Closed justindz closed 7 years ago
I amped up my logging level and I can see that the endpoint returns 401, but it still returns the JSON payload, so the client gets the information even though it's not authorized. Hope that helps clarify.
Ah, I made a mistake on the client side that wasn't obvious, when interpreting the status responses. Total non-issue.
I am hoping to use flask-jwt for authentication to my RESTful API. Here is my setup:
```python
from flask import Flask
from flask_jwt import JWT, jwt_required, current_identity
import logging

# `connection` (the MongoDB connection object) is created elsewhere in the poster's code


def authenticate(email, password):
    account = connection.Account.find_one({'email': email})
    # the rest of this function (password check and return) was cut off in the original post


def identity(payload):
    email = payload['identity']
    account = connection.Account.find_one({'email': email})
    return account


# configuration
app = Flask(__name__)
app.config.from_object(__name__)
app.config['DATABASE'] = 'arpgmanager'
app.config['MONGODB_HOST'] = '127.0.0.1'
app.config['MONGODB_PORT'] = 27017
app.config['SECRET_KEY'] = '[redacted]'

logging.basicConfig()

jwt = JWT(app, authenticate, identity)
```
Please note that the Flask server is running in DEBUG mode.
And here is the endpoint:
```python
# `dumps` is presumably bson.json_util.dumps; the import is not shown in the post
from bson.json_util import dumps


@app.route('/player/<pid>')
@jwt_required()
def get_player(pid):
    player = connection.Player.find_one({'id': pid})
    return dumps(player)
```
Scenario: I call the endpoint without first calling /auth and getting an access token.
Expected: The JSON dump of the player object is protected and does not get returned.
Actual: The JSON dump of the player object is returned to the client as normal. An ERROR saying the request doesn't contain an access token is logged to the console.
I believe I'm not understanding the documentation correctly. Should I, in the endpoint decorated by jwt_required, be manually checking for an error, or for some state of current_identity, and determining whether to respond to the requester? I did not expect a protected endpoint to work without an access token.
Thanks in advance for any guidance you can provide.
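The behaviour the issue expects (a `jwt_required` view never runs for an anonymous caller; the 401 body carries an error description, not the resource) and the client-side lesson from the follow-up (check the status code before treating the body as a player) can both be shown without a server. The block below is an added example, not code from the flask-jwt project or from the issue: it models flask-jwt's `JWT <token>` Authorization header and its `identity` claim with a hand-rolled HS256 token so it runs with the standard library only. `SECRET_KEY`, `PLAYERS`, the error messages and the `request` dict passed to the view are constructed stand-ins for the real app, Mongo collection and Flask request.

```python
import base64
import hashlib
import hmac
import json
import time
from functools import wraps

# Constructed secret for this example; the post's real SECRET_KEY is redacted.
SECRET_KEY = b"example-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(identity, secret=SECRET_KEY, ttl=300, now=None):
    """Issue an HS256 JWT whose 'identity' claim mirrors what flask-jwt's /auth hands out."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"identity": identity, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_token(token, secret=SECRET_KEY, now=None):
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature mismatch: modified payload or wrong key
        header = json.loads(_b64url_decode(head))
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or JSON
    if header.get("alg") != "HS256":
        return None  # never let the token pick the algorithm
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def jwt_required(view):
    """Answer 401 before the view runs, so the view body never executes for an anonymous caller."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        scheme, _, token = request.get("headers", {}).get("Authorization", "").partition(" ")
        if scheme != "JWT" or not token:
            return 401, {"status_code": 401, "error": "Authorization Required",
                         "description": "Request does not contain an access token"}
        payload = decode_token(token)
        if payload is None:
            return 401, {"status_code": 401, "error": "Invalid token",
                         "description": "Signature verification failed or token expired"}
        request["identity"] = payload["identity"]  # stands in for flask-jwt's current_identity
        return view(request, *args, **kwargs)
    return wrapper


# Constructed stand-in for the Player collection in the post.
PLAYERS = {"p1": {"id": "p1", "name": "Exile", "owner": "alice@example.com"}}


@jwt_required
def get_player(request, pid):
    """Modelled view: returns (status, body) like the decorated Flask endpoint."""
    player = PLAYERS.get(pid)
    if player is None:
        return 404, {"status_code": 404, "error": "Not Found"}
    return 200, dict(player)


def fetch_player(pid, token=None):
    """Client side: decide on the status code first, only then trust the body as a player."""
    headers = {"Authorization": f"JWT {token}"} if token else {}
    status, body = get_player({"headers": headers}, pid)
    if status == 401:
        raise PermissionError(f"{status}: {body['description']}")
    if status != 200:
        raise RuntimeError(f"{status}: {body['error']}")
    return body
```

The design point is that the decorator short-circuits: an unauthenticated request gets a 401 with an error body and the view never touches the collection, and a client that branches on the status code before parsing cannot mistake that error body for a player document.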