Partially protecting routesΒΆ
There may be cases where you want to use one endpoint for both protected
and unprotected data. In these situations, you can use the
jwt_optional()
decorator. This will allow the endpoint
to be accessed regardless of if a JWT is sent in with the request. If a JWT
that is expired or badly constructed is sent in with the request, an error will
be returned instead of calling the protected endpoint as if no token was
present in the request.
from flask import Flask, jsonify, request
from flask_jwt_extended import (
JWTManager, jwt_optional, create_access_token,
get_jwt_identity
)
app = Flask(__name__)
# Setup the Flask-JWT-Extended extension
app.config['JWT_SECRET_KEY'] = 'super-secret' # Change this!
jwt = JWTManager(app)
@app.route('/login', methods=['POST'])
def login():
username = request.json.get('username', None)
password = request.json.get('password', None)
if not username:
return jsonify({"msg": "Missing username parameter"}), 400
if not password:
return jsonify({"msg": "Missing password parameter"}), 400
if username != 'test' or password != 'test':
return jsonify({"msg": "Bad username or password"}), 401
access_token = create_access_token(identity=username)
return jsonify(access_token=access_token), 200
@app.route('/partially-protected', methods=['GET'])
@jwt_optional
def partially_protected():
# If no JWT is sent in with the request, get_jwt_identity()
# will return None
current_user = get_jwt_identity()
if current_user:
return jsonify(logged_in_as=current_user), 200
else:
return jsonify(logged_in_as='anonymous user'), 200
if __name__ == '__main__':
app.run()