Currently it looks as though websockets wont work with the standard require_jwt_auth() even when sent via cookies (which works with flask_jwt_extended). This is the error I'm getting:

ERROR:    Exception in ASGI application
Traceback (most recent call last):
  File "/home/user/dev/work/venv/lib/python3.8/site-packages/uvicorn/protocols/websockets/websockets_impl.py", line 154, in run_asgi
    result = await self.app(self.scope, self.asgi_receive, self.asgi_send)
  File "/home/user/dev/work/venv/lib/python3.8/site-packages/uvicorn/middleware/proxy_headers.py", line 45, in __call__
    return await self.app(scope, receive, send)
  File "/home/user/dev/work/venv/lib/python3.8/site-packages/fastapi/applications.py", line 179, in __call__
    await super().__call__(scope, receive, send)
  File "/home/user/dev/work/venv/lib/python3.8/site-packages/starlette/applications.py", line 111, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/user/dev/work/venv/lib/python3.8/site-packages/starlette/middleware/errors.py", line 146, in __call__
    await self.app(scope, receive, send)
  File "/home/user/dev/work/venv/lib/python3.8/site-packages/starlette/exceptions.py", line 58, in __call__
    await self.app(scope, receive, send)
  File "/home/user/dev/work/venv/lib/python3.8/site-packages/starlette/routing.py", line 566, in __call__
    await route.handle(scope, receive, send)
  File "/home/user/dev/work/venv/lib/python3.8/site-packages/starlette/routing.py", line 283, in handle
    await self.app(scope, receive, send)
  File "/home/user/dev/work/venv/lib/python3.8/site-packages/starlette/routing.py", line 57, in app
    await func(session)
  File "/home/user/dev/work/venv/lib/python3.8/site-packages/fastapi/routing.py", line 228, in app
    await dependant.call(**values)
  File "./backend/api/routers/apps.py", line 171, in dashboard
    Authorize.jwt_required()
  File "/home/user/dev/work/venv/lib/python3.8/site-packages/fastapi_jwt_auth/auth_jwt.py", line 670, in jwt_required
    self._verify_and_get_jwt_in_cookies('access',self._decode_issuer)
  File "/home/user/dev/work/venv/lib/python3.8/site-packages/fastapi_jwt_auth/auth_jwt.py", line 541, in _verify_and_get_jwt_in_cookies
    cookie = self._request.cookies.get(cookie_key)
AttributeError: 'NoneType' object has no attribute 'cookies'

For ratelimiting the endpoint I want to use two approaches i)based on IP address (unprotected endpoint, no JWT access token)

def get_remote_address(request: Request) -> str:
    """
    Returns the ip address for the current request (or 127.0.0.1 if none found)
    """
    return request.client.host or "127.0.0.1"

It works fine

2 ) based on current user, current user has to be retrieved from JWT access token. JWT access token is created using this fastapi-jwt-auth and user is in get-jwt-subject.

from starlette.requests import Request
from fastapi_jwt_auth import AuthJWT

def get_user_from_headers(request: Request):
    if 'authorization' in request.headers:
        
        current_user = AuthJWT.get_jwt_subject()
        print(current_user)
        return current_user
    else:
         return  get_remote_address

Doing this, I couldn't find current-user. How to find current_user if request.headers has authorization?

Hi, how can i personalize exeption messages?

@app.exception_handler(AuthJWTException) def authjwt_exception_handler(request: Request, exc: AuthJWTException): return JSONResponse( status_code=exc.status_code, content={"detail": exc.message} )

Would it be feasible to add an optional option to enable or disable authentication to the jwtSettings?

Currently I'm using Fast-API users (but I'm migrating to fastapi-jwt-auth) and one of the requests of some users is to be able to disable authentication (so that they can use their own authentication platform like authelia).

With FastAPI users I highjack a function (essentially if the DISABLE_AUTH environment variable is set to true, I import a fake function that just returns true instead of the actual get_active_user function (code here)).

I was wondering if there's a similar way to do that with this framework?

Is it possible to use it in graphql? https://fastapi.tiangolo.com/advanced/graphql/

Tried this: https://github.com/tiangolo/fastapi/issues/1279

But it's not showing the graphiql ide : {"detail":"Method Not Allowed"}

In https://indominusbyte.github.io/fastapi-jwt-auth/usage/freshness/

def refresh():
    new_access_token = Authorize.create_access_token(subject=current_user,fresh=False)

fresh=False. Took me a while to figure out on localhost why it was giving me the "Fresh token required" error. Switching this to True got me good. I'm a total JWT newb, and still wrapping my mind around it, so maybe it's user-error on my part?

While testing protected endpoint, I put wrong access token (deleting some values in actual access token) in Postman. I tired to print AuthJwt exception but it gives nothing. When I donot supply access token, no any exception message is printed. For example: access token is eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

But I put access token in Postman as eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJz to test It gives nothing while printing print(e).

except AuthJWTException as e:
       print(e)
       return ErrorResponseModel(
                        "Something went wrong",
                        status.HTTP_200_OK,
                        status.HTTP_401_UNAUTHORIZED
                    )   

Code in main.py

application.add_exception_handler(AuthJWTException, authjwt_exception_handler)

How toc check individual exception?

Hi. I've got this problem. How to fix this?

Request to get access token: curl -H "Content-Type: application/json" -X POST -d '{"email":"test","password":"test"}' http://localhost:8000/login Response: {"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0IiwiaWF0IjoxNjA0MzUwMTc4LCJuYmYiOjE2MDQzNTAxNzgsImp0aSI6IjI5Yjg3YTY0LTQyZDQtNGVlZC1iZmEyLTU4OTZhZjdhNjM2NiIsImV4cCI6MTYwNDM1MTA3OCwidHlwZSI6ImFjY2VzcyIsImZyZXNoIjpmYWxzZX0.o6JkaCJmANVbuwaj5loHmj_YBLfHchf8TiTssdwmgTM", "refresh_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0IiwiaWF0IjoxNjA0MzUwMTc4LCJuYmYiOjE2MDQzNTAxNzgsImp0aSI6IjY5NTc1MjBhLTFiNDItNDFhOS1iMmRmLWZmNTU2ODBhNDIyYiIsImV4cCI6MTYwNjk0MjE3OCwidHlwZSI6InJlZnJlc2gifQ.SVa5ol5sDGzcUnDtrf--oduG5jifapXYy2zulwt6fO0"}

Request to protected endpoint with Authorize.jwt_required: curl -H "Authorization: Authorization-Token eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0IiwiaWF0IjoxNjA0MzUwMTc4LCJuYmYiOjE2MDQzNTAxNzgsImp0aSI6IjI5Yjg3YTY0LTQyZDQtNGVlZC1iZmEyLTU4OTZhZjdhNjM2NiIsImV4cCI6MTYwNDM1MTA3OCwidHlwZSI6ImFjY2VzcyIsImZyZXNoIjpmYWxzZX0.o6JkaCJmANVbuwaj5loHmj_YBLfHchf8TiTssdwmgTM" http://localhost:8000/protected Response: {"detail":"Invalid token type. Token must be a <class 'bytes'>"}

I really appreciate your work on this project.

It could be a nice feature to have sliding sessions available, i.e. sending fresh access tokens on every request, if a certain time of inactivity is not exceeded.

Some information about this approach can be found here https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/.

Any suggestions how this could be implemented? Maybe as a middleware?

Best regards

I try to separate the logic of checking JWT tokens from one function so that it can be reused. But when I try to run the code, it does not work. I manage an access token in my database and check if it exists or not. The last generated token will be valid only for the access token. This access token must be checked at every protected endpoint. Here is my code:

@router.get('/user')
async def items(Authorize: AuthJWT = Depends(), db: AsyncIOMotorClient = Depends(get_database)):
    try:
        await jwt_token_checker(Authorize, db)
        return {"asd"}   

    except Exception as ex:
        return error

Helper Function:

async def jwt_token_checker( Authorize: AuthJWT , conn: AsyncIOMotorClient):
    try:
        Authorize.jwt_required()
        jti = Authorize.get_raw_jwt()['jti']
        current_user = Authorize.get_jwt_subject()
        access_token_check = await check_access_token(conn, Authorize, jti, current_user)
        
        errorMessage = ""
        if access_token_check == AuthEnum.FORBIDDEN_UNAUTHORIZED_ACCESS:
            errorMessage = Locale(
                language, strings.FORBIDDEN_UNAUTHORIZED_ACCESS).string
            return errorMessage
    except Exception as ex:
        return error

Is this right way to separate the token checker function? If not then can you please suggest me some solution.

Hi, for RSA base encryption there is a public key that is used to decrypt messages. By the look of it, the library does not seem to support this. Would it make sense to add support for it ?

In this line, https://github.com/IndominusByte/fastapi-jwt-auth/blob/a6c06193319da0e4976c7472966f3a2891e0d50c/fastapi_jwt_auth/auth_jwt.py#L549 the code is trying to get CSRF_TOKEN from the headers and treating response.headers as a dict object which is true. But the headers don't contain the default "X-CSRF-Token". It contains the key-value pair with cookies as key and all cookie info as a string separated by ;.

So whenever someone tries to get CSRF token the code is unable to find the key "X-CSRF-Token" in the headers but now it's inside key cookies, which needs to be parsed for extracting CSRF_TOKEN.

That's why whenever someone uses csrf_protect as True, they get a Missing CSRF Token error every time

I can see the code is not updated for the last 2 years. That might be the reason that it is not in compliance with the browser's headers.

now it can create an access token and refresh token together with a specific id that "aid" so in deny list we can block both of them, by blocking that is the same in both

I'm having a problem with the OpenApi doc generation, I tested https://indominusbyte.github.io/fastapi-jwt-auth/advanced-usage/generate-docs/ and it keeps giving the error with the Authorization key being ignored by openApi, if you make the call via insomnia it works normally

Att

I am using pyjwt version 2.4.0 and I think it's conflicting and showing this error: AttributeError: 'str' object has no attribute 'decode' When I try to use this:

access_token = self.authorize.create_access_token(subject=body.phone)
refresh_token = self.authorize.create_refresh_token(subject=body.phone)

When I down grade pyjwt to 1.7.0 it works fine.

A grammatical error was observed in the docs. It said "Which keeps javascript cannot be able to access the cookies."

I think want was meant was "Which means javascript cannot be able to access the cookies."