@jwt_required does not work with the OPTIONS method

[stackp]

Hello,

Thanks for the great work !

With the OPTIONS HTTP method, a confusing error message is raised, stating that @jwt_required() was not called, although it was called:

"You must call @jwt_required() or verify_jwt_in_request() "

Here is a way to reproduce the issue :

from flask import Flask, jsonify
from flask_jwt_extended import get_jwt_identity, jwt_required, JWTManager

app = Flask(__name__)
app.config["JWT_SECRET_KEY"] = "super-secret"
jwt = JWTManager(app)

@app.route("/", methods=["GET", "OPTIONS"])
@jwt_required(optional=True)
def protected():
    current_user = get_jwt_identity()
    return "hello", 200


if __name__ == "__main__":
    app.run()

$ curl -X OPTIONS http://0.0.0.0:5000/ -i 
HTTP/1.0 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
Content-Length: 290
Server: Werkzeug/2.0.2 Python/3.7.11
Date: Wed, 13 Apr 2022 07:55:36 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>

2022-04-13 09:55:36,725] ERROR in app: Exception on / [OPTIONS]
Traceback (most recent call last):
  File "/***/venv/lib/python3.7/site-packages/flask/app.py", line 2073, in wsgi_app
    response = self.full_dispatch_request()
  File "/***/venv/lib/python3.7/site-packages/flask/app.py", line 1518, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/***/venv/lib/python3.7/site-packages/flask/app.py", line 1516, in full_dispatch_request
    rv = self.dispatch_request()
  File "/***/venv/lib/python3.7/site-packages/flask/app.py", line 1502, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/***/venv/lib/python3.7/site-packages/flask_jwt_extended/view_decorators.py", line 127, in decorator
    return current_app.ensure_sync(fn)(*args, **kwargs)
  File "test_app.py", line 11, in protected
    current_user = get_jwt_identity()
  File "/***/venv/lib/python3.7/site-packages/flask_jwt_extended/utils.py", line 58, in get_jwt_identity
    return get_jwt().get(config.identity_claim_key, None)
  File "/***/venv/lib/python3.7/site-packages/flask_jwt_extended/utils.py", line 25, in get_jwt
    "You must call `@jwt_required()` or `verify_jwt_in_request()` "
RuntimeError: You must call `@jwt_required()` or `verify_jwt_in_request()` before using this method
127.0.0.1 - - [13/Apr/2022 09:55:36] "OPTIONS / HTTP/1.1" 500 -

[vimalloc]

This is happening because in most cases, OPTIONS is used as a preflight CORS check that happens automatically by the web browser, and when that happens the browser wont be sending a JWT with the request, which causes the preflight check to always fail. To account for that, this extension is configured to ignore jwt checks if for OPTION requests here: https://github.com/vimalloc/flask-jwt-extended/blob/master/flask_jwt_extended/config.py#L277-L279

If this is a use case you need to support, I would be more then happy to have an HTTP_EXEMPT_METHODS flask configuration option option put in place, which would allow you to override this behavior. What is your use case for needing an explicit OPTIONS request?

[stackp]

Hi @vimalloc, thanks for your reply.

It is not a use case I need to support; this error is raised in our prod app a few times a week, and I was confused by the message trying to trace it. I am not sure why some clients send an OPTIONS request here, as there is no cross-origin situation in our app.

Here is how the app is set up, you can see that the error is raised before any Flask route is entered, and therefore before any check on the HTTP method is done.

@jwt_required(optional=True)
def get_user_id():
    return get_jwt_identity()

@app.before_request
def before_request():
    g.user_id = get_user_id()

@app.errorhandler(jwt.exceptions.PyJWTError)
@app.errorhandler(flask_jwt_extended.exceptions.JWTExtendedException)
def handle_expired_token(error):
    # Exceptions raised by @jwt_required(optional=True)
    logging.warning("Invalid JWT token", exc_info=True)
    unset_jwt_cookies(resp)
    return unauthorized()

I would have expected get_jwt_identity() to return None as optional=True is passed and no JWT is present. Wouldn't that be the correct behavior ?

Otherwise, I can check in my code if the method is OPTIONS, and force g.user_id = None in that case, without calling get_jwt_identity().

Thanks!

[vimalloc]

Sorry for the late reply!

I would have expected get_jwt_identity() to return None as optional=True is passed and no JWT is present. Wouldn't that be the correct behavior

It would be, except that the entire callback chain is short circuited if it is an OPTIONS request (https://github.com/vimalloc/flask-jwt-extended/blob/master/flask_jwt_extended/view_decorators.py#L85-L86). The reason for that is otherwise CORS would break for an endpoint that had optional=False because the preflight OPTIONS request would return a 4xx code instead of a 200.

We could update that to not short circuit if optional=True and it's an OPTIONS request. I don't know if that really provides much value, but I'm not opposed to making that change. Thoughts?

[stackp]

Hey! Thanks for your reply.

We could update that to not short circuit if optional=True and it's an OPTIONS request. I don't know if that really provides much value, but I'm not opposed to making that change. Thoughts?

That's the behavior I would expect from the decorator, though I agree it's quite an edge case. So, if it's an easy fix, then why not. ;)

For the record, I've added a condition in my code to not attempt to call get_jwt_identity()when method == 'OPTIONS'.