Strong, Simple, and Precise security for Flask APIs (using jwt)

I'm using flask_restplus which kinda looks like the best choice to go with flask_praetorian (or in reverse order), and @api.errorhandler does not catch PraetorianError. But it does catch it's children, InvalidToken, InvalidUser etc.

~I'm wondering, is it possible to change exception class via config or maybe provide more usable for Flask exception instead of one making server go 500?~

~I'm also kinda new to Flask, so maybe exception thrown when JWT not found is ok and I just need to turn some switch on in Flask so it will handle it gracefully?~

~Thanks!~

~edit: actually, no JWT and decoding JWT errors may be more like... NotAuthrozired error or something?~

pytest didn't have any complaints and I didn't face any complications when testing it with my project. I suggest to just update the dependencies.

fixes #250

Sometimes users need more fine-grained control over access to users of the same class (role). For this, we should support a set of permissions.

This should be a completely optional feature.

Hello, Flask 2.0 was recently released however I'm unable to upgrade my application due to praetorian requiring flask <2.0: https://github.com/dusktreader/flask-praetorian/blob/master/poetry.lock#L196

I'm not familiar with Poetry - but it seems like it's flask-buzz that has the <2.0 requirement for flask?

If you can help confirm whether a change needs to be made to buzz and/or praetorian then I'm happy to help from there.

Thanks!

On the main page, if you scroll down to the "API" section and click on it (link here), it lists the modules, but not any of the actual functions or decorators.

I've noticed in a few implementations that the token provides an expiration value of 87970022657 (effectively never timing out in the near future). This occurs when JWT_ACCESS_LIFESPAN is provided in the config or not not. I have done some testing and it appears flask-praetorian detects the JWT_ACCESS_LIFESPAN but never overrides it and the default value for expiration when JWT_ACCESS_LIFESPAN is not provided is still 87970022657 and not the default 15 minutes.

{
  "iat": 1570022657,
  "exp": 87970022657,
  "jti": "21373dcf-0ad4-425c-b4bb-76a00cf1934f",
  "id": "5d923b3623ee32d79594545d",
  "rls": "user,admin",
  "rf_exp": 87970022657
}

In my configuration I have:

from flask import Flask, render_template
from apis import api, blueprint
from components.resources import guard, User
from flask_cors import CORS

# Initialize Flask and its config options
app = Flask(__name__)
app.config['SECRET_KEY'] = 'secret goes here'
app.config['JWT_ACCESS_LIFESPAN'] = {'minutes': 30}
app.config['JWT_REFRESH_LIFESPAN'] = {'days': 30}
app.config['MONGO_URI'] = 'connection string goes here'

# Initialize Flask-Restplus API with BluePrint
api.init_app(blueprint)
app.register_blueprint(blueprint)

# Initialize Flask-Praetorian for JWT based authentication and authorization
guard.init_app(app, User)

# Initialize CORS for remote apps
CORS(app)


if __name__ == '__main__':
    app.run()

The only way I've gotten it to work is to modify flask-praetorian/base.py line 364 to

if override_access_lifespan is not None:
    access_lifespan = self.access_lifespan
else:
    access_lifespan = override_access_lifespan
access_expiration = min(
    (moment + access_lifespan).int_timestamp,
    refresh_expiration,
)

in running tests i get a lot of repeated warnings from flask-praetorian:

DeprecationWarning: the method passlib.context.CryptContext.encrypt() is deprecated as of Passlib 1.7, and will be removed in Passlib 2.0, use CryptContext.hash() instead.
    return self.pwd_ctx.encrypt(raw_password, scheme=self.hash_scheme)

just a heads up and thanks for the great lib!

Creating new users is tricky for an api-based application. It would be nice to have a way to create a new user and provide verification via email.

I'm not sure this fits into flask-praetorian, but to be a complete batteries-included auth system it might be necessary.

Think about how something like this could be integrated

We will need the ability to verify a password using it's encryption algorithm and then re-encrypt with a new algorithm. This is necessary if an application decides to switch encryption methods but still needs current passwords to function correctly.

cls = <class 'freezegun.api.FakeDatetime'>, tz = datetime.timezone.utc

    @classmethod
    def now(cls, tz=None):
        now = cls._time_to_freeze() or real_datetime.now()
        if tz:
>           result = tz.fromutc(now.replace(tzinfo=tz)) + cls._tz_offset()
E           ValueError: fromutc: dt.tzinfo is not self

../../../.cache/pypoetry/virtualenvs/flask-praetorian-IlIQAbrd-py3.8/lib/python3.8/site-packages/freezegun/api.py:358: ValueError

I'm just checking in to see how you're sending your email template for the verification.

I have it working and sending the default verification email which is fine. I've created a HTML template now though and want to use it instead.

Following the docs it says to do as so:

send_reset_email(email, template=None, reset_sender=None, reset_uri=None, subject=None, override_access_lifespan=None)

so I did:

guard.send_registration_email(user.username, user=user, template="path.to.template.html")

Stupid me, the email came in, with path.to.template.html in the body. So I get that. String.

I've tried to somehow get it to the path of the file like so:

.flask_api/blueprints/auth/templates/new_registration_email.html

...however I get a 500 INTERNAL SERVER ERROR with "details": "'str' object has no attribute 'new_registration_email'".

I can't imagine I have to put the complete html in the send_registration_email and I can't find anything in the docs, so I'm a little stumped.

How are you adding your HTML template in this case?

Any advice greatly appreciated. Thank you

Bumps certifi from 2021.10.8 to 2022.12.7.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

https://github.com/dusktreader/flask-praetorian/blob/c23d10e0d6e34b2b3102b9b71e48f006b8397467/flask_praetorian/base.py#L243

    self.reset_sender = app.config.get(
        "PRAETORIAN_RESET_SENDER",
    )

might can be replace by:

...
DEFAULT_SENDER = app.config.get(
                "DEFAULT_SENDER"
            )
...
    self.reset_sender = app.config.get(
        "PRAETORIAN_RESET_SENDER",
        DEFAULT_SENDER 
    )

IPO,the only DEFAULT_SENDER can meet the needs of sending mail. If the application need to use different mail sender, they can further set them separately?

When encoding a jwt and specifying the override_access_lifespan parameter using a dictionary as per the documentation, an error is thrown: (unsupported operand type(s) for +: 'DateTime' and 'dict') I solved the problem by using datetime.timedelta() to set the override_access_lifespan parameter. I suggest either add a check in encode_jwt_token method as you did with the JWT_ACCESS_LIFESPAN:

if isinstance(self.access_lifespan, dict): self.access_lifespan = pendulum.duration(**self.access_lifespan)

or mention in the documentation that it should be of type timedelta.

thank you ,

The project needs to have integration tests that verify that each feature works with:

• A running flask API instance
• A running database

The unit tests should verify that requests to the API get proper responses

Look into spinning up resources in Docker using the docker python sdk.

The email methods needed some hardening and there were some assumptions baked in that needed to be corrected. For now, the functionality has been updated, and documentation will follow. I will need to do some integration and regression testing on this feature.

https://github.com/dusktreader/flask-praetorian/blob/4740713858965e4c933b12e7d33d8972cd1d5618/flask_praetorian/base.py#L896-L899

send_reset_email attempts to pass the attribute user.email to the function send_token_email. The User object may not necessarily have an email attribute (I for instance have set it up as username in my model), and is causing the execution of send_reset_email to fail.

Can we update the function to return email instead of user.email? Similar to how its currently done for send_registration_email https://github.com/dusktreader/flask-praetorian/blob/4740713858965e4c933b12e7d33d8972cd1d5618/flask_praetorian/base.py#L827-L831