Use one header for all csrf token double sumbits

Author: vimalloc

flask_jwt_extended/config.py

@@ -1,14 +1,6 @@
 import datetime
 from flask import current_app
 
-# TODO move this to the docs
-# blacklist storage options (simplekv). If using a storage option that supports
-# the simplekv.TimeToLiveMixin (example: redis, memcached), the TTL will be
-# automatically set to 15 minutes after the token expires (to account for
-# clock drift between different jwt providers/consumers).
-#
-# See: http://pythonhosted.org/simplekv/index.html#simplekv.TimeToLiveMixin
-
 
 # TODO support for cookies and headers at the same time. This could be useful
 #      for using cookies in a web browser (more secure), and headers in a mobile
@@ -29,15 +21,11 @@
 ACCESS_COOKIE_PATH = None
 REFRESH_COOKIE_PATH = None
 
-# TODO set domain for the cookie
-# TODO only one header for both access and refresh tokens, as we will only be
-#      checking one of those at a time
 # Options for using double submit for verifying CSRF tokens
 COOKIE_CSRF_PROTECT = True
 ACCESS_CSRF_COOKIE_NAME = 'csrf_access_token'
 REFRESH_CSRF_COOKIE_NAME = 'csrf_refresh_token'
-ACCESS_CSRF_HEADER_NAME = 'X-CSRF-ACCESS-TOKEN'
-REFRESH_CSRF_HEADER_NAME = 'X-CSRF-REFRESH-TOKEN'
+CSRF_HEADER_NAME = 'X-CSRF-TOKEN'
 
 # How long an a token will live before they expire.
 ACCESS_TOKEN_EXPIRES = datetime.timedelta(minutes=15)
@@ -100,12 +88,8 @@ def get_refresh_csrf_cookie_name():
     return current_app.config.get('JWT_REFRESH_CSRF_COOKIE_NAME', REFRESH_CSRF_COOKIE_NAME)
 
 
-def get_access_csrf_header_name():
-    return current_app.config.get('JWT_ACCESS_CSRF_HEADER_NAME', ACCESS_CSRF_HEADER_NAME)
-
-
-def get_refresh_csrf_header_name():
-    return current_app.config.get('JWT_REFRESH_CSRF_HEADER_NAME', REFRESH_CSRF_HEADER_NAME)
+def get_csrf_header_name():
+    return current_app.config.get('JWT_CSRF_HEADER_NAME', CSRF_HEADER_NAME)
 
 
 def get_jwt_header_type():

flask_jwt_extended/utils.py

@@ -18,7 +18,7 @@
     get_cookie_csrf_protect, get_access_csrf_cookie_name, \
     get_refresh_cookie_name, get_refresh_cookie_path, \
     get_refresh_csrf_cookie_name, get_token_location, \
-    get_access_csrf_header_name, get_refresh_csrf_header_name
+    get_csrf_header_name
 from flask_jwt_extended.exceptions import JWTEncodeError, JWTDecodeError, \
     InvalidHeaderError, NoAuthorizationError, WrongTokenError, RevokedTokenError, \
     FreshTokenRequired
@@ -179,10 +179,8 @@ def _decode_jwt_from_headers():
 def _decode_jwt_from_cookies(type):
     if type == 'access':
         cookie_key = get_access_cookie_name()
-        csrf_header_key = get_access_csrf_header_name()
     else:
         cookie_key = get_refresh_cookie_name()
-        csrf_header_key = get_refresh_csrf_header_name()
 
     token = request.cookies.get(cookie_key)
     if not token:
@@ -192,6 +190,7 @@ def _decode_jwt_from_cookies(type):
     token = _decode_jwt(token, secret, algorithm)
 
     if get_cookie_csrf_protect():
+        csrf_header_key = get_csrf_header_name()
         csrf = request.headers.get(csrf_header_key, None)
         if not csrf or not safe_str_cmp(csrf,  token['csrf']):
             raise NoAuthorizationError("Missing or invalid csrf double submit header")

tests/test_config.py

@@ -10,8 +10,7 @@
     get_token_location, get_cookie_secure, get_access_cookie_name, \
     get_refresh_cookie_name, get_access_cookie_path, get_refresh_cookie_path, \
     get_cookie_csrf_protect, get_access_csrf_cookie_name, \
-    get_refresh_csrf_cookie_name, get_access_csrf_header_name, \
-    get_refresh_csrf_header_name
+    get_refresh_csrf_cookie_name, get_csrf_header_name
 from flask_jwt_extended import JWTManager
 
 
@@ -24,7 +23,6 @@ def setUp(self):
         JWTManager(self.app)
         self.client = self.app.test_client()
 
-    #57, 69, 73, 77, 81, 85, 89, 93, 97, 101, 105
     def test_default_configs(self):
         with self.app.test_request_context():
             self.assertEqual(get_token_location(), 'headers')
@@ -39,8 +37,7 @@ def test_default_configs(self):
             self.assertEqual(get_cookie_csrf_protect(), True)
             self.assertEqual(get_access_csrf_cookie_name(), 'csrf_access_token')
             self.assertEqual(get_refresh_csrf_cookie_name(), 'csrf_refresh_token')
-            self.assertEqual(get_access_csrf_header_name(), 'X-CSRF-ACCESS-TOKEN')
-            self.assertEqual(get_refresh_csrf_header_name(), 'X-CSRF-REFRESH-TOKEN')
+            self.assertEqual(get_csrf_header_name(), 'X-CSRF-TOKEN')
 
             self.assertEqual(get_access_expires(), timedelta(minutes=15))
             self.assertEqual(get_refresh_expires(), timedelta(days=30))
@@ -62,8 +59,7 @@ def test_override_configs(self):
         self.app.config['JWT_COOKIE_CSRF_PROTECT'] = False
         self.app.config['JWT_ACCESS_CSRF_COOKIE_NAME'] = 'banana1a'
         self.app.config['JWT_REFRESH_CSRF_COOKIE_NAME'] = 'banana2a'
-        self.app.config['JWT_ACCESS_CSRF_HEADER_NAME'] = 'banana1b'
-        self.app.config['JWT_REFRESH_CSRF_HEADER_NAME'] = 'banana2b'
+        self.app.config['JWT_CSRF_HEADER_NAME'] = 'bananaaaa'
 
         self.app.config['JWT_ACCESS_TOKEN_EXPIRES'] = timedelta(minutes=5)
         self.app.config['JWT_REFRESH_TOKEN_EXPIRES'] = timedelta(days=7)
@@ -85,8 +81,7 @@ def test_override_configs(self):
             self.assertEqual(get_cookie_csrf_protect(), False)
             self.assertEqual(get_access_csrf_cookie_name(), 'banana1a')
             self.assertEqual(get_refresh_csrf_cookie_name(), 'banana2a')
-            self.assertEqual(get_access_csrf_header_name(), 'banana1b')
-            self.assertEqual(get_refresh_csrf_header_name(), 'banana2b')
+            self.assertEqual(get_csrf_header_name(), 'bananaaaa')
 
             self.assertEqual(get_access_expires(), timedelta(minutes=5))
             self.assertEqual(get_refresh_expires(), timedelta(days=7))

tests/test_protected_endpoints.py

@@ -502,7 +502,7 @@ def test_access_endpoints_with_cookies_and_csrf(self):
 
         # Try with logged in and good double submit token
         response = self.client.get('/api/protected',
-                                   headers={'X-CSRF-ACCESS-TOKEN': access_csrf})
+                                   headers={'X-CSRF-TOKEN': access_csrf})
         status_code = response.status_code
         data = json.loads(response.get_data(as_text=True))
         self.assertEqual(status_code, 200)