Which decorator to add an authorization step before the request is processed ?

[lucj]

Hello, this is more a question than an issue.
I've added @jwt_required() on several routes

@routes.route('/devices', methods=['GET'])
@jwt_required()
def get_devices(args):
  ...

but I need to have a method that extracts, for each request, the user data from the JWT so it can verify if the user is authorized for the request. I though about adding a @jwt.user_lookup_loader in a @before_request method, something like the following:

@routes.before_request
@jwt.user_lookup_loader
def user_lookup_callback(_jwt_header, jwt_data):
    email = jwt_data["sub"]
    user = Database.find_one("accounts", {"username": email})
    return user

but this is not working as expected. I think I'm missing something here.
Can a decorator be added to trigger some kind of authorization function before each @jwt_required() decorated routes ?

[vimalloc]

You don't need to add a @app.before_request, just having the @jwt.user_lookup_loader defined is all flask-jwt-extended needs to cause it to be called any time a valid JWT is present in the request. You can then access the user via the current_user proxy. Full docs around that can be found here: https://flask-jwt-extended.readthedocs.io/en/stable/automatic_user_loading.

If you are trying to do something like permission checks, you can do that in conjunction with the @jwt.user_lookup_loader / current_user via jwt_manager.verify_jwt_in_request in an app.before_request or in a custom decorator

[lucj]

Thanks a lot !

So from what I understand, before_request with user_lookup_loader is the good approach to retrieve the user specified in the JWT and check if it is authorized for the current request, right ?

When I try the following code:

@routes.before_request
@jwt.user_lookup_loader
def user_lookup_callback(_jwt_header, jwt_data):
    # Get current_user and check if this one is authorized to access
    # the request.endpoint / requested resource

I get the following error:

TypeError: user_lookup_callback() missing 2 required positional arguments: '_jwt_header' and 'jwt_data'

[vimalloc]

No. Before request should not be used directly with @jwt.user_lookup_loader. That's just gonna make a mess of things. @jwt_user_lookup should be used entirely on it's own.

[lucj]

Ok, sorry I think my explanations were kind of messy :)

In fact, within a user_lookup_callback (function decorated with @jwt.user_lookup_loader) I was expecting:

• to be able to get the user (this part works fine)
• to check if the user has the right to access the request.endpoint (based on authorization rules)
• to return a 403 directly to the client in the event the user has no right to perform the action it requests

It seems it's not possible to process like that, correct ?
How would you reject a request based on the JWT content (user defined in identity) prior it gets processed by the protected endpoint ?

[lucj]

I'm playing with custom decorators, exactly what I need. Thanks a lot