first
-
flask_praetorian.decorators.
roles_required
(*required_rolenames)¶ This decorator ensures that any uses accessing the decorated route have all the needed roles to access it. If an @auth_required decorator is not supplied already, this decorator will implicitly check @auth_required first
flask_praetorian.exceptions module¶
-
exception
flask_praetorian.exceptions.
AuthenticationError
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The entered user’s password did not match the stored password
-
exception
flask_praetorian.exceptions.
BlacklistedError
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The jwt token has been blacklisted and may not be used any more
-
status_code
= 403¶
-
-
exception
flask_praetorian.exceptions.
ClaimCollisionError
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
” Custom claims to pack into the JWT payload collide with reserved claims
-
exception
flask_praetorian.exceptions.
ConfigurationError
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
There was a problem with the configuration
-
exception
flask_praetorian.exceptions.
EarlyRefreshError
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The jwt token has not yet expired for access and may not be refreshed
-
status_code
= 425¶
-
-
exception
flask_praetorian.exceptions.
ExpiredAccessError
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The jwt token has expired for access and must be refreshed
-
exception
flask_praetorian.exceptions.
ExpiredRefreshError
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The jwt token has expired for refresh. An entirely new token must be issued
-
exception
flask_praetorian.exceptions.
InvalidRegistrationToken
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The supplied registration token is invalid
-
exception
flask_praetorian.exceptions.
InvalidResetToken
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The supplied registration token is invalid
-
exception
flask_praetorian.exceptions.
InvalidTokenHeader
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The token contained in the header is invalid
-
exception
flask_praetorian.exceptions.
InvalidUserError
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The user is no longer valid and is now not authorized
-
status_code
= 403¶
-
-
exception
flask_praetorian.exceptions.
LegacyScheme
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The processed hash is using an outdated scheme
-
exception
flask_praetorian.exceptions.
MissingClaimError
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The jwt token is missing a required claim
-
exception
flask_praetorian.exceptions.
MissingRoleError
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The token is missing a required role
-
status_code
= 403¶
-
-
exception
flask_praetorian.exceptions.
MissingToken
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The header is missing the required jwt token
-
exception
flask_praetorian.exceptions.
MissingUserError
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
The user could not be identified
-
exception
flask_praetorian.exceptions.
MisusedRegistrationToken
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
Attempted to use a registration token for normal access
-
exception
flask_praetorian.exceptions.
MisusedResetToken
(message)¶ Bases:
flask_praetorian.exceptions.PraetorianError
Attempted to use a password reset token for normal access
-
exception
flask_praetorian.exceptions.
PraetorianError
(message)¶ Bases:
flask_buzz.FlaskBuzz
Provides a custom exception class for flask-praetorian based on flask-buzz. flask-buzz on gitub
-
status_code
= 401¶
-