Better errors when using cookie methods without configured to use cookies

vimalloc · vimalloc · commit 21f5c7f39353 · 2017-03-05T11:23:20.000-07:00
refs #31
diff --git a/flask_jwt_extended/utils.py b/flask_jwt_extended/utils.py
@@ -388,6 +388,10 @@ def set_access_cookies(response, encoded_access_token):
     Takes a flask response object, and configures it to set the encoded access
     token in a cookie (as well as a csrf access cookie if enabled)
     """
+    if 'cookies' not in get_token_location():
+        raise RuntimeWarning("set_access_cookies() called without "
+                             "'JWT_TOKEN_LOCATION' configured to use cookies")
+
     # Set the access JWT in the cookie
     response.set_cookie(get_access_cookie_name(),
                         value=encoded_access_token,
@@ -409,6 +413,10 @@ def set_refresh_cookies(response, encoded_refresh_token):
     Takes a flask response object, and configures it to set the encoded refresh
     token in a cookie (as well as a csrf refresh cookie if enabled)
     """
+    if 'cookies' not in get_token_location():
+        raise RuntimeWarning("set_refresh_cookies() called without "
+                             "'JWT_TOKEN_LOCATION' configured to use cookies")
+
     # Set the refresh JWT in the cookie
     response.set_cookie(get_refresh_cookie_name(),
                         value=encoded_refresh_token,
@@ -431,6 +439,10 @@ def unset_jwt_cookies(response):
     cookies. Basically, this is a logout helper method if using cookies to store
     the JWT
     """
+    if 'cookies' not in get_token_location():
+        raise RuntimeWarning("unset_refresh_cookies() called without "
+                             "'JWT_TOKEN_LOCATION' configured to use cookies")
+
     response.set_cookie(get_refresh_cookie_name(),
                         value='',
                         expires=0,
diff --git a/tests/test_protected_endpoints.py b/tests/test_protected_endpoints.py
@@ -349,6 +349,41 @@ def test_different_headers(self):
         self.assertIn('msg', data)
         self.assertEqual(status, 401)
 
+    def test_cookie_methods_fail_with_headers_configured(self):
+        app = Flask(__name__)
+        app.config['JWT_TOKEN_LOCATION'] = ['headers']
+        app.secret_key = 'super=secret'
+        app.testing = True
+        JWTManager(app)
+        client = app.test_client()
+
+        @app.route('/login-bad', methods=['POST'])
+        def bad_login():
+            access_token = create_access_token('test')
+            resp = jsonify({'login': True})
+            set_access_cookies(resp, access_token)
+            return resp, 200
+
+        @app.route('/refresh-bad', methods=['POST'])
+        def bad_refresh():
+            refresh_token = create_refresh_token('test')
+            resp = jsonify({'login': True})
+            set_refresh_cookies(resp, refresh_token)
+            return resp, 200
+
+        @app.route('/logout-bad', methods=['POST'])
+        def bad_logout():
+            resp = jsonify({'logout': True})
+            unset_jwt_cookies(resp)
+            return resp, 200
+
+        with self.assertRaises(RuntimeWarning):
+            client.post('/login-bad')
+        with self.assertRaises(RuntimeWarning):
+            client.post('/refresh-bad')
+        with self.assertRaises(RuntimeWarning):
+            client.post('/logout-bad')
+
 
 class TestEndpointsWithCookies(unittest.TestCase):
 
