I got a traceback from flask_jwt_extended import jwt_required File "D:\Program Files\Python\Python36\lib\site-packages\flask_jwt_extended_init_.py", line 1, in from .jwt_manager import JWTManager File "D:\Program Files\Python\Python36\lib\site-packages\flask_jwt_extended\jwt_manager.py", line 3, in from jwt import ExpiredSignatureError, InvalidTokenError ImportError: cannot import name 'ExpiredSignatureError'

We've considered using a JWT as a relatively long-lived server-to-server API key (for a handful of first and second-party servers) that specifies permitted endpoints/restrictions/etc, on which we'd use blacklisting. We've also considered various short-lived client authorization uses where we don't really need to worry about blacklisting.

I'm not sure how much it would matter in reality, but I would be a little more comfortable using JWTs for both purposes if it was trivial to specify separate secrets for each use case. This would:

• reduce the number (probably by at least a few orders of magnitude) of tokens floating around that could be used to attempt brute-force recovery of the secret used to sign the API-key tokens
• enable us to rotate more heavily-used auth secrets without having to temporarily break integrations and redistribute API-keys

One approach might be using the existing config vars when the decorators are used normally, and adding support for explicitly passing one or more secrets to the decorator. I think this could be reasonably intuitive:

API_KEY_SECRET = os.getenv("API_KEY_SECRET")
AUTH_SECRET = os.getenv("AUTH_SECRET")

@jwt_required(API_KEY_SECRET)
@route("/partner_api")
def partners(self):
   ...

@jwt_required(AUTH_SECRET)
@route("/account")
def account(self):
   ...

A more robust version might be for the decorators to accept your config objects, along with a factory that'll generate a config object as you do currently (with defaults from app.config), but override any user-supplied values.

Flask with blueprint pattern, using Flask Restful with a Token Resource class and method decorator for jwt_required.

'''In app.py'''
from flask_jwt_extended import JWTManager
from flask import Flask

jwtmanager = JWTManager()

def create_app():
    app = Flask(__name__)

def register_extensions(app):
    jwtmanager.init_app(app)


'''in views.py'''
from flask_restful import Resource, Api
from flask_jwt_extended import jwt_required

api = Api()

class TokenResource(Resource):
    method_decorators = [jwt_required]

class HelloWorld(TokenResource):
    def get(self):
        return 'Hello, World!'

api.add_resource(HelloWorld, '/hello')

The issue I am having is with exceptions and it likely has little to do with this library. When I run into a common jwt_extended exception on the flask development server with debug enabled I get this which is awesome!

{
  "msg": "Token has expired"
}

With Gunicorn I get this on the exact same request with the same expired token. gunicorn --reload --worker-class "gevent" "app:create_app()"

{"message": "Internal Server Error"}

with a traceback that the development server never showed.

File "/usr/local/lib/python3.5/site-packages/flask/app.py", line 1639, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.5/site-packages/flask/app.py", line 1625, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/usr/local/lib/python3.5/site-packages/flask_restful/__init__.py", line 477, in wrapper
resp = resource(*args, **kwargs)
File "/usr/local/lib/python3.5/site-packages/flask/views.py", line 84, in view
return self.dispatch_request(*args, **kwargs)
File "/usr/local/lib/python3.5/site-packages/flask_restful/__init__.py", line 587, in dispatch_request
resp = meth(*args, **kwargs)
File "/usr/local/lib/python3.5/site-packages/flask_jwt_extended/utils.py", line 222, in wrapper
jwt_data = _decode_jwt_from_request(type='access')
File "/usr/local/lib/python3.5/site-packages/flask_jwt_extended/utils.py", line 204, in _decode_jwt_from_request
return _decode_jwt_from_headers()
File "/usr/local/lib/python3.5/site-packages/flask_jwt_extended/utils.py", line 176, in _decode_jwt_from_headers
return _decode_jwt(token, secret, algorithm)
File "/usr/local/lib/python3.5/site-packages/flask_jwt_extended/utils.py", line 136, in _decode_jwt
data = jwt.decode(token, secret, algorithm=algorithm)
File "/usr/local/lib/python3.5/site-packages/jwt/api_jwt.py", line 75, in decode
self._validate_claims(payload, merged_options, **kwargs)
File "/usr/local/lib/python3.5/site-packages/jwt/api_jwt.py", line 104, in _validate_claims
self._validate_exp(payload, now, leeway)
File "/usr/local/lib/python3.5/site-packages/jwt/api_jwt.py", line 149, in _validate_exp
raise ExpiredSignatureError('Signature has expired')
jwt.exceptions.ExpiredSignatureError: Signature has expired

It is raising the exception and I imagine it is calling the Signature expired callback which sends the json back out but clearly something goes wrong and it bubbles up and Flask hands out a 500 in place of what would have been a signature expired json message as the flask dev server does.

This probably has nothing to do with this specific library at all and any hints at all your give me about which direction to go in on this would be much appreciated by me. Using this with the flask development server has been perfect but now getting something ready for production I am encountering this persistent issue. My regular views return json just fine with the production setup but these exceptions don't. I was hoping maybe somebody had been running this in production and would be able to give me a hint on where I went wrong here. Thanks!

Hello,

I am seeing some weirdness around JWT token usage. If the same user credentials are used to generate tokens from different locations, one of the user gets a 500 internal server error.

I see the below entries in the logs. Wondering if this is a known behavior? Is there anyway to mitigate it?

File "/var/task/flask_jwt_extended/config.py", line 58, in jwt_in_cookies return 'cookies' in self.token_location File "/var/task/flask_jwt_extended/config.py", line 44, in token_location locations = current_app.config['JWT_TOKEN_LOCATION'] KeyError: 'JWT_TOKEN_LOCATION'

Hi mate,

I've been reading this attack vector from the OWASP: https://www.owasp.org/index.php/JSON_Web_Token_(JWT)_Cheat_Sheet_for_Java#Token_sidejacking

And I was wondering what you reckon about the option of adding "user context" and then validating it. It would be trivial to add this data as you describe here: https://flask-jwt-extended.readthedocs.io/en/latest/add_custom_data_claims.html, but I'm not sure how easy would be to then add that check to the JWT validation process as well, as opposed to having to do it manually for every request an API receives if there is no native support from this module.

Cheers!

Hi, I found an issue with jwt_required decorator, I don't understand why works when I used like:

@custom_api.route('/resellers/<token>/registrations', methods=['GET'])
@jwt_required
def get_resellers(token):
  ...

but NOT when:

I'm using https://flask-restless.readthedocs.io/en/stable/ where I can use methods as preprocessor

    @classmethod
    @jwt_required
    def get_many_preprocessor(cls, search_params=None, **kw):
        print "Here not work"

This worked me with flask-jwt, what could be?

I'm migrating from flask-jwt and make extensive use of decorated required and optional routes. My tests also have extensive coverage for invalid JWT cases. I've confirmed that invalid JWTs are handled correctly for jwt_required() routes, but not fully for jwt_required(optional=True) routes. Note that I use "JWT" as my prefix instead of "Bearer". I've also seen that flask-jwt-extended test cases do not cover these types of cases for optional routes.

Specifically these routes are allowed access for these invalid tokens. It is obviously important that any type of error for a submitted token (in any location) is rejected even when it is optional.

• "JWT "
• "JWT xxxx"
• "JWT xxxx xxxx"
• "JXX"

I create both refresh token and access token when login. However, when logout, those tokens should be revoked at the same time, without affecting other tokens owned by the user. I look at the doc. Like:

# Endpoint for revoking the current users access token
@app.route('/logout', methods=['POST'])
@jwt_required
def logout():
    try:
        _revoke_current_token()
    except KeyError:
        return jsonify({
            'msg': 'Access token not found in the blacklist store'
        }), 500
    return jsonify({"msg": "Successfully logged out"}), 200


# Endpoint for revoking the current users refresh token
@app.route('/logout2', methods=['POST'])
@jwt_refresh_token_required
def logout2():
    try:
        _revoke_current_token()
    except KeyError:
        return jsonify({
            'msg': 'Refresh token not found in the blacklist store'
        }), 500
    return jsonify({"msg": "Successfully logged out"}), 200

Is there a way to revoke both?

I'm using Flask-JWT-Extended to protect my Flask API. After the Login, in the protected route (add-user), I call get_jwt_identity(), but it's returning None, so I'm not able to get the identity.

@flask_app.route('/<api_version>/login', methods=['POST'])
def login(api_version):
    print(f'login', request.form)
    response = None
    try:
        username = request.form['username']
        password = request.form['password']

        if not username:
            return jsonify({"msg": "Missing username parameter"}), 400
        if not password:
            return jsonify({"msg": "Missing password parameter"}), 400

        user = User.get_with_password(username, password)

        if (not user):
            e1 = Unauthorized(
                'Invalid username or password.  Please try again.')
            e1.status = 401
            raise e1

        """ flask_login.login_user(user, remember=True) """
        access_token = create_access_token(identity=username)
        response = json.dumps({"token": access_token}, cls=CustomJSONEncoder)
    except Exception as e:
        errMsg = f'Error Logging in user {username if username else ""}: {e}'
        status = e.status if hasattr(e, 'status') else 500
        print(f'{errMsg}')
        traceback.print_exc()
        return Response(
            json.dumps({"message": errMsg, "status": status, "stack": traceback.format_exc() }), status=status, mimetype='application/json')
        

    resp = Response(response, status=200, mimetype='application/json')
    return resp

@flask_app.route('/<api_version>/add-user', methods=['POST'])
@jwt_required
def add_user(api_version):
    print(f'add-user', request)
    response = None
    username = None
    password = None
    allow_admin = None
    try:
        data = request.get_json()
        print(f'add-user data', data)

        if 'username' in data:
            username = data['username']
        else:
            return jsonify({"msg": "Missing username parameter"}), 400
        if 'password' in data:
            password = data['password']
        else:
            return jsonify({"msg": "Missing password parameter"}), 400
        if 'allow_admin' in data:
            allow_admin = data['allow_admin']

        """ user = User.get_with_password(username, password)"""
        user = get_jwt_identity()
        print('user',user)

        if (not user):
            e1 = Unauthorized(
                'Invalid username or password.  Please try again.')
            e1.status = 401
            raise e1

        response = json.dumps({"user": user}, cls=CustomJSONEncoder)
    except Exception as e:
        errMsg = f'Error Adding User {username}: {e}'
        status = e.status if hasattr(e, 'status') else 500
        print(f'{errMsg}')
        traceback.print_exc()
        return Response(
            json.dumps({"message": errMsg, "status": status, "stack": traceback.format_exc() }), status=status, mimetype='application/json')
        

    resp = Response(response, status=200, mimetype='application/json')
    return resp

User.py

class User():
    @classmethod
    def get_with_password(cls, username, password):
        print(f'User get_with_password {username} with password')
        user_db = account.get_account(username)
        print(f'User returned from DB: {user_db}')

        user = User()
        if not user_db or not len(user_db) or (not 'password' in user_db):
            return None
        user.username = username
        user.id = username

        if bcrypt.check_password_hash(user_db['password'], password):

            user.role = user_db['role']
            #user.is_authenticated = True
            print(
                f'loginUser returning {vars(user)} ')
            return user
        return None

Apologies if this is only tangentially a jwt issue:

I am trying to figure out a simple way to enable a "debug mode" (conditional to FLASK_DEBUG) where @jwt_required requests succeed, regardless of the presence of an authorization header. That would be especially useful to be able to test using flask-restplus' automatically generated API docs and request forms.

Ideally, I would simply add a custom jwt.claims_verification_loader when in debug mode, but that callback does not seem to be called at all, if the header is not set altogether.

Is there a (clean) way to intercept the verification process higher up? Any other suggestions on the best way to implement a debug mode that will play nice with flask-restplus?

Similar to #86, errors like SignatureExpiry are returning 500 rather than 4xx errors.

However I am using flask-restful which does not have an error_handler, so the solutions in the referenced issue do not apply.

Flask-restful is briefly mentioned on the releases page here, but setting application.config['PROPAGATE_EXCEPTIONS'] = True didn't have any effect for me.

Any insight into how I can correctly deal with error handling using flask-restful?

After upgrading to PyJWT 2.6.0 (to fix https://github.virtualitics.com/advisories/GHSA-ffqj-6fqr-9h24), the following error occurs when using create_access_token.

File "/opt/app-root/lib/python3.8/site-packages/flask_jwt_extended/utils.py", line 172, in create_access_token

    return jwt_manager._create_access_token(identity, fresh, expires_delta, user_claims,

  File "/opt/app-root/lib/python3.8/site-packages/flask_jwt_extended/jwt_manager.py", line 511, in _create_access_token

    access_token = encode_access_token(

  File "/opt/app-root/lib/python3.8/site-packages/flask_jwt_extended/tokens.py", line 76, in encode_access_token

    return _encode_jwt(token_data, expires_delta, secret, algorithm,

  File "/opt/app-root/lib/python3.8/site-packages/flask_jwt_extended/tokens.py", line 29, in _encode_jwt

    encoded_token = jwt.encode(token_data, secret, algorithm,

AttributeError: 'str' object has no attribute 'decode'

It would be helpful to be able to provide an argument to the @jwt_required() decorator that would disable the blocklist verification for a given route.

This (or another workaround) is needed to be fully compliant with RFC 7009 - OAuth 2.0 Token Revocation. Specifically, the RFC states, "The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.".

The RFC also recommends (via should language), that if the auth server supports access token revocation, then it should revoke any access tokens associated with a refresh token when it receives a refresh token revocation request. The simplest way to achieve this is for the server to store the access and refresh tokens upon user login.

Such a schema means that the blocklist becomes more of an allow-list, where a token is considered revoked if it does not appear in the list or table of current access tokens. This approach is mentioned in the jwt-extended documentation as the third option for revoking both access and refresh tokens.

@token_in_blocklist_loader
def is_denied(header, payload):
    return payload['jti'] not in active_tokens

# ...

@jwt_required(verify_type=False)
def logout():
    # look for an entry in active_tokens. If it exists, delete it.
    # either way, return a 200
   token_entry = active_tokens.find_by_token(get_jwt())
   if token_entry:
       token_entry.remove()
    return {'message': 'Logout successful'}

The problem is that the method logic will never run if an invalid token is sent since jwt-extended will run the revocation check, then nvoke the appropriate error handler if the token isn't recognized. Additionally, valid tokens that were previously revoked will also result in an error response (for instance if the user logs out twice in a row using the same access/refresh token, the second attempt will produce an error).

At the same time, an error should be thrown if no token is provided (and get_jwt() doesn't function without @jwt_required()).

The simplest solution would be to optionally bypass the revocation check when adding the decorator. Something like @jwt_required(verify_type=False, skip_revocation_check=True).

There are other workarounds, such as not using the jwt_required decorator on the logout/revoke route (and instead doing manual validation of the token), or looking at the request object in the blocklist loader, and if it contains a specific URL, always returning False, but both of those are less than ideal.

All error handler callbacks should include the original error message in the parameters. E.g, the _expired_token_callback takes e.jwt_header, e.jwt_data as parameters, thus the original error message is lost when setting the expired_token_loader. Either the entire error should be set as parameter, I.e. _expired_token_callback(e: Exception) or alternatively you could add the error message as a string _expired_token_callback(e.jwt_header, e.jwt_data, str(e)). The same applies for all error handlers which do not include the error message.

Hello,

Thanks for the great work !

With the OPTIONS HTTP method, a confusing error message is raised, stating that @jwt_required() was not called, although it was called:

"You must call @jwt_required() or verify_jwt_in_request() "

Here is a way to reproduce the issue :

from flask import Flask, jsonify
from flask_jwt_extended import get_jwt_identity, jwt_required, JWTManager

app = Flask(__name__)
app.config["JWT_SECRET_KEY"] = "super-secret"
jwt = JWTManager(app)

@app.route("/", methods=["GET", "OPTIONS"])
@jwt_required(optional=True)
def protected():
    current_user = get_jwt_identity()
    return "hello", 200


if __name__ == "__main__":
    app.run()

$ curl -X OPTIONS http://0.0.0.0:5000/ -i 
HTTP/1.0 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
Content-Length: 290
Server: Werkzeug/2.0.2 Python/3.7.11
Date: Wed, 13 Apr 2022 07:55:36 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>

2022-04-13 09:55:36,725] ERROR in app: Exception on / [OPTIONS]
Traceback (most recent call last):
  File "/***/venv/lib/python3.7/site-packages/flask/app.py", line 2073, in wsgi_app
    response = self.full_dispatch_request()
  File "/***/venv/lib/python3.7/site-packages/flask/app.py", line 1518, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/***/venv/lib/python3.7/site-packages/flask/app.py", line 1516, in full_dispatch_request
    rv = self.dispatch_request()
  File "/***/venv/lib/python3.7/site-packages/flask/app.py", line 1502, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/***/venv/lib/python3.7/site-packages/flask_jwt_extended/view_decorators.py", line 127, in decorator
    return current_app.ensure_sync(fn)(*args, **kwargs)
  File "test_app.py", line 11, in protected
    current_user = get_jwt_identity()
  File "/***/venv/lib/python3.7/site-packages/flask_jwt_extended/utils.py", line 58, in get_jwt_identity
    return get_jwt().get(config.identity_claim_key, None)
  File "/***/venv/lib/python3.7/site-packages/flask_jwt_extended/utils.py", line 25, in get_jwt
    "You must call `@jwt_required()` or `verify_jwt_in_request()` "
RuntimeError: You must call `@jwt_required()` or `verify_jwt_in_request()` before using this method
127.0.0.1 - - [13/Apr/2022 09:55:36] "OPTIONS / HTTP/1.1" 500 -

Hi, i need to parse the token from JSON that is in request.event var (SocketIO) and for that i had to implement custom _decode_jwt_from_event and wire it it like this (yes that is bunch of code cannibalized from flask-jwt-extended):

"""
This is flask-jwt-extended version 4 implementation of custom resolver
"""


from functools import wraps
from flask import request, current_app
from werkzeug.exceptions import BadRequest
from flask_jwt_extended.config import config
from flask_jwt_extended.view_decorators import _load_user, _decode_jwt_from_cookies, _decode_jwt_from_query_string, _decode_jwt_from_headers, _verify_token_is_fresh, _decode_jwt_from_json
from flask_jwt_extended.exceptions import NoAuthorizationError
from flask_jwt_extended.utils import decode_token, get_unverified_jwt_headers
from flask_jwt_extended.internal_utils import verify_token_type, verify_token_not_blocklisted, custom_verification_for_token
from flask import _request_ctx_stack


def _decode_jwt_from_event(refresh):
    if not request.event:
        raise NoAuthorizationError('Invalid content-type. Must have event.')

    if refresh:
        token_key = config.refresh_json_key
    else:
        token_key = config.json_key

    try:
        encoded_token = request.event.get('args')[0].get(token_key, None)
        if not encoded_token:
            raise BadRequest()
    except BadRequest:
        raise NoAuthorizationError('Missing "{}" key in json data.'.format(token_key))

    return encoded_token, None


def _decode_jwt_from_request(locations, fresh, refresh=False):
    # Figure out what locations to look for the JWT in this request
    if isinstance(locations, str):
        locations = [locations]

    if not locations:
        locations = config.token_location

    # Get the decode functions in the order specified by locations.
    # Each entry in this list is a tuple (<location>, <encoded-token-function>)
    get_encoded_token_functions = [("json", lambda: _decode_jwt_from_event(refresh))]
    for location in locations:
        if location == "cookies":
            get_encoded_token_functions.append(
                (location, lambda: _decode_jwt_from_cookies(refresh))
            )
        elif location == "query_string":
            get_encoded_token_functions.append(
                (location, _decode_jwt_from_query_string)
            )
        elif location == "headers":
            get_encoded_token_functions.append((location, _decode_jwt_from_headers))
        elif location == "json":
            get_encoded_token_functions.append(
                (location, lambda: _decode_jwt_from_json(refresh))
            )
        else:
            raise RuntimeError(f"'{location}' is not a valid location")

    # Try to find the token from one of these locations. It only needs to exist
    # in one place to be valid (not every location).
    errors = []
    decoded_token = None
    jwt_header = None
    jwt_location = None
    for location, get_encoded_token_function in get_encoded_token_functions:
        try:
            encoded_token, csrf_token = get_encoded_token_function()
            decoded_token = decode_token(encoded_token, csrf_token)
            jwt_location = location
            jwt_header = get_unverified_jwt_headers(encoded_token)
            break
        except NoAuthorizationError as e:
            errors.append(str(e))

    # Do some work to make a helpful and human readable error message if no
    # token was found in any of the expected locations.
    if not decoded_token:
        if len(locations) > 1:
            err_msg = "Missing JWT in {start_locs} or {end_locs} ({details})".format(
                start_locs=", ".join(locations[:-1]),
                end_locs=locations[-1],
                details="; ".join(errors),
            )
            raise NoAuthorizationError(err_msg)
        else:
            raise NoAuthorizationError(errors[0])

    # Additional verifications provided by this extension
    verify_token_type(decoded_token, refresh)
    if fresh:
        _verify_token_is_fresh(jwt_header, decoded_token)
    verify_token_not_blocklisted(jwt_header, decoded_token)
    custom_verification_for_token(jwt_header, decoded_token)

    return decoded_token, jwt_header, jwt_location


def verify_jwt_in_request(optional=False, fresh=False, refresh=False, locations=None):
    """
    Verify that a valid JWT is present in the request, unless ``optional=True`` in
    which case no JWT is also considered valid.

    :param optional:
        If ``True``, do not raise an error if no JWT is present in the request.
        Defaults to ``False``.

    :param fresh:
        If ``True``, require a JWT marked as ``fresh`` in order to be verified.
        Defaults to ``False``.

    :param refresh:
        If ``True``, require a refresh JWT to be verified.

    :param locations:
        A location or list of locations to look for the JWT in this request, for
        example ``'headers'`` or ``['headers', 'cookies']``. Defaults to ``None``
        which indicates that JWTs will be looked for in the locations defined by the
        ``JWT_TOKEN_LOCATION`` configuration option.
    """
    if request.method in config.exempt_methods:
        return

    try:
        if refresh:
            jwt_data, jwt_header, jwt_location = _decode_jwt_from_request(
                locations, fresh, refresh=True
            )
        else:
            jwt_data, jwt_header, jwt_location = _decode_jwt_from_request(
                locations, fresh
            )
    except NoAuthorizationError:
        if not optional:
            raise
        _request_ctx_stack.top.jwt = {}
        _request_ctx_stack.top.jwt_header = {}
        _request_ctx_stack.top.jwt_user = {"loaded_user": None}
        _request_ctx_stack.top.jwt_location = None
        return

    # Save these at the very end so that they are only saved in the requet
    # context if the token is valid and all callbacks succeed
    _request_ctx_stack.top.jwt_user = _load_user(jwt_header, jwt_data)
    _request_ctx_stack.top.jwt_header = jwt_header
    _request_ctx_stack.top.jwt = jwt_data
    _request_ctx_stack.top.jwt_location = jwt_location

    return jwt_header, jwt_data


def jwt_required(optional=False, fresh=False, refresh=False, locations=None):
    """
    A decorator to protect a Flask endpoint with JSON Web Tokens.

    Any route decorated with this will require a valid JWT to be present in the
    request (unless optional=True, in which case no JWT is also valid) before the
    endpoint can be called.

    :param optional:
        If ``True``, allow the decorated endpoint to be accessed if no JWT is present in
        the request. Defaults to ``False``.

    :param fresh:
        If ``True``, require a JWT marked with ``fresh`` to be able to access this
        endpoint. Defaults to ``False``.

    :param refresh:
        If ``True``, requires a refresh JWT to access this endpoint. If ``False``,
        requires an access JWT to access this endpoint. Defaults to ``False``.

    :param locations:
        A location or list of locations to look for the JWT in this request, for
        example ``'headers'`` or ``['headers', 'cookies']``. Defaults to ``None``
        which indicates that JWTs will be looked for in the locations defined by the
        ``JWT_TOKEN_LOCATION`` configuration option.
    """

    def wrapper(fn):
        @wraps(fn)
        def decorator(*args, **kwargs):
            verify_jwt_in_request(optional, fresh, refresh, locations)

            # Compatibility with flask < 2.0
            if hasattr(current_app, "ensure_sync") and callable(
                getattr(current_app, "ensure_sync", None)
            ):
                return current_app.ensure_sync(fn)(*args, **kwargs)

            return fn(*args, **kwargs)  # pragma: no cover

        return decorator

    return wrapper

So my Q is, is there a better way how to do this^ (did i miss some thing?). And if there is none, will you be willing to merge a PR implementing lets say decorator custom_jwt_decoder to handle custom decoding?