pallets-eco / flask-jwt

JWT (JSON Web Tokens) for Flask applications
MIT License

Expired tokens should return 401 #26

Closed ryanolson closed 10 years ago

ryanolson commented 10 years ago

An expired JWT should return a 401 so the end user/client knows that they should re-authenticate and try again.

coveralls commented 10 years ago


Coverage remained the same when pulling 6eb2f4aef6653cc78d30e0a1d15da5134427f914 on ryanolson:401_on_expired into 4f35c2af1e7a8bfc1d1bc853006ae3bd2f3da8d5 on mattupstate:master.

jarmani commented 10 years ago

Sounds good, supersede #5.

ryanolson commented 10 years ago

@mattupstate thoughts?

mattupstate commented 10 years ago

For that matter, should the "undecipherable token" error produce a 401 as well?

ryanolson commented 10 years ago

I think an undecipherable token should be a 400. I'm not sure. It kind of hints at someone messing with the token or something going bad on the server side, perhaps a configuration change.

With an expired token, we know it was at one point a valid token, because it passed all the other criteria. With an undecipherable, I'm not sure we can say the same thing.
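The distinction drawn in the comment above, worked through in code as an added example (this is not flask-jwt's own implementation): a minimal HS256 verifier built on the Python standard library that checks the signature before it looks at the `exp` claim, so an expired token is one whose signature verified and only its lifetime failed (401), while a malformed, tampered or differently signed token is rejected as undecipherable (400). The function names `decode`, `status_for`, the two exception classes and the constructed secret are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time


class UndecipherableToken(Exception):
    """Token cannot be trusted at all: malformed, bad signature, unexpected alg."""
    status_code = 400


class ExpiredToken(Exception):
    """Signature verified, so the token was once valid; only the exp claim failed."""
    status_code = 401


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()


def encode(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT; used here only to build constructed test inputs."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8")),
    ]
    signing_input = ".".join(segments).encode("ascii")
    segments.append(_b64url_encode(_sign(signing_input, secret)))
    return ".".join(segments)


def decode(token: str, secret: str, now=None) -> dict:
    """Verify an HS256 JWT. Signature is checked before exp, so a tampered
    exp claim is 'undecipherable', never merely 'expired'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise UndecipherableToken("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload_raw = _b64url_decode(payload_b64)
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:  # binascii.Error is a ValueError
        raise UndecipherableToken("segment is not valid base64url/JSON") from exc
    # Only the algorithm this verifier was configured for is acceptable.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise UndecipherableToken("unexpected or missing alg")
    expected = _sign((header_b64 + "." + payload_b64).encode("ascii"), secret)
    if not hmac.compare_digest(expected, signature):
        raise UndecipherableToken("signature mismatch")
    try:
        payload = json.loads(payload_raw)
    except ValueError as exc:
        raise UndecipherableToken("payload is not JSON") from exc
    if not isinstance(payload, dict):
        raise UndecipherableToken("payload is not a JSON object")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        raise UndecipherableToken("missing or non-numeric exp")
    current = time.time() if now is None else now
    if current >= exp:
        raise ExpiredToken("token expired at %d" % exp)
    return payload


def status_for(token: str, secret: str, now=None) -> int:
    """Map the outcome of decode() to the HTTP status argued for in the thread."""
    try:
        decode(token, secret, now)
    except ExpiredToken as exc:
        return exc.status_code  # 401: client should re-authenticate
    except UndecipherableToken as exc:
        return exc.status_code  # 400: token was never usable as presented
    return 200


if __name__ == "__main__":
    secret = "constructed-secret-for-demo"  # constructed, not a real key
    live = encode({"sub": "alice", "exp": int(time.time()) + 60}, secret)
    stale = encode({"sub": "alice", "exp": 1000}, secret)
    print(status_for(live, secret), status_for(stale, secret), status_for("garbage", secret))
```

The order of checks is the point: if `exp` were inspected before the signature, a token whose `exp` had been edited would be reported as "expired" rather than rejected outright, and the client would be told to re-authenticate when the real problem is that the token is not trustworthy at all.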

ryanolson commented 10 years ago

@mattupstate - do you think we can get this pull request merged and available via pypi?