I'm using the flask-jwt-extended library to provide authorization for an API with the following route:
    from flask import request, jsonify, abort
    from flask_jwt_extended import create_access_token

    @app.route('/<string:stage>/api/v2.0/unauth/token', methods=['POST'])
    def get_token(stage):
        username = request.json['username']
        password = request.json['password']
        user = get_user(username)  # the application's own user lookup
        if user and user.password == password:  # compares the stored password in plain text
            return jsonify({'access_token': create_access_token(identity=username)}), 200
        else:
            abort(401)
When I make the following curl request

    curl -H "Content-Type: application/json" -X POST -d '{"username":"android", "password":"59a07c1a-0ec9-41a0-9b96-2ff196f35f0c"}' http://0.0.0.0:5000/staging/api/v2.0/unauth/token

the server responds with

    {
      "msg": "Missing Authorization Header"
    }

despite the fact that there is no jwt_required annotation on the get_token function. I know that the username and password passed to the request are valid, the object returned from the get_user call is valid, and other non-jwt_required-annotated and jwt_required-annotated routes work as expected. I've tried renaming the endpoint, and even moving it in the code to a different spot, but to no avail. How can this be fixed?
I think there has to be something else going on in your application. If we take a minimum application based on what you have there, it works correctly:
    from flask import Flask, jsonify, request, abort
    from flask_jwt_extended import JWTManager, create_access_token

    app = Flask(__name__)
    app.secret_key = 'super-secret'  # Change this!

    # Setup the Flask-JWT-Extended extension
    jwt = JWTManager(app)

    @app.route('/<string:stage>/api/v2.0/unauth/token', methods=['POST'])
    def get_token(stage):
        username = request.json['username']
        password = request.json['password']
        if username == 'test' and password == 'test':
            return jsonify({'access_token': create_access_token(identity=username)}), 200
        else:
            abort(401)

    if __name__ == '__main__':
        app.run()

and

    $ curl -H "Content-Type: application/json" -X POST -d '{"username":"test", "password":"test"}' http://0.0.0.0:5000/staging/api/v2.0/unauth/token
    {
      "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0OTQ5NTI3MjMsImlhdCI6MTQ5NDk1MTgyMywibmJmIjoxNDk0OTUxODIzLCJqdGkiOiJhMTM0ZjU0MS03NDliLTRjODctYTA1ZC02NDU0MDBlMTQ2YTIiLCJpZGVudGl0eSI6InRlc3QiLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MiLCJ1c2VyX2NsYWltcyI6e319.rXyi7p97tiplzyPq_7AtDsu0gUlrOhQmcak9bn2LOaU"
    }
If you can post more of your code, maybe we could help track down what is going on?
Also, to mirror what Sven said, you should never be storing/comparing passwords in plain text. If this was just an example for posting to Stack Overflow, then no problem. But if your real code is the same, you should look into salting and hashing your passwords.
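As an added example of the salting and hashing the answer recommends (not code from the question, Sven, or the answerer): a stdlib-only PBKDF2 password store and a constant-time verifier that the token route could call in place of `user.password == password`. The names hash_password, verify_password, authenticate, the USERS table and the iteration count are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed example, not the original poster's or answerer's code.
# Passwords are stored as pbkdf2_sha256$iterations$salt$digest and checked
# in constant time; the /unauth/token route would call authenticate().

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: bytes = b"",
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing hash string with a fresh random salt per call."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt/iterations; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     salt, int(iterations))
    except (ValueError, TypeError):
        return False  # a malformed record never verifies
    return hmac.compare_digest(actual, expected)


# Constructed in-memory user table (a real app would load it from its DB).
USERS = {"test": hash_password("test")}
# Verified for unknown usernames so their requests take as long as real ones.
DUMMY_HASH = hash_password("placeholder")


def authenticate(username: str, password: str) -> bool:
    """The decision the token route makes: issue a token only when this is True."""
    stored = USERS.get(username, DUMMY_HASH)
    ok = verify_password(stored, password)
    return ok and username in USERS
```

The route body then becomes `if authenticate(username, password): return jsonify(...)` with the same `abort(401)` fallback, and the stored record holds only the hash string, never the password.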