Flask-restful API Authorization. Access current_identity inside decorator

Question

I use flask-restful to create my APIs. I have used flask-jwt for enabling authentication based on JWT. Now I need to do authorization.

I have tried putting my authorization decorator.

test.py (/test api)

from flask_restful import Resource
from flask_jwt import jwt_required

from authorization_helper import authorized_api_user_type


class Test(Resource):

    decorators = [jwt_required(), authorized_api_user_type()]

    def get(self):
        return 'GET OK'

    def post(self):
        return 'POST OK'

Basically to handle the basic authorization, I need to access current_identity and check it's type. Then based on it's type I am gonna decide whether the user is authorized to access the api / resources.

But current_identity appears to be empty in that decorator. So to get it indirectly, I had to see the code of jwt_handler and do the things done there.

authorization_helper.py

from functools import wraps
from flask_jwt import _jwt, JWTError
import jwt
from models import Teacher, Student

def authorized_api_user_type(realm=None, user_type='teacher'):
    def wrapper(fn):
        @wraps(fn)
        def decorator(*args, **kwargs):
            token = _jwt.request_callback()

            if token is None:
                raise JWTError('Authorization Required', 'Request does not contain an access token',
                               headers={'WWW-Authenticate': 'JWT realm="%s"' % realm})

            try:
                payload = _jwt.jwt_decode_callback(token)
            except jwt.InvalidTokenError as e:
                raise JWTError('Invalid token', str(e))

            identity = _jwt.identity_callback(payload)
            if user_type == 'student' and isinstance(identity, Student):
                return fn(*args, **kwargs)
            elif user_type == 'teacher' and isinstance(identity, Teacher):
                return fn(*args, **kwargs)
            # NOTE - By default JWTError throws 401. We needed 404. Hence status_code=404
            raise JWTError('Unauthorized',
                           'You are unauthorized to request the api or access the resource',
                           status_code=404)
        return decorator
    return wrapper

Why can't I just access current_identity in my authorized_api_user_type decorator? What is the RIGHT way of doing authorization in flask-restful?

aGuegu · Accepted Answer · 2016-03-25T02:00:38.013

Here is the combination of quickstarts of both Flask-JWT and Flask-Restful.

from flask import Flask
from flask_restful import Resource, Api, abort
from functools import wraps

app = Flask(__name__)
api = Api(app)

from flask_jwt import JWT, jwt_required, current_identity
from werkzeug.security import safe_str_cmp

class User(object):
    def __init__(self, id, username, password):
        self.id = id
        self.username = username
        self.password = password

    def __str__(self):
        return "User(id='%s')" % self.id

users = [
    User(1, 'user1', 'abcxyz'),
    User(2, 'user2', 'abcxyz'),
]

username_table = {u.username: u for u in users}
userid_table = {u.id: u for u in users}

def authenticate(username, password):
    user = username_table.get(username, None)
    if user and safe_str_cmp(user.password.encode('utf-8'), password.encode('utf-8')):
        return user

def identity(payload):
    user_id = payload['identity']
    return userid_table.get(user_id, None)

app.config['SECRET_KEY'] = 'super-secret'

jwt = JWT(app, authenticate, identity)


def checkuser(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
        if current_identity.username == 'user1':
            return func(*args, **kwargs)
        return abort(401)
    return wrapper

class HelloWorld(Resource):
    decorators = [checkuser, jwt_required()]
    def get(self):
        return {'hello': current_identity.username}

api.add_resource(HelloWorld, '/')

if __name__ == '__main__':
    app.run(debug=True)

POST

{
    "username": "user1",
    "password": "abcxyz"
}

To localhost:5000/auth and get the access_token in response.

Then GET localhost:5000/ with header

Authorization: JWT `the access_token value above`

You would get

{
  "hello": "user1"
}

if you try to access localhost:5000/ with the JWT token of user2, you would get 401.

The decorators are wrapped in this way:

for decorator in self.decorators:
    resource_func = decorator(resource_func)

https://github.com/flask-restful/flask-restful/blob/master/flask_restful/init.py#L445

So the later one in the decorators array gets to run earlier.

For more reference:

https://github.com/rchampa/timetable/blob/master/restful/users.py

https://github.com/mattupstate/flask-jwt/issues/37

Have you read question? Question is about accessing `current_identity` in decorator. — Nikolay Fominyh, Mar 23 '16 at 11:16
`current_identity` is accessible if wrapped by the `jwt_required` decorator. Why do you need a customized decorator? — aGuegu, Mar 24 '16 at 01:29
Decorator can be used for a number of cases. For example - to detect role of user. To avoid rewriting code inside all of your views you can create decorator like "detect_role". Please, read entire question from OP. — Nikolay Fominyh, Mar 24 '16 at 09:38
ok, I got what you mean. I would resolve this problem soon enough (in my own project). I have read the source code of `jwt_required`, the current_identity is injected to the stack within it. So for your own decorator, I think current_identity is accessible if following `jwt_required`. — aGuegu, Mar 25 '16 at 01:22
@NikolayFominyh I have edited my sample with a customized decorator with current_identity in it. Wish it satisfy you, :) — aGuegu, Mar 25 '16 at 01:42
I am unable to GET with the Authorization header - when I use Postman to set a key of Authorization and a value of the token from /auth I get "Invalid JWT header". — Destaq, Aug 03 '20 at 08:51

score 6 · Answer 2 · answered Mar 16 '16 at 19:07

My current solution looks like:

@app.before_request
def detect_something():
    header = request.headers.get('Authorization')
    if header:
        _, token = header.split()
        request.identity = identity(jwt.decode(token,
                                               app.config['SECRET_KEY']))

After it we can access identity in decorator via request.identity. And I removed current_identity everywhere from code. It's still messy way.

what is messy way? what you suggested? – Dejell May 17 '19 at 07:58 — Dejell, May 17 '19 at 07:58

Jay · Answer 3 · 2017-07-21T07:35:18.213

1

Use this:

from flask_jwt import current_identity
@jwt_required()
def get(self):
    return {'current_identity': current_identity.json()}

edited Jul 21 '17 at 07:35

answered Jul 04 '17 at 15:02

Jay

93
8

While answering threads it would be preferable to avoid certain phrases such as, "try this", "use this" etc. – t.m.adam Jul 20 '17 at 03:14
As for 2020, this solution will not work. and will yield: TypeError: jwt_required() missing 1 required positional argument: 'fn' – barshopen Aug 01 '20 at 17:14

Flask-restful API Authorization. Access current_identity inside decorator

3 Answers3