Closed: vimalloc closed this issue 5 years ago
I had no idea that feature was available. I agree that we shouldn't have a custom implementation if it's available in one of our existing dependencies, so I look forward to seeing that PR.
Note: The reason the JWTs are in the query string for certain endpoints is because of SSEs. Currently, the JS uses EventSource objects, which do not accept headers, and therefore we must leave the JWT in the query string. We are looking at various workarounds so that JWTs are not passed in via query strings anywhere in the WALKOFF code. However, for the majority of WALKOFF endpoints, JWTs are passed in the header.
It looks like you guys are using JWTs in the query string (https://github.com/iadgov/WALKOFF/blob/master/walkoff/security.py#L93-L120). A new version of flask-jwt-extended was released today that now has built-in support for this (http://flask-jwt-extended.readthedocs.io/en/latest/tokens_in_query_string.html). If there is any desire, you could probably remove the custom stuff and switch back over to this, to ensure there aren't any breaking changes if the internals of that extension change. I would be happy to throw a PR together for this if that sounds good :+1: