miguelgrinberg / microblog-api

A modern (as of 2024) Flask API back end.

Tokens

hackzaid opened this issue · comments

When you create a new token, is it just my code, or is there something wrong with the codebase, that makes the refresh token come back as a null value?

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.........",
  "refresh_token": null
}

And when revoking the access_token, I always get this error:

return _unicodify_header_value(self.environ[f"HTTP_{key}"])
KeyError: 'HTTP_AUTHORIZATION'

Can't seem to find where it's originating from.

The revoking now works after modifying the endpoint to this:

@tokens.route('/tokens', methods=['DELETE'])
@authenticate(token_auth)  # <<< added this line here
@response(EmptySchema, status_code=204, description='Token revoked')
@other_responses({401: 'Invalid access token'})
def revoke():
    """Revoke an access token"""

Is this a recommended way, or is there a better way to handle revoking tokens?

Without the code I have no way to know what to debug this problem. This is the APIFairy project, which is generic and has nothing to do with tokens. You seem to be asking about a project in particular, maybe something based on my microblog-api example?

Clearly @miguelgrinberg I am expanding my project from the microblog-API example.

This is the endpoint that handles "create access and refresh tokens", as copied from the microblog-API project:

@tokens.route('/tokens', methods=['POST'])
@authenticate(basic_auth)
@response(token_schema)
@other_responses({401: 'Invalid username or password'})
def new():
    """Create new access and refresh tokens

    The refresh token is returned in the body of the request or as a hardened
    cookie, depending on configuration. A cookie should be used when the
    client is running in an insecure environment such as a web browser, and
    cannot adequately protect the refresh token against unauthorized access.
    """
    user = basic_auth.current_user()
    token = user.generate_auth_token()
    db.session.add(token)
    Token.clean()  # keep token table clean of old tokens
    db.session.commit()
    return token_response(token)

Okay, I think I understand. I agree, it makes sense to add the @authenticate decorator on the revoke token endpoint. It isn't strictly necessary, but from an OpenAPI standpoint it should be added so that the documentation reflects that the token is required. Will go ahead and add it.

Sorry, forgot to reply to that.

I suggest you read the code to understand how refresh tokens work (and the documentation for the endpoint). These can be returned in the body of the response, or in a secure cookie. You must have your application configured to return it in the secure cookie, which is more secure.
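The two behaviours discussed in this thread, the `"refresh_token": null` body and the `KeyError: 'HTTP_AUTHORIZATION'` on revoke, are easy to reproduce without Flask. The following is an added, stand-alone illustration written for this page; it is not code from microblog-api or APIFairy. `token_response` here takes explicit `refresh_in_body` / `refresh_in_cookie` keyword flags (the real project reads equivalent settings from its configuration; the flag names and the `/api/tokens` cookie path are assumptions), and `TokenStore` is a constructed in-memory stand-in for the project's `Token` table. It shows why a cookie-only configuration yields a null field in the body, what a hardened refresh-token cookie looks like, and how a revoke handler should turn a missing or malformed `Authorization` header into a 401 rather than an unhandled `KeyError` (which the framework would report as a 500).

```python
import secrets
from http.cookies import SimpleCookie


class TokenPolicyError(Exception):
    """Raised when a request must be refused; carries the HTTP status to answer with."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def token_response(access_token, refresh_token, *, refresh_in_body,
                   refresh_in_cookie, refresh_path="/api/tokens"):
    """Build the JSON body and optional Set-Cookie header for a new token pair.

    Assumed flag names (not the project's): refresh_in_body puts the refresh
    token in the JSON body, refresh_in_cookie puts it in a hardened cookie.
    With only the cookie enabled the body carries "refresh_token": null, which
    is the response the issue reporter saw.
    """
    body = {
        "access_token": access_token,
        "refresh_token": refresh_token if refresh_in_body else None,
    }
    headers = {}
    if refresh_in_cookie:
        cookie = SimpleCookie()
        cookie["refresh_token"] = refresh_token
        morsel = cookie["refresh_token"]
        morsel["path"] = refresh_path      # only sent to the refresh endpoint
        morsel["httponly"] = True          # not readable by page JavaScript
        morsel["secure"] = True            # only sent over HTTPS
        morsel["samesite"] = "Strict"      # not attached to cross-site requests
        headers["Set-Cookie"] = cookie.output(header="").strip()
    return {"body": body, "headers": headers}


def bearer_token_from_headers(headers):
    """Extract the bearer token from a headers dict, or raise a 401 policy error.

    Indexing headers['Authorization'] directly is what produces the
    KeyError seen in the thread when the header is absent; looking it up with
    .get() and validating the "Bearer <token>" shape keeps the failure a 401.
    """
    auth = headers.get("Authorization")
    if auth is None:
        raise TokenPolicyError(401, "missing Authorization header")
    parts = auth.split()
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1]:
        raise TokenPolicyError(401, "malformed Authorization header")
    return parts[1]


class TokenStore:
    """Constructed in-memory stand-in for the project's Token table."""

    def __init__(self):
        self._active = set()

    def issue(self):
        """Create an (access, refresh) pair and record the access token as live."""
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._active.add(access)
        return access, refresh

    def is_active(self, access_token):
        return access_token in self._active

    def revoke(self, headers):
        """Revoke the bearer token named in the request headers.

        Returns the HTTP status the DELETE /tokens endpoint would answer with:
        204 on success, 401 when the header is absent, malformed, or names a
        token that is not active. Never raises for bad client input.
        """
        try:
            access_token = bearer_token_from_headers(headers)
        except TokenPolicyError as exc:
            return exc.status
        if access_token not in self._active:
            return 401
        self._active.discard(access_token)
        return 204


if __name__ == "__main__":
    store = TokenStore()
    access, refresh = store.issue()
    print(token_response(access, refresh, refresh_in_body=False, refresh_in_cookie=True))
    print("revoke without header ->", store.revoke({}))
    print("revoke with bearer    ->", store.revoke({"Authorization": "Bearer " + access}))
```

Putting `@authenticate(token_auth)` on the revoke endpoint, as agreed in the thread, achieves the same outcome as `bearer_token_from_headers` one layer earlier: the framework rejects requests without a valid bearer token with a 401 before the handler body ever indexes the header, and the OpenAPI document records that the token is required.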