miguelgrinberg / microblog-api

A modern (as of 2024) Flask API back end.
MIT License

Tokens #24

Status: Closed (hackzaid closed this issue 1 year ago)

hackzaid commented 1 year ago

When you create a new token, is it just my code, or is something wrong with the codebase, that the refresh token is returned as a null value?

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.........",
  "refresh_token": null
}

And when revoking the access_token, I always get this error:

return _unicodify_header_value(self.environ[f"HTTP_{key}"])
KeyError: 'HTTP_AUTHORIZATION'

Can't seem to find where it's originating from.

hackzaid commented 1 year ago

The revoking now works after modifying the endpoint to this:

@tokens.route('/tokens', methods=['DELETE'])
@authenticate(token_auth)  # <<< added this line here
@response(EmptySchema, status_code=204, description='Token revoked')
@other_responses({401: 'Invalid access token'})
def revoke():
    """Revoke an access token"""

Is this the recommended way, or is there a better way to handle revoking tokens?

miguelgrinberg commented 1 year ago

Without the code I have no way to know how to debug this problem. This is the APIFairy project, which is generic and has nothing to do with tokens. You seem to be asking about a project in particular, maybe something based on my microblog-api example?

hackzaid commented 1 year ago

Clearly @miguelgrinberg I am expanding my project from the microblog-API example.

This is the endpoint that handles "create access and refresh tokens", as copied from the microblog-API project:

# Imports and module-level objects were not part of the pasted snippet; they
# are added here (assumed to match microblog-api's api/tokens.py) so the
# snippet reads as a complete module. token_response() is assumed to be
# defined later in the same module.
from flask import Blueprint
from apifairy import authenticate, response, other_responses

from api.app import db
from api.auth import basic_auth
from api.models import Token
from api.schemas import TokenSchema

tokens = Blueprint('tokens', __name__)
token_schema = TokenSchema()


@tokens.route('/tokens', methods=['POST'])
@authenticate(basic_auth)
@response(token_schema)
@other_responses({401: 'Invalid username or password'})
def new():
    """Create new access and refresh tokens

    The refresh token is returned in the body of the request or as a hardened
    cookie, depending on configuration. A cookie should be used when the
    client is running in an insecure environment such as a web browser, and
    cannot adequately protect the refresh token against unauthorized access.
    """
    user = basic_auth.current_user()
    token = user.generate_auth_token()
    db.session.add(token)
    Token.clean()  # keep token table clean of old tokens
    db.session.commit()
    return token_response(token)

miguelgrinberg commented 1 year ago

Okay, I think I understand. I agree, it makes sense to add the @authenticate decorator on the revoke token endpoint. It isn't strictly necessary, but from an OpenAPI standpoint it should be added so that the documentation reflects that the token is required. Will go ahead and add it.
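The KeyError: 'HTTP_AUTHORIZATION' in the first post is what you get when a handler indexes the Authorization header directly and the client did not send one: WSGI exposes request headers as HTTP_* keys in the environ, so a missing header is a missing dict key and the request ends in a 500 instead of a 401. The stand-in below is an added example written for this thread, not microblog-api's code or APIFairy's; it uses only the standard library so it runs without Flask. The in-memory token store, the token values and the WSGI adapter are constructed for illustration, and the behaviour it shows is the one a revoke endpoint should have: missing, malformed, unknown and already-revoked tokens all get the same 401 with a WWW-Authenticate challenge, and a valid token is revoked exactly once.

```python
"""Minimal stand-in for a DELETE /tokens revocation endpoint (added example).

Not microblog-api's code. Standard library only, so the failure mode from the
thread (KeyError: 'HTTP_AUTHORIZATION') can be reproduced and fixed offline.
The token store and the Bearer parsing are assumptions, not project behaviour.
"""
import re
from wsgiref.util import setup_testing_defaults

# Constructed token store: access_token -> revoked flag (assumption).
TOKENS = {"tok-alice-123": False, "tok-bob-456": False}

_BEARER = re.compile(r"^\s*Bearer\s+(\S+)\s*$", re.IGNORECASE)


def get_bearer_token(environ):
    """Return the bearer token from the WSGI environ, or None.

    WSGI exposes the Authorization header as environ['HTTP_AUTHORIZATION'];
    indexing it directly is what raised the KeyError in the thread, so use
    .get() and validate the scheme instead of assuming the header exists.
    """
    header = environ.get("HTTP_AUTHORIZATION")
    if not header:
        return None
    m = _BEARER.match(header)
    return m.group(1) if m else None


def revoke_token(environ):
    """Core logic: returns (status_code, body_bytes).

    401 for a missing, malformed, unknown or already-revoked token, 204 once
    revoked. All failure cases return the identical response so a caller
    cannot use this endpoint to probe which tokens exist.
    """
    token = get_bearer_token(environ)
    if token is None or token not in TOKENS or TOKENS[token]:
        return 401, b'{"error":"Invalid access token"}'
    TOKENS[token] = True
    return 204, b""


def revoke_app(environ, start_response):
    """WSGI adapter around revoke_token for DELETE /tokens."""
    if environ.get("REQUEST_METHOD") != "DELETE" or environ.get("PATH_INFO") != "/tokens":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    status, body = revoke_token(environ)
    reason = {401: "401 Unauthorized", 204: "204 No Content"}[status]
    headers = [("Content-Type", "application/json")] if body else []
    if status == 401:
        # RFC 6750: tell the client which scheme the endpoint expects.
        headers.append(("WWW-Authenticate", 'Bearer realm="tokens"'))
    start_response(reason, headers)
    return [body]


def make_environ(authorization=None, method="DELETE", path="/tokens"):
    """Build a constructed WSGI environ for offline testing."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    setup_testing_defaults(environ)
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    return environ


def call(environ):
    """Invoke revoke_app and return (status line, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(revoke_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(call(make_environ()))                        # no header: 401, not a 500
    print(call(make_environ("Basic YWxpY2U6cHc=")))     # wrong scheme: 401
    print(call(make_environ("Bearer tok-alice-123")))   # 204, token revoked
    print(call(make_environ("Bearer tok-alice-123")))   # second use: 401
```

With @authenticate(token_auth) on the route, the framework performs the equivalent of get_bearer_token() before the handler runs and answers 401 itself, which is why adding the decorator made the KeyError disappear; the handler can then still read the header, but it is no longer the first thing to touch it.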

hackzaid commented 1 year ago

Before you close this off, my first raised issue hasn't been resolved: the issue of the refresh token returning a null value. Can you please look into it too, or suggest what can be done to have the refresh token returned along with the access token?

(Quoted from the GitHub notification e-mail, Sunday, June 11, 2023: Closed #24 as completed via 4c5d5aa, https://github.com/miguelgrinberg/microblog-api/commit/4c5d5aa8a433ac3976ca7f6d837bd5805ba4a126.)

miguelgrinberg commented 1 year ago

Sorry, forgot to reply to that.

I suggest you read the code to understand how refresh tokens work (and the documentation for the endpoint). These can be returned in the body of the response, or in a secure cookie. You must have your application configured to return it in the secure cookie, which is more secure.
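The docstring on the new() endpoint and the maintainer's reply both describe the same switch: the refresh token goes either into the JSON body or into a hardened cookie, and in cookie mode the body deliberately carries "refresh_token": null. The code below is an added example written for this thread, not microblog-api's token_response(); it uses only the standard library. The config keys REFRESH_TOKEN_IN_BODY and REFRESH_TOKEN_IN_COOKIE, the cookie name refresh_token and the refresh path /api/tokens are assumptions that mirror the switch described above, so check your own config for the real names. What it shows is why the null appears, which cookie attributes make the cookie "hardened" (HttpOnly, Secure, SameSite=Strict, a Path scoped to the refresh endpoint), and how the refresh request should locate the token in either mode.

```python
"""Refresh-token delivery: JSON body vs. hardened cookie (added example).

Not microblog-api's code. Standard library only. Config keys, cookie name and
refresh path are assumptions made for this example.
"""
import json
from http.cookies import SimpleCookie


def token_response(access_token, refresh_token, config, refresh_path="/api/tokens"):
    """Return (json_body_dict, extra_headers_dict) for a freshly issued token pair.

    In cookie mode the body carries "refresh_token": null on purpose (that is
    the null the original poster saw) and the token travels only in a cookie
    that script cannot read (HttpOnly), that is sent only over TLS (Secure),
    that is not attached to cross-site requests (SameSite=Strict) and that is
    scoped to the refresh endpoint's path so it is not sent with every API call.
    """
    headers = {}
    if config.get("REFRESH_TOKEN_IN_COOKIE"):
        cookie = SimpleCookie()
        cookie["refresh_token"] = refresh_token
        cookie["refresh_token"]["httponly"] = True
        cookie["refresh_token"]["secure"] = True
        cookie["refresh_token"]["samesite"] = "Strict"
        cookie["refresh_token"]["path"] = refresh_path
        headers["Set-Cookie"] = cookie["refresh_token"].OutputString()
    body = {
        "access_token": access_token,
        "refresh_token": refresh_token if config.get("REFRESH_TOKEN_IN_BODY") else None,
    }
    return body, headers


def refresh_token_from_request(json_body, cookie_header):
    """Locate the refresh token on a refresh request: JSON body first, then cookie.

    Clients that hold the token themselves send it in the body; browser
    clients cannot read the HttpOnly cookie, so the browser attaches it and
    the server reads it from the Cookie header instead.
    """
    token = (json_body or {}).get("refresh_token")
    if token:
        return token
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if "refresh_token" in jar:
            return jar["refresh_token"].value
    return None


def cookie_attributes(set_cookie_value):
    """Parse a Set-Cookie value into a lowercase set of attribute names.

    Used to verify that the hardening attributes are actually present.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    return {p.split("=", 1)[0].lower() for p in parts[1:]}


if __name__ == "__main__":
    # Constructed token values; real ones would come from the token model.
    for mode in ({"REFRESH_TOKEN_IN_BODY": True, "REFRESH_TOKEN_IN_COOKIE": False},
                 {"REFRESH_TOKEN_IN_BODY": False, "REFRESH_TOKEN_IN_COOKIE": True}):
        body, headers = token_response("at-example", "rt-example", mode)
        print(json.dumps(body), headers)
```

If the API is served cross-origin to a browser front end, SameSite=Strict will prevent the cookie from being sent and the refresh call will fail; in that deployment the cookie needs SameSite=None together with Secure, which is a deliberate weakening that should be paired with CORS restricted to the front end's origin.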