# Lesson 2: Generating JWT Tokens Upon Login

# Generating JWT Tokens Upon Login

Welcome to the next step in securing your Flask application! In the last lesson, you learned how to create a basic login endpoint that validates user credentials. Today, we'll enhance that by introducing **JSON Web Tokens (JWT)** to improve security.

## Recap of API Setup

Let’s quickly recap our Flask app setup and the initial code.

```python
from flask import Flask, request, jsonify
from marshmallow import Schema, fields, ValidationError
from marshmallow.validate import Length

# Initialize a Flask app instance
app = Flask(__name__)

# Mock database of users
database = [
    {"id": 1, "username": "cosmo", "password": "space-corgi"}
]

# Define a schema for validating login data
class LoginSchema(Schema):
    username = fields.Str(required=True, validate=Length(min=1))
    password = fields.Str(required=True, validate=Length(min=1))

# Create an instance of LoginSchema
login_schema = LoginSchema()
```

This code sets up a Flask app with a mock database and uses **Marshmallow** to validate login data.

## Understanding Bearer Tokens

A **Bearer Token** is like a "movie ticket" that you present to gain entry. Instead of sending your username and password with every request (which is risky), you log in once and receive a bearer token. You include this token in the headers of future requests.

### JWT: A Type of Bearer Token

A **JWT (JSON Web Token)** is a compact, URL-safe token used to represent claims between two parties securely. It consists of three parts:

1. **Header**: Contains metadata like the type of token and hashing algorithm.
2. **Payload**: Holds claims, such as user information and token expiration.
3. **Signature**: Verifies the token's integrity using a secret key.

## Installing and Configuring Flask-JWT-Extended

To generate and manage JWT tokens in Flask, install the `Flask-JWT-Extended` library:

```bash
pip install flask-jwt-extended
```

In the CodeSignal environment, this library is pre-installed.

### JWTManager Configuration

```python
from flask_jwt_extended import JWTManager

# Set the secret key for signing JWTs
app.config['JWT_SECRET_KEY'] = 'super-secret'

# Initialize the JWTManager with the Flask app
jwt = JWTManager(app)
```

#### Key Steps:

- **Secret Key**: `app.config['JWT_SECRET_KEY']` is used to sign JWTs. Ensure this key is strong and unpredictable in production.
- **JWTManager Initialization**: Initializes JWT handling in your Flask app.

## Recap of the Login Endpoint

Before we start generating JWT tokens, let’s revisit the basic login endpoint.

```python
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        return jsonify(error=err.messages), 400

    # Extract username and password
    username = data['username']
    password = data['password']

    # Find the user in the database
    user = next((user for user in database if user["username"] == username), None)
    
    if user and user["password"] == password:
        return jsonify(message="Login successful"), 200
    else:
        return jsonify(error="Bad username or password"), 401
```

## Returning a Generated JWT on Login

Now, let’s modify the `/login` endpoint to generate a JWT token upon successful authentication.

```python
from flask_jwt_extended import create_access_token

@app.route('/login', methods=['POST'])
def login():
    try:
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        return jsonify(error=err.messages), 400

    username = data['username']
    password = data['password']

    user = next((user for user in database if user["username"] == username), None)

    if user and user["password"] == password:
        # Create an access token
        access_token = create_access_token(identity=username)
        # Return the access token
        return jsonify(access_token=access_token), 200
    else:
        return jsonify(error="Bad username or password"), 401
```

### Key Changes:

1. **Import `create_access_token`**: To generate a JWT.
2. **Generate Access Token**: The token is created with `create_access_token(identity=username)`, where the identity is the username.
3. **Return Access Token**: The token is included in the JSON response.

## Example of Successful Login Response

When a user logs in successfully, the response includes a JWT token:

```json
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
}
```

The client stores this token and includes it in future requests as a **Bearer token** in the authorization header.

## Summary and Next Steps

In this lesson, you learned how to secure your Flask app by:

- Understanding JWT and its use in authentication.
- Installing and configuring `Flask-JWT-Extended`.
- Enhancing the `/login` endpoint to generate and return JWT tokens.

Next, you can start using this token to protect your API endpoints. Keep practicing and ensure your implementation is secure!

Happy coding!

## Run and Generate a JWT Token

Well done on completing the lesson! Now let's see the JWT token generation in action! 🔐

In this exercise, you don't need to write any code. Wait a bit for the environment to be set up, then click on Run to execute the code and observe the output.
```py
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, create_access_token
from marshmallow import Schema, fields, ValidationError
from marshmallow.validate import Length

# Initialize a Flask app instance
app = Flask(__name__)

# Mock database of users
database = [
    {"id": 1, "username": "cosmo", "password": "space-corgi"}
]

# Define a schema for validating login data
class LoginSchema(Schema):
    username = fields.Str(required=True, validate=Length(min=1))
    password = fields.Str(required=True, validate=Length(min=1))

# Create an instance of LoginSchema
login_schema = LoginSchema()

# Set the secret key for signing JWTs
app.config['JWT_SECRET_KEY'] = 'super-secret' 

# Initialize the JWTManager with the Flask app
jwt = JWTManager(app)

# Define a route to receive login credentials
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data according to the schema
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        # If validation fails, return an error message and a 400 status code
        return jsonify(error=err.messages), 400

    # Extract username and password from the validated data
    username = data['username']
    password = data['password']

    # Find the user in the mock database
    user = next((user for user in database if user["username"] == username), None)
    
    # Check if the user exists and if the password matches
    if user and user["password"] == password:
        # Create an access token for the user
        access_token = create_access_token(identity=username)
        # Return the access token with a success message
        return jsonify(access_token=access_token), 200
    else:
        # Return an error if the user does not exist or the password is incorrect
        return jsonify(error="Bad username or password"), 401
```

## Setting Up JWT Authentication

Time to apply what you've learned.

Your task is to complete the Flask application by setting up JWT for user authentication. Fill in the missing parts where indicated to:

Set the secret key.
Initialize the JWTManager.
Fill in the identity argument to create an access token.
This will solidify your understanding of integrating JWT authentication in Flask apps.

```py
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, create_access_token
from marshmallow import Schema, fields, ValidationError
from marshmallow.validate import Length

# Initialize a Flask app instance
app = Flask(__name__)

# Mock database of users
database = [
    {"id": 1, "username": "cosmo", "password": "space-corgi"}
]

# Define a schema for validating login data
class LoginSchema(Schema):
    username = fields.Str(required=True, validate=Length(min=1))
    password = fields.Str(required=True, validate=Length(min=1))

# Create an instance of LoginSchema
login_schema = LoginSchema()

# TODO: Set the secret key for signing JWTs
app.config['JWT_SECRET_KEY'] = 'super-secret' 

# TODO: Initialize the JWTManager with the Flask app instance
jwt = JWTManager(app)

# Define a route to receive login credentials
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data according to the schema
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        # If validation fails, return an error message and a 400 status code
        return jsonify(error=err.messages), 400

    # Extract username and password from the validated data
    username = data['username']
    password = data['password']

    # Find the user in the mock database
    user = next((user for user in database if user["username"] == username), None)
    
    # Check if the user exists and if the password matches
    if user and user["password"] == password:
        # TODO: Create an access token using the username as identity
        access_token = create_access_token(identity=username)
        # Return the access token with a success message
        return jsonify(access_token=access_token), 200
    else:
        # Return an error if the user does not exist or the password is incorrect
        return jsonify(error="Bad username or password"), 401
```

## Fix the JWT Bug

You're doing an excellent job! Bugs are part of the journey, and mastering the art of debugging is crucial. Your task is to find and fix a bug in our code.

We have a Flask application with a /login endpoint designed to validate user credentials and generate a JWT token. However, a small mistake is preventing it from working correctly.

Delve into the code, uncover the bug, and resolve it.

```py
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, create_access_token
from marshmallow import Schema, fields, ValidationError
from marshmallow.validate import Length

# Initialize a Flask app instance
app = Flask(__name__)

# Mock database of users
database = [
    {"id": 1, "username": "cosmo", "password": "space-corgi"}
]

# Define a schema for validating login data
class LoginSchema(Schema):
    username = fields.Str(required=True, validate=Length(min=1))
    password = fields.Str(required=True, validate=Length(min=1))

# Create an instance of LoginSchema
login_schema = LoginSchema()

# Initialize the JWTManager with the Flask app
jwt = JWTManager(app)

# Set the secret key for signing JWTs
app.config['JWT_SECRET_KEY'] = 'super-secret' 

# Define a route to receive login credentials
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data according to the schema
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        # If validation fails, return an error message and a 400 status code
        return jsonify(error=err.messages), 400

    # Extract username and password from the validated data
    username = data['username']
    password = data['password']

    # Find the user in the mock database
    user = next((user for user in database if user["username"] == username), None)
    
    # Check if the user exists and if the password matches
    if user and user["password"] == password:
        # Create an access token for the user
        access_token = create_access_token()
        # Return the access token with a success message
        return jsonify(access_token=access_token), 200
    else:
        # Return an error if the user does not exist or the password is incorrect
        return jsonify(error="Bad username or password"), 401

```

Thank you for your kind words! The bug in the code is in the line where the access token is created. When calling `create_access_token()`, it's missing the `identity` parameter, which is required to associate the token with a user identity.

Here’s the corrected version of the `/login` function:

### Bug Fix:
```py
# Correct the creation of the access token by passing the user's identity
access_token = create_access_token(identity=user['id'])
```

### Full corrected `/login` route:
```py
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data according to the schema
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        # If validation fails, return an error message and a 400 status code
        return jsonify(error=err.messages), 400

    # Extract username and password from the validated data
    username = data['username']
    password = data['password']

    # Find the user in the mock database
    user = next((user for user in database if user["username"] == username), None)
    
    # Check if the user exists and if the password matches
    if user and user["password"] == password:
        # Create an access token for the user (fixed bug: added identity parameter)
        access_token = create_access_token(identity=user['id'])
        # Return the access token with a success message
        return jsonify(access_token=access_token), 200
    else:
        # Return an error if the user does not exist or the password is incorrect
        return jsonify(error="Bad username or password"), 401
```

### Explanation:
- The `create_access_token()` function requires the `identity` argument to know which user the token is being created for. Passing the `user['id']` as the `identity` will ensure the token is linked to the correct user.

This should resolve the issue with your `/login` endpoint!

## Complete Your Flask JWT Login

Nice work so far!

You've learned a lot about JWT-based authentication, and it's time to put that knowledge to use. In this exercise, you'll complete the code to correctly set up a Flask app that generates and returns JWT tokens upon successful login.

Fill in the missing lines of code to make the login endpoint work as intended. Focus on:

Defining the secret key
Setting up the JWTManager
Generating and returning the access token (use the key access_token in the JSON response)
You've got this!

```py
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, create_access_token
from marshmallow import Schema, fields, ValidationError
from marshmallow.validate import Length

# Initialize a Flask app instance
app = Flask(__name__)

# Mock database of users
database = [
    {"id": 1, "username": "cosmo", "password": "space-corgi"}
]

# Define a schema for validating login data
class LoginSchema(Schema):
    username = fields.Str(required=True, validate=Length(min=1))
    password = fields.Str(required=True, validate=Length(min=1))

# Create an instance of LoginSchema
login_schema = LoginSchema()

# TODO: Set the secret key for signing JWTs


# TODO: Initialize the JWTManager with the Flask app


# Define a route to receive login credentials
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data according to the schema
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        # If validation fails, return an error message and a 400 status code
        return jsonify(error=err.messages), 400

    # Extract username and password from the validated data
    username = data['username']
    password = data['password']

    # Find the user in the mock database
    user = next((user for user in database if user["username"] == username), None)
    
    # Check if the user exists and if the password matches
    if user and user["password"] == password:
        # TODO: Create an access token for the user

        # TODO: Return the access token with a success message (use the key 'access_token' in the JSON response)

    else:
        # Return an error if the user does not exist or the password is incorrect
        return jsonify(error="Bad username or password"), 401

```

You're doing great! Let's complete the Flask app with JWT-based authentication. Here’s the full solution with the missing lines of code added:

### Completed code:
```py
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, create_access_token
from marshmallow import Schema, fields, ValidationError
from marshmallow.validate import Length

# Initialize a Flask app instance
app = Flask(__name__)

# Mock database of users
database = [
    {"id": 1, "username": "cosmo", "password": "space-corgi"}
]

# Define a schema for validating login data
class LoginSchema(Schema):
    username = fields.Str(required=True, validate=Length(min=1))
    password = fields.Str(required=True, validate=Length(min=1))

# Create an instance of LoginSchema
login_schema = LoginSchema()

# TODO: Set the secret key for signing JWTs
app.config['JWT_SECRET_KEY'] = 'super-secret-key'  # Replace with a strong secret in production

# TODO: Initialize the JWTManager with the Flask app
jwt = JWTManager(app)

# Define a route to receive login credentials
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data according to the schema
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        # If validation fails, return an error message and a 400 status code
        return jsonify(error=err.messages), 400

    # Extract username and password from the validated data
    username = data['username']
    password = data['password']

    # Find the user in the mock database
    user = next((user for user in database if user["username"] == username), None)
    
    # Check if the user exists and if the password matches
    if user and user["password"] == password:
        # TODO: Create an access token for the user
        access_token = create_access_token(identity=user['id'])

        # TODO: Return the access token with a success message (use the key 'access_token' in the JSON response)
        return jsonify(access_token=access_token), 200
    else:
        # Return an error if the user does not exist or the password is incorrect
        return jsonify(error="Bad username or password"), 401

# Run the app if executed directly
if __name__ == '__main__':
    app.run(debug=True)
```

### Breakdown of the missing parts:
1. **Set the secret key:**
   - `app.config['JWT_SECRET_KEY'] = 'super-secret-key'`
   - This is required for signing the JWT. In production, you should use a more secure and complex key.

2. **Initialize the JWTManager:**
   - `jwt = JWTManager(app)`
   - This initializes the `JWTManager` so that Flask can handle JWT tokens.

3. **Generate the access token:**
   - `access_token = create_access_token(identity=user['id'])`
   - The `identity` parameter is required to bind the token to the user's identity, in this case, the user's `id`.

4. **Return the access token:**
   - `return jsonify(access_token=access_token), 200`
   - The token is returned in the JSON response with the key `access_token`.

Now, with these changes, your Flask app should work correctly for JWT-based authentication!