DEV Community

Discussion on: Python: Using JWT in cookies with a flask app and restful API!

Collapse
 
kr profile image
KRains

Thanks a lot for the really comprehensive article!
Flask-JWT is very complicated to me, I just can't get some things.
For example, from my understanding, when the access token is expired, we just want to use the refresh token and generate a new access token - and this should be done completely transparent for the end user. I can't get how it's done in practice. Can you explain? Thanks!

Collapse
 
totally_chase profile image
Phantz

Yep! This is one of the questions I was faced with which prompted me to write the guide.

Practically, the expired token should indeed be refreshed transparently. But that's a bit tough if you're using pure backend (which is what this guide focuses on). So what I like to do is mentioned in the @expired_token_loader and @jwt.refresh_token_required decorators above.

Basically I unset the user jwt in
@expired_token_loader and redirect the user to token/refresh, which then refreshes the jwt and redirects the user to BASE_URL. This happens fast enough to seem transparent to the user.

Collapse
 
kr profile image
KRains

Thanks for your response.
I don't see any code here redirecting back to the page (URL).
The function refresh() uses url variable but where is it from?
Thanks.

Thread Thread
 
totally_chase profile image
Phantz

The url var is just a placeholder that you can change to any URL you'd like the user to be redirected to.

Although I suppose I should change it to BASE_URL

Thread Thread
 
kr profile image
KRains

Sorry but it's still not clear for me. Do I understand properly that this function is called automatically, therefore it MUST know which URL to redirect next. You can provide BASE_URL but it's not the point because we want the redirection to be done to the same URL that fired refreshing token, right? How to gain it?
Thanks!

Thread Thread
 
totally_chase profile image
Phantz

This is exactly the drawback of using just the backend for jwt, there's no simple way for refresh to know which url the user was on when the token expired. So it just redirects to BASE_URL or any other URL you've set by default to a variable

Thread Thread
 
kr profile image
KRains

Thanks. Because I was starting feeling that something is wrong with me - I just can't get some things here :) I actually found the way to pass the url to be redirected to (just attach as a query to it) but the problem when I try to call the method with @jwt_refresh_token_required I've got kicked back to @jwt.expired_token_loader function. I'm really puzzled about what's wrong with it because I managed to make it work for API calls but not for the backend.

Thread Thread
 
totally_chase profile image
Phantz

Make sure you unset_access_cookies() before assigning new ones. Also make sure you're not "calling" the method by name (i.e refresh()). You need to redirect() to the refresh url instead

Thread Thread
 
kr profile image
KRains

Yes, I did so. But I have a feeling that I just can't set cookies on a protected route because @jwt_required decorator can't find any cookies YET and kick me out. I'm totally confused now :(