jwt_refresh_token_required on OPTION request

[wogscpar]

Hello,

I'm not sure if this is an issue or if this is a expected behavior. Anyway, I'm developing an API which uses JWT tokens for authentication. I'm getting unauthorized when I'm trying to refresh the access token using the example:

@app.route('/refresh', methods=['POST'])
@jwt_refresh_token_required
def refresh():
    current_user = get_jwt_identity()
    new_token = create_access_token(identity=current_user, fresh=False)
    ret = {'access_token': new_token}
    return jsonify(ret), 200

If the client is located on a different origin than the server, then this function will return unauthorized because of the empty OPTION request before the real POST request is sent.

Shouldn't @jwt_refresh_token_required check if the request is a OPTION request and then ignore the absence of the token but act on all other requests?

[vimalloc]

I bet you are seeing something like 405 Method Not Allowed, which is generated by flask itself (not this extension), and indicating that there is no handler setup for this method. If you want an OPTION handler, you would need to add it yourself, along the lines of

@app.route('/refresh', methods=['OPTION'])
def option_endpoint():
    # Setup things like the `allow` header here. 
    return '', 204

I feel like automatically adding OPTION endpoints to the flask application is outside of the scope of this extension, and would be better handled by an extension specifically designed to handle this use case (I'm not sure if that extension already exists or not).

EDIT:
Looks like you may be looking for flask-cors: https://flask-cors.readthedocs.io/en/2.1.0/

[vimalloc]

@wogscpar So it turns out I may have been very wrong about this. According to the flask quickstart guide:

OPTIONS
Provides a quick way for a client to figure out which methods are supported by this URL. Starting with Flask 0.6, this is implemented for you automatically.

Sorry about that, totally an oversight on my part there! A pull request (#120) is in the works that will fix this up, so that @jwt_required (et al) endpoints now work properly with OPTIONS requests.