# Lesson 3: Securing an Endpoint with JWT

# Securing an Endpoint with JWT

Welcome back! In the previous lessons, we learned how to create a basic login endpoint and integrate JSON Web Tokens (JWT) for authentication. By now, you should be familiar with setting up a Flask application, validating user credentials using Marshmallow, and generating JWTs upon successful login.

In this lesson, we will take a crucial step forward by learning how to secure an endpoint using JWT. Securing endpoints ensures that only authenticated users can access certain parts of your application, enhancing the overall security of your API.

---

## Configuring the Protected Endpoint

To secure an endpoint using JWT, we will leverage the `@jwt_required` decorator from the **Flask-JWT-Extended** library. This decorator ensures that any request made to the decorated route must include a valid JWT.

Here's how you can create a protected route in your Flask application:

```python
from flask_jwt_extended import jwt_required

# Define a route that requires a valid JWT to access
@app.route('/protected', methods=['GET'])
@jwt_required()
def protected_route():
    return jsonify(message="This is a protected route, and you are authenticated!"), 200
```

By adding the `@jwt_required` decorator, the endpoint is secured as it requires the presence of a valid JWT in the request headers. If the JWT is missing or invalid, the request will be denied.

With this setup, you can ensure that only authenticated users can access the `/protected` endpoint.

---

## Handling Requests Without a JWT

If a client tries to access the protected endpoint without including the JWT token in the request, the server will respond with an error message indicating that the authorization header is missing. Here is an example of the response JSON for such a request:

```json
{
  "msg": "Missing Authorization Header"
}
```

---

## Making a Successful Request with a JWT

To make a successful request to the protected endpoint, the client must first send a login request to obtain a JWT token. After obtaining the token, the client must include it in the **Authorization** header of the HTTP request.

The header should be formatted as follows:

```
Authorization: Bearer <your-token>
```

When a valid JWT token is provided, the server will allow access to the protected endpoint and return a success message, indicating that the client is authenticated.

```json
{
  "message": "This is a protected route, and you are authenticated!"
}
```

---

## Summary and Next Steps

In this lesson, we covered the following key points:

- The importance of securing endpoints in a Flask application.
- How to use Flask-JWT-Extended's `@jwt_required` decorator to secure an endpoint.

You've now mastered how to secure an endpoint using JWT in Flask, ensuring that only authenticated users can access specific parts of your application. Up next, you will have the opportunity to practice what you've learned with hands-on exercises.

---

Keep up the great work, and let's continue fortifying our Flask application to make it even more robust and secure!

## Secured Endpoint in Action

Fantastic work getting this far! Now it's time to see your protected endpoint in action.

Here's the plan for our tests:

First, we'll try to access the protected endpoint without logging in.
Then, we'll log in using the correct credentials.
Finally, we'll access the protected endpoint again.
We've got everything set up for you—just give us a couple of seconds to prepare the environment, and then click Run to see the magic happen! 🚀

```py
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, create_access_token, jwt_required
from marshmallow import Schema, fields, ValidationError
from marshmallow.validate import Length

# Initialize a Flask app instance
app = Flask(__name__)

# Mock database of users
database = [
    {"id": 1, "username": "cosmo", "password": "space-corgi"}
]

# Define a schema for validating login data
class LoginSchema(Schema):
    username = fields.Str(required=True, validate=Length(min=1))
    password = fields.Str(required=True, validate=Length(min=1))

# Create an instance of LoginSchema
login_schema = LoginSchema()

# Set the secret key for signing JWTs
app.config['JWT_SECRET_KEY'] = 'super-secret' 

# Initialize the JWTManager with the Flask app
jwt = JWTManager(app)

# Define a route to receive login credentials
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data according to the schema
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        # If validation fails, return an error message and a 400 status code
        return jsonify(error=err.messages), 400

    # Extract username and password from the validated data
    username = data['username']
    password = data['password']

    # Find the user in the mock database
    user = next((user for user in database if user["username"] == username), None)
    
    # Check if the user exists and if the password matches
    if user and user["password"] == password:
        # Create an access token for the user
        access_token = create_access_token(identity=username)
        # Return the access token with a success message
        return jsonify(access_token=access_token), 200
    else:
        # Return an error if the user does not exist or the password is incorrect
        return jsonify(error="Bad username or password"), 401

# Protected route that requires a valid JWT to access
@app.route('/protected', methods=['GET'])
@jwt_required()
def protected_route():
    return jsonify(message="This is a protected route, and you are authenticated!"), 200


```

## Implementing the JWT Required Decorator

Nice job on completing the lesson! You've made good progress so far.

Your next challenge is to set up a protected route in our Flask application. Complete the code by filling in the missing parts where indicated to secure the endpoint with JWT using the correct decorator.

Let's dive in and see your skills in action! 🚀

```py
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, create_access_token, jwt_required
from marshmallow import Schema, fields, ValidationError
from marshmallow.validate import Length

# Initialize a Flask app instance
app = Flask(__name__)

# Mock database of users
database = [
    {"id": 1, "username": "cosmo", "password": "space-corgi"}
]

# Define a schema for validating login data
class LoginSchema(Schema):
    username = fields.Str(required=True, validate=Length(min=1))
    password = fields.Str(required=True, validate=Length(min=1))

# Create an instance of LoginSchema
login_schema = LoginSchema()

# Set the secret key for signing JWTs
app.config['JWT_SECRET_KEY'] = 'super-secret' 

# Initialize the JWTManager with the Flask app
jwt = JWTManager(app)

# Define a route to receive login credentials
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data according to the schema
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        # If validation fails, return an error message and a 400 status code
        return jsonify(error=err.messages), 400

    # Extract username and password from the validated data
    username = data['username']
    password = data['password']

    # Find the user in the mock database
    user = next((user for user in database if user["username"] == username), None)
    
    # Check if the user exists and if the password matches
    if user and user["password"] == password:
        # Create an access token for the user
        access_token = create_access_token(identity=username)
        # Return the access token with a success message
        return jsonify(access_token=access_token), 200
    else:
        # Return an error if the user does not exist or the password is incorrect
        return jsonify(error="Bad username or password"), 401

# TODO: Protect the route by requiring a valid JWT to access
@app.route('/protected', methods=['GET'])
@________________()
def protected_route():
    return jsonify(message="This is a protected route, and you are authenticated!"), 200
```

You're making great progress with securing your Flask application! 🎉

To complete the code and protect the `/protected` route, you need to use the `@jwt_required()` decorator from `flask_jwt_extended`. This decorator ensures that a valid JWT (JSON Web Token) must be included in the request to access the protected endpoint.

Here's the updated code:

```py
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, create_access_token, jwt_required
from marshmallow import Schema, fields, ValidationError
from marshmallow.validate import Length

# Initialize a Flask app instance
app = Flask(__name__)

# Mock database of users
database = [
    {"id": 1, "username": "cosmo", "password": "space-corgi"}
]

# Define a schema for validating login data
class LoginSchema(Schema):
    username = fields.Str(required=True, validate=Length(min=1))
    password = fields.Str(required=True, validate=Length(min=1))

# Create an instance of LoginSchema
login_schema = LoginSchema()

# Set the secret key for signing JWTs
app.config['JWT_SECRET_KEY'] = 'super-secret' 

# Initialize the JWTManager with the Flask app
jwt = JWTManager(app)

# Define a route to receive login credentials
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data according to the schema
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        # If validation fails, return an error message and a 400 status code
        return jsonify(error=err.messages), 400

    # Extract username and password from the validated data
    username = data['username']
    password = data['password']

    # Find the user in the mock database
    user = next((user for user in database if user["username"] == username), None)
    
    # Check if the user exists and if the password matches
    if user and user["password"] == password:
        # Create an access token for the user
        access_token = create_access_token(identity=username)
        # Return the access token with a success message
        return jsonify(access_token=access_token), 200
    else:
        # Return an error if the user does not exist or the password is incorrect
        return jsonify(error="Bad username or password"), 401

# Protect the route by requiring a valid JWT to access
@app.route('/protected', methods=['GET'])
@jwt_required()  # This line secures the endpoint
def protected_route():
    return jsonify(message="This is a protected route, and you are authenticated!"), 200

if __name__ == "__main__":
    app.run(debug=True)
```

### What's been added:
- The `@jwt_required()` decorator is added just above the `/protected` route to ensure that only requests with a valid JWT can access this route.

Now, the `/protected` route is secured, and users will need a valid JWT (received from `/login`) to access it. Keep up the great work! 🚀

## Fix the JWT Protection Bug

Awesome job reaching this point! Every programmer makes mistakes, and finding bugs in the details is essential.

In the given code, there's a Flask application with a route intended to be protected by JWT. However, an issue is causing the security of this route to fail. Find the bug and fix it.

Let's make sure your endpoints are well-protecte

```py
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, create_access_token, jwt_required
from marshmallow import Schema, fields, ValidationError
from marshmallow.validate import Length

# Initialize a Flask app instance
app = Flask(__name__)

# Mock database of users
database = [
    {"id": 1, "username": "cosmo", "password": "space-corgi"}
]

# Define a schema for validating login data
class LoginSchema(Schema):
    username = fields.Str(required=True, validate=Length(min=1))
    password = fields.Str(required=True, validate=Length(min=1))

# Create an instance of LoginSchema
login_schema = LoginSchema()

# Set the secret key for signing JWTs
app.config['JWT_SECRET_KEY'] = 'super-secret'

# Initialize the JWTManager with the Flask app
jwt = JWTManager(app)

# Define a route to receive login credentials
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data according to the schema
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        # If validation fails, return an error message and a 400 status code
        return jsonify(error=err.messages), 400

    # Extract username and password from the validated data
    username = data['username']
    password = data['password']

    # Find the user in the mock database
    user = next((user for user in database if user["username"] == username), None)

    # Check if the user exists and if the password matches
    if user and user["password"] == password:
        # Create an access token for the user
        access_token = create_access_token(identity=username)
        # Return the access token with a success message
        return jsonify(access_token=access_token), 200
    else:
        # Return an error if the user does not exist or the password is incorrect
        return jsonify(error="Bad username or password"), 401

# Protected route that requires a valid JWT to access
@jwt_required()
@app.route('/protected', methods=['GET'])
def protected_route():
    return jsonify(message="This is a protected route, and you are authenticated!"), 200
```

The issue with the current code lies in how the `@jwt_required()` decorator is applied to the `/protected` route. The decorator should be placed *after* defining the route (`@app.route('/protected', methods=['GET'])`), not before it. In Python, the order of decorators matters, and in this case, the route decorator should come first, followed by the `jwt_required` decorator.

Here's the corrected code:

```py
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, create_access_token, jwt_required
from marshmallow import Schema, fields, ValidationError
from marshmallow.validate import Length

# Initialize a Flask app instance
app = Flask(__name__)

# Mock database of users
database = [
    {"id": 1, "username": "cosmo", "password": "space-corgi"}
]

# Define a schema for validating login data
class LoginSchema(Schema):
    username = fields.Str(required=True, validate=Length(min=1))
    password = fields.Str(required=True, validate=Length(min=1))

# Create an instance of LoginSchema
login_schema = LoginSchema()

# Set the secret key for signing JWTs
app.config['JWT_SECRET_KEY'] = 'super-secret'

# Initialize the JWTManager with the Flask app
jwt = JWTManager(app)

# Define a route to receive login credentials
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data according to the schema
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        # If validation fails, return an error message and a 400 status code
        return jsonify(error=err.messages), 400

    # Extract username and password from the validated data
    username = data['username']
    password = data['password']

    # Find the user in the mock database
    user = next((user for user in database if user["username"] == username), None)

    # Check if the user exists and if the password matches
    if user and user["password"] == password:
        # Create an access token for the user
        access_token = create_access_token(identity=username)
        # Return the access token with a success message
        return jsonify(access_token=access_token), 200
    else:
        # Return an error if the user does not exist or the password is incorrect
        return jsonify(error="Bad username or password"), 401

# Protected route that requires a valid JWT to access
@app.route('/protected', methods=['GET'])
@jwt_required()  # This is now correctly placed after the route definition
def protected_route():
    return jsonify(message="This is a protected route, and you are authenticated!"), 200

if __name__ == "__main__":
    app.run(debug=True)
```

### Explanation:
- **Original issue**: The `@jwt_required()` decorator was applied before the route definition, which led to the route being incorrectly registered and the decorator not working as intended.
- **Fix**: Place the `@jwt_required()` decorator after the `@app.route('/protected', methods=['GET'])` decorator, ensuring that the route is properly protected by the JWT authentication.

With this fix, the `/protected` route should now be securely protected by JWT, and users will need a valid token to access it. 🚀

## Secure a New Flask Endpoint

Nice work so far! You’ve learned how to secure endpoints using JWT. Now, it's your turn to put this into practice by creating a new endpoint.

Your task is to:

Define a new GET endpoint at the path /secure-data.
Protect it with JWT using the @jwt_required decorator.
Ensure it returns a success message only for authenticated users.
You've got this! Let's secure our application even further.

```py
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, create_access_token, jwt_required
from marshmallow import Schema, fields, ValidationError
from marshmallow.validate import Length

# Initialize a Flask app instance
app = Flask(__name__)

# Mock database of users
database = [
    {"id": 1, "username": "cosmo", "password": "space-corgi"}
]

# Define a schema for validating login data
class LoginSchema(Schema):
    username = fields.Str(required=True, validate=Length(min=1))
    password = fields.Str(required=True, validate=Length(min=1))

# Create an instance of LoginSchema
login_schema = LoginSchema()

# Set the secret key for signing JWTs
app.config['JWT_SECRET_KEY'] = 'super-secret' 

# Initialize the JWTManager with the Flask app
jwt = JWTManager(app)

# Define a route to receive login credentials
@app.route('/login', methods=['POST'])
def login():
    try:
        # Validate and deserialize the input data according to the schema
        data = login_schema.load(request.get_json())
    except ValidationError as err:
        # If validation fails, return an error message and a 400 status code
        return jsonify(error=err.messages), 400

    # Extract username and password from the validated data
    username = data['username']
    password = data['password']

    # Find the user in the mock database
    user = next((user for user in database if user["username"] == username), None)
    
    # Check if the user exists and if the password matches
    if user and user["password"] == password:
        # Create an access token for the user
        access_token = create_access_token(identity=username)
        # Return the access token with a success message
        return jsonify(access_token=access_token), 200
    else:
        # Return an error if the user does not exist or the password is incorrect
        return jsonify(error="Bad username or password"), 401

# TODO: Define a new route '/secure-data'
# TODO: Protect the route with the @jwt_required() decorator
    # TODO: Implement the logic in the route to return a success message with a status code of 200
```

