freshcrate

flask-jwt-extended

Extended JWT integration with Flask

Description

# Flask-JWT-Extended

### Features

Flask-JWT-Extended not only adds support for using JSON Web Tokens (JWT) to Flask for protecting routes, but also many helpful (and **optional**) features built in to make working with JSON Web Tokens easier. These include:

- Adding custom claims to JSON Web Tokens
- Automatic user loading (`current_user`)
- Custom claims validation on received tokens
- [Refresh tokens](https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/)
- First class support for fresh tokens for making sensitive changes
- Token revoking/blocklisting
- Storing tokens in cookies and CSRF protection

### Usage

[View the documentation online](https://flask-jwt-extended.readthedocs.io/en/stable/)

### Upgrading from 3.x.x to 4.0.0

[View the changes](https://flask-jwt-extended.readthedocs.io/en/stable/v4_upgrade_guide/)

### Changelog

You can view the changelog [here](https://github.com/vimalloc/flask-jwt-extended/releases). This project follows [semantic versioning](https://semver.org/).

### Chatting

Come chat with the community or ask questions at https://discord.gg/EJBsbFd

### Contributing

Before making any changes, make sure to install the development requirements and set up the git hooks, which will automatically lint and format your changes.

```bash
pip install -r requirements.txt
pre-commit install
```

We require 100% code coverage in our unit tests. You can run the tests locally with `tox`, which ensures that all tests pass, tests provide complete code coverage, documentation builds, and the style guide is adhered to.

```bash
tox
```

A subset of checks can also be run by adding an argument to tox. The available arguments are:

- py37, py38, py39, py310, py311, py312, pypy3 - Run unit tests on the given python version
- mypy - Run mypy type checking
- coverage - Run a code coverage check
- docs - Ensure documentation builds and there are no broken links
- style - Ensure style guide is adhered to

```bash
tox -e py38
```

We also require features to be well documented. You can generate a local copy of the documentation by going to the `docs` directory and running:

```bash
make clean && make html && open _build/html/index.html
```

Release History

| Version | Changes | Urgency | Date |
|---|---|---|---|
| 4.7.1 | Imported from PyPI (4.7.1) | Low | 4/21/2026 |
| 4.7.0 | What's Changed: * Drop support for python 3.7 and 3.8, add 3.13 by @vimalloc in https://github.com/vimalloc/flask-jwt-extended/pull/559 * Fix documentation around identity needing to be a string by @vimalloc in https://github.com/vimalloc/flask-jwt-extended/pull/558 **Full Changelog**: https://github.com/vimalloc/flask-jwt-extended/compare/4.6.0...4.7.0 | Low | 11/18/2024 |
| 4.6.0 | What's Changed: * Bump cryptography from 41.0.4 to 41.0.6 by @dependabot in https://github.com/vimalloc/flask-jwt-extended/pull/535 * Do not check JWT_TOKEN_LOCATION when testing if cookie_csrf_protect is enabled by @vimalloc in https://github.com/vimalloc/flask-jwt-extended/pull/538 **Full Changelog**: https://github.com/vimalloc/flask-jwt-extended/compare/4.5.3...4.6.0 | Low | 12/13/2023 |
| 4.5.3 | What's Changed: * Typos by @dwinton-go in https://github.com/vimalloc/flask-jwt-extended/pull/514 * Replace "defining" with "define" by @lewisemm in https://github.com/vimalloc/flask-jwt-extended/pull/517 * Fix documentation syntax error by @dtalkachou in https://github.com/vimalloc/flask-jwt-extended/pull/519 * remove duplicate comments by @Abyssknight in https://github.com/vimalloc/flask-jwt-extended/pull/522 * Support python 3.12 and add support for flask 3.0 by @vimalloc in https://gi | Low | 10/3/2023 |
| 4.5.2 | * Fix documentation for `stable` build. No code changes were made in this release. | Low | 5/26/2023 |
| 4.5.1 | No changes from the 4.5.0 tag, I just forgot to update the `__version__` which causes issues with publishing the release. This corrects that issue and bumps the version to 4.5.1. | Low | 5/26/2023 |
| 4.5.0 | What's Changed: * Updated typing of expires_delta and fresh by @eMaerthin in https://github.com/vimalloc/flask-jwt-extended/pull/510 * Allow selective disabling of blocklist check by @indrajeet307 in https://github.com/vimalloc/flask-jwt-extended/pull/501 New Contributors: * @eMaerthin made their first contribution in https://github.com/vimalloc/flask-jwt-extended/pull/510 * @indrajeet307 made their first contribution in https://github.com/vimalloc/flask-jwt-extended/pull/501 **Ful | Low | 5/26/2023 |
| 4.4.4 | * Fix compatibility with flask version 2.3 (#493). Huge shout out to @jrast for taking on the bulk of this work! **Full Changelog**: https://github.com/vimalloc/flask-jwt-extended/compare/4.4.3...4.4.4 | Low | 8/15/2022 |
| 4.4.3 | * Documentation improvements (#470). Thanks @Udit107710! * Drop support for python 3.6 (flask no longer supports 3.6, so following suit here) * Add option to include `current_user` in jinja templates by default (#478) * Fix mypy type checks for `current_user` (#488) **Full Changelog**: https://github.com/vimalloc/flask-jwt-extended/compare/4.4.2...4.4.3 | Low | 7/27/2022 |
| 4.4.2 | What's Changed: * Fix mypy explicitly mark exported names #484 (thanks @KSmanis) * Fix `verify_type` being set to `False` by default in `verify_jwt_in_request()` #483 **Full Changelog**: https://github.com/vimalloc/flask-jwt-extended/compare/4.4.1...4.4.2 | Low | 6/27/2022 |
| 4.4.1 | What's Changed: * Documentation improvements (thanks @udoyen) * Fix PEP 561 compatibility #480 (thanks @KSmanis) **Full Changelog**: https://github.com/vimalloc/flask-jwt-extended/compare/4.4.0...4.4.1 | Low | 6/2/2022 |
| 4.4.0 | Overview: * Drop support for Flask 1 * This decision comes because flask 1 is no longer being supported upstream and a recent dependency change they released made it difficult to continue testing both versions for compatibility. * Add `verify_type` argument to view decorators to allow accepting both refresh & access tokens #460 (thanks @tgross35) * Adds type hinting and MyPy support * Documentation improvements (thanks @wjjmjh and @Udit107710) * Relax dependency pinning for cryptograph | Low | 5/2/2022 |
| 4.3.1 | * Allow Flask-JWT-Extended to work with new Cryptography versioning scheme (#452) | Low | 10/8/2021 |
| 4.3.0 | * Allow overriding cookies domain at runtime (#446). Thanks @bejito! * Better compatibility with flask 1.x.x and 2.x.x (#440). Thanks @StefanVDWeide * Documentation updates (#443, #444). Thanks @killthekitten and @juur | Low | 8/25/2021 |
| 4.2.3 | * Fix compatibility with Flask 1.x.x that was broken with the 4.2.2 release (see #437). Thanks @j178 for pointing this out! | Low | 7/6/2021 |
| 4.2.2 | * Added async support to jwt_required view decorator (#436). Thanks @StefanVDWeide! * Minor documentation improvements. Thanks @rohitsanj-jovian! | Low | 7/5/2021 |
| 4.2.1 | * Update Flask-JWT-Extended to work with flask 2.x.x. (#427). | Low | 5/12/2021 |
| 4.2.0 | * Add `JWT_ENCODE_NBF` configuration option to allow disabling the NBF claim during token creation. Thanks @magnunleno! #416 * Add a new `get_jwt_request_location()` function to determine where a token was parsed from in a request (useful for implicit token refresh with cookies). Thanks @sammck! #420 * Fix wrong error message in edge case with current user in non-decorated route. #408 * Fix JWT in headers followed by a comma raises IndexError #347 * Fix edge cases where `@jwt_required(opti | Low | 5/2/2021 |
| 4.1.0 | * Allow JWT `type` to be things besides `refresh` or `access` (#401). Any type that is not `refresh` will be considered an access token. Thanks @sambonner for the PR! * Allow locations kwarg for jwt_required() to be a string (#394) * Minor documentation improvements | Low | 3/9/2021 |
| 4.0.2 | * Properly include `requirements.txt` in the manifest. | Low | 2/13/2021 |
| 4.0.1 | * No changes from 4.0.0, this release is purely to fix some github actions and documentation builds | Low | 2/13/2021 |
| 4.0.0 | This release contains many months of work and lots of breaking changes. For full details, please see: https://flask-jwt-extended.readthedocs.io/en/stable/v4_upgrade_guide/ | Low | 2/13/2021 |
| 3.25.1 | * The only change in this release is that we are setting the metadata that marks this as the last release to support python versions earlier than 3.6 (including python 2). | Low | 2/13/2021 |
| 3.25.0 | * Add `JWT_ENCODE_ISSUER` option * Require PyJWT before version 2.0.0a to prevent breaking changes. (we will update to the 2.0.0 pyjwt release once it's out of the alpha/early release). | Low | 11/9/2020 |
| 3.24.1 | * Fixes a bug where missing JWTs were not being handled gracefully, introduced in version 3.23.0 (#282) | Low | 10/24/2019 |
| 3.24.0 | * Adds the ability to add custom data to the JWT headers via the `headers` kwarg when making new tokens or via the `jwt_manager.additional_headers_loader` decorator. These headers can be accessed in your endpoints via the `get_raw_jwt_header` function. Thanks @iamajay for this feature! (#271) | Low | 10/4/2019 |
| 3.23.0 | * Make header reading compliant with RFC7230, section 3.2.2 (#270). Thanks @Croug! | Low | 9/10/2019 |
| 3.22.0 | * Adds ability to check CSRF double submit token from form data instead of headers (#269). Thanks @colevscode! | Low | 8/28/2019 |
| 3.21.0 | * Require flask 1.0 or greater (#263) * Move docs to pallets-sphinx-themes (#261) * Add a new `JWT_DECODE_ISSUER` option for use with other JWT providers (#259) * Gracefully handle errors for malformed tokens (#246) | Low | 8/3/2019 |
| 3.20.0 | * Look for JWTs in the same order that they are defined in `JWT_TOKEN_LOCATION`. Thanks @stephendwolff! (#256) | Low | 7/3/2019 |
| 3.19.0 | * Adds support for using multiple algorithms for decoding JWTs. Thanks @Darkheir! (#254) | Low | 6/25/2019 |
| 3.18.2 | * Fix `JWT_SESSION_COOKIE = False` creating a cookie that was too long in the future for some browsers (#243). Thanks @allen-cook! | Low | 5/10/2019 |
| 3.18.1 | * Fixes an issue when using `decode_token` on an expired token. This issue was introduced in `3.16.0`. (#234) * Require PyJWT `1.6.4` or newer (#238) | Low | 4/10/2019 |
| 3.18.0 | * Add the ability to dynamically set user claims via the new `user_claims` argument to `create_access_token` and `create_refresh_token` functions (#229). Thanks @jeanphix * Add ability to use other datetime libraries for the token expiration configuration options. Anything that works with `datetime.datetime` (such as `dateutil`) will now work with extension (#233). Thanks @abathur | Low | 3/2/2019 |
| 3.17.0 | * Add the ability to use an integer (seconds) for the `JWT_ACCESS_TOKEN_EXPIRES` and `JWT_REFRESH_TOKEN_EXPIRES` settings. (#226) Thanks @evangilo! | Low | 2/1/2019 |
| 3.16.0 | This release changes how the `@jwt.expired_token_loader` callback function works. Before this release the callback function took no arguments. Now it will take one argument which is the decoded contents of the expired token. This lets you customize the expired token callback based on the token that was received. For example: ```python # Old way @jwt.expired_token_loader def old_expired_callback(): return jsonify(foo='bar'), 401 # New way @jwt.expired_token_loader def new_expired | Low | 1/20/2019 |
| 3.15.0 | * Adds the `JWT_DECODE_LEEWAY` option (#218). Thanks @otetard! * Adds the ability to use other data structures besides lists (such as sets, tuples, etc) as config values (#215) Thanks @illia-v! | Low | 1/3/2019 |
| 3.14.0 | In this release we are modifying how decoded tokens work, so that this extension can be more easily used by other JWT providers (#212). The important changes in this release are: * added the `JWT_DECODE_AUDIENCE` configuration option, for using the `aud` claim in JWTs * Change the `decode_key_callback()` function to now take the unverified headers as well as the unverified claims as arguments. If you have existing code that only takes one argument, it will still work, but you will see a dep | Low | 12/7/2018 |
| 3.13.1 | * Include tests in MANIFEST.in (#197) | Low | 9/28/2018 |
| 3.13.0 | * Add support for custom encode and decode keys (#91). There are now two new callbacks that can be registered: `decode_key_loader` and `encode_key_loader`. The decode callback is passed in the **unverified** JWT claims, and must return a string that will be used to decode and verify the JWT. The encode callback is passed in the identity (as passed in to the `create_access_token` or `create_refresh_token` functions) and must return a string that will be used to encode a JWT. If unset, the `JWT_S | Low | 9/16/2018 |
| 3.12.1 | * Requires cryptography >= 2.3 in response to https://nvd.nist.gov/vuln/detail/CVE-2018-10903 | Low | 8/4/2018 |
| 3.12.0 | * Add ability to get the JWT from the JSON body of the request (#173). Thanks @luord!! | Low | 7/21/2018 |
| 3.11.0 | * Adds new `JWT_ERROR_MESSAGE_KEY` option to change the JSON key on the default error messages (#160) | Low | 7/17/2018 |
| 3.10.0 | * Adds new `JWT_CLAIMS_IN_REFRESH_TOKEN` configuration option, which if set to true will cause the user claims to be loaded into refresh tokens as well as access tokens (#100). | Low | 6/5/2018 |
| 3.9.1 | I forgot to actually increase the version number on the 3.9.0 release. Whoops. Nothing new from 3.9.0 minus the version number fix. | Low | 5/11/2018 |
| 3.9.0 | * Allows passing JWTs in via the query string (#117). Note that in most cases this is not a great idea, see the documentation as to why. * Break out code to verify JWTs in a request into helper functions. This allows you to easily create your own decorators that utilize this extension (such as a `role_required` decorator), or hook up functionality to a flask before_request. (#131) | Low | 5/11/2018 |
| 3.8.2 | * Allow option to unset access and refresh cookies independently of each other (#148) | Low | 5/5/2018 |
| 3.8.1 | * Fixes JSON encoder added in 3.8.0 (#140) | Low | 4/11/2018 |
| 3.8.0 | * Default to the Flask JSON encoder and allows for custom JSON encoders for encoding JWTs (#139) | Low | 4/11/2018 |
| 3.7.2 | * Fixes a CSRF error when using jwts in cookies and the `@jwt_optional` decorator (#129) | Low | 3/6/2018 |

Similar Packages

| Package | Description | Version |
|---|---|---|
| dataclass-wizard | A wizard-like JSON serialization library for Python dataclasses | 0.39.1 |
| jsonconversion | This python module helps converting arbitrary Python objects into JSON strings and back. | 1.2.1 |
| sphinx-design | A sphinx extension for designing beautiful, view size responsive web components. | 0.7.0 |
| py-serializable | Library for serializing and deserializing Python Objects to and from JSON and XML. | 2.1.0 |
| jupyterlab-widgets | Jupyter interactive widgets for JupyterLab | 3.0.16 |