Replace itsdangerous with pyjwt in examples (Fixes #157)

miguelgrinberg · Feb 11, 2023 · 6f708b0 · 6f708b0
1 parent 03ff944
commit 6f708b0
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 10 deletions.
diff --git a/examples/multi_auth.py b/examples/multi_auth.py
@@ -6,16 +6,18 @@
 
 The root URL for this application can be accessed via basic auth, providing
 username and password, or via token auth, providing a bearer JWS token.
+
+This example requires the PyJWT package to be installed.
 """
+from time import time
 from flask import Flask
 from flask_httpauth import HTTPBasicAuth, HTTPTokenAuth, MultiAuth
 from werkzeug.security import generate_password_hash, check_password_hash
-from itsdangerous import TimedJSONWebSignatureSerializer as JWS
+import jwt
 
 
 app = Flask(__name__)
 app.config['SECRET_KEY'] = 'top secret!'
-jws = JWS(app.config['SECRET_KEY'], expires_in=3600)
 
 basic_auth = HTTPBasicAuth()
 token_auth = HTTPTokenAuth('Bearer')
@@ -28,7 +30,8 @@
 }
 
 for user in users.keys():
-    token = jws.dumps({'username': user})
+    token = jwt.encode({'username': user, 'exp': int(time()) + 3600},
+                       app.config['SECRET_KEY'], algorithm='HS256')
     print('*** token for {}: {}\n'.format(user, token))
 
 
@@ -42,7 +45,8 @@ def verify_password(username, password):
 @token_auth.verify_token
 def verify_token(token):
     try:
-        data = jws.loads(token)
+        data = jwt.decode(token, app.config['SECRET_KEY'],
+                          algorithms=['HS256'])
     except:  # noqa: E722
         return False
     if 'username' in data:

diff --git a/examples/token_auth.py b/examples/token_auth.py
@@ -2,38 +2,44 @@
 """Token authentication example
 
 This example demonstrates how to protect Flask endpoints with token
-authentication, using tokens.
+authentication, using JWT tokens. To use this example you need to install the
+PyJWT library:
+
+    pip install pyjwt
 
 When this application starts, a token is generated for each of the two users.
 To gain access, you can use a command line HTTP client such as curl, passing
 one of the tokens:
 
     curl -X GET -H "Authorization: Bearer <jws-token>" http://localhost:5000/
 
-The response should include the username, which is obtained from the token.
+The response should include the username, which is obtained from the token. The
+tokens have a validity time of one hour, after which they will be rejected.
 """
+from time import time
 from flask import Flask
 from flask_httpauth import HTTPTokenAuth
-from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
+import jwt
 
 
 app = Flask(__name__)
 app.config['SECRET_KEY'] = 'top secret!'
-token_serializer = Serializer(app.config['SECRET_KEY'], expires_in=3600)
 
 auth = HTTPTokenAuth('Bearer')
 
 
 users = ['john', 'susan']
 for user in users:
-    token = token_serializer.dumps({'username': user}).decode('utf-8')
+    token = jwt.encode({'username': user, 'exp': int(time()) + 3600},
+                       app.config['SECRET_KEY'], algorithm='HS256')
     print('*** token for {}: {}\n'.format(user, token))
 
 
 @auth.verify_token
 def verify_token(token):
     try:
-        data = token_serializer.loads(token)
+        data = jwt.decode(token, app.config['SECRET_KEY'],
+                          algorithms=['HS256'])
     except:  # noqa: E722
         return False
     if 'username' in data: