Add JWT_QUERY_STRING_VALUE_PREFIX configuration option

Refs #421

Author: Landon Gilbert-Bland

docs/options.rst

@@ -397,6 +397,17 @@ These are only applicable if a route is configured to accept JWTs via query stri
     Default: ``"jwt"``
 
 
+.. py:data:: JWT_QUERY_STRING_VALUE_PREFIX
+
+    An optional prefix string that should show up before the JWT in a
+    query string parameter.
+
+    For example, if this was ``"Bearer "``, the query string should look like
+    ``"/endpoint?jwt=Bearer <JWT>"``
+
+    Default: ``""``
+
+
 JSON Body Options:
 ~~~~~~~~~~~~~~~~~~
 These are only applicable if a route is configured to accept JWTs via the JSON body.

flask_jwt_extended/config.py

@@ -82,6 +82,10 @@ def header_type(self):
     def query_string_name(self):
         return current_app.config["JWT_QUERY_STRING_NAME"]
 
+    @property
+    def query_string_value_prefix(self):
+        return current_app.config["JWT_QUERY_STRING_VALUE_PREFIX"]
+
     @property
     def access_cookie_name(self):
         return current_app.config["JWT_ACCESS_COOKIE_NAME"]

flask_jwt_extended/exceptions.py

@@ -22,6 +22,14 @@ class InvalidHeaderError(JWTExtendedException):
     pass
 
 
+class InvalidQueryParamError(JWTExtendedException):
+    """
+    An error when a query string param is not in the correct format
+    """
+
+    pass
+
+
 class NoAuthorizationError(JWTExtendedException):
     """
     An error raised when no authorization token was found in a protected endpoint

flask_jwt_extended/jwt_manager.py

@@ -28,6 +28,7 @@
 from flask_jwt_extended.exceptions import CSRFError
 from flask_jwt_extended.exceptions import FreshTokenRequired
 from flask_jwt_extended.exceptions import InvalidHeaderError
+from flask_jwt_extended.exceptions import InvalidQueryParamError
 from flask_jwt_extended.exceptions import JWTDecodeError
 from flask_jwt_extended.exceptions import NoAuthorizationError
 from flask_jwt_extended.exceptions import RevokedTokenError
@@ -142,6 +143,10 @@ def handle_jwt_decode_error(e):
         def handle_auth_error(e):
             return self._unauthorized_callback(str(e))
 
+        @app.errorhandler(InvalidQueryParamError)
+        def handle_invalid_query_param_error(e):
+            return self._invalid_token_callback(str(e))
+
         @app.errorhandler(RevokedTokenError)
         def handle_revoked_token_error(e):
             return self._revoked_token_callback(e.jwt_header, e.jwt_data)
@@ -191,6 +196,7 @@ def _set_default_configuration_options(app):
         app.config.setdefault("JWT_PRIVATE_KEY", None)
         app.config.setdefault("JWT_PUBLIC_KEY", None)
         app.config.setdefault("JWT_QUERY_STRING_NAME", "jwt")
+        app.config.setdefault("JWT_QUERY_STRING_VALUE_PREFIX", "")
         app.config.setdefault("JWT_REFRESH_COOKIE_NAME", "refresh_token_cookie")
         app.config.setdefault("JWT_REFRESH_COOKIE_PATH", "/")
         app.config.setdefault("JWT_REFRESH_CSRF_COOKIE_NAME", "csrf_refresh_token")

flask_jwt_extended/view_decorators.py

@@ -11,6 +11,7 @@
 from flask_jwt_extended.exceptions import CSRFError
 from flask_jwt_extended.exceptions import FreshTokenRequired
 from flask_jwt_extended.exceptions import InvalidHeaderError
+from flask_jwt_extended.exceptions import InvalidQueryParamError
 from flask_jwt_extended.exceptions import NoAuthorizationError
 from flask_jwt_extended.exceptions import UserLookupError
 from flask_jwt_extended.internal_utils import custom_verification_for_token
@@ -207,11 +208,20 @@ def _decode_jwt_from_cookies(refresh):
 
 
 def _decode_jwt_from_query_string():
-    query_param = config.query_string_name
-    encoded_token = request.args.get(query_param)
-    if not encoded_token:
-        raise NoAuthorizationError('Missing "{}" query paramater'.format(query_param))
+    param_name = config.query_string_name
+    prefix = config.query_string_value_prefix
+
+    value = request.args.get(param_name)
+    if not value:
+        raise NoAuthorizationError(f"Missing '{param_name}' query paramater")
+
+    if not value.startswith(prefix):
+        raise InvalidQueryParamError(
+            f"Invalid value for query parameter '{param_name}'. "
+            f"Expected the value to start with '{prefix}'"
+        )
 
+    encoded_token = value[len(prefix) :]  # noqa: E203
     return encoded_token, None
 
 

tests/test_config.py

@@ -31,6 +31,7 @@ def test_default_configs(app):
         assert config.header_type == "Bearer"
 
         assert config.query_string_name == "jwt"
+        assert config.query_string_value_prefix == ""
 
         assert config.access_cookie_name == "access_token_cookie"
         assert config.refresh_cookie_name == "refresh_token_cookie"
@@ -81,6 +82,7 @@ def test_override_configs(app, delta_func):
     app.config["JWT_ENCODE_ISSUER"] = "TestEncodeIssuer"
 
     app.config["JWT_QUERY_STRING_NAME"] = "banana"
+    app.config["JWT_QUERY_STRING_VALUE_PREFIX"] = "kiwi"
 
     app.config["JWT_ACCESS_COOKIE_NAME"] = "new_access_cookie"
     app.config["JWT_REFRESH_COOKIE_NAME"] = "new_refresh_cookie"
@@ -130,6 +132,7 @@ class CustomJSONEncoder(JSONEncoder):
         assert config.encode_issuer == "TestEncodeIssuer"
 
         assert config.query_string_name == "banana"
+        assert config.query_string_value_prefix == "kiwi"
 
         assert config.access_cookie_name == "new_access_cookie"
         assert config.refresh_cookie_name == "new_refresh_cookie"

tests/test_multiple_token_locations.py

@@ -113,7 +113,7 @@ def test_json_access(app, app_with_locations):
             (
                 "Missing JWT in json or query_string (Invalid "
                 "content-type. Must be application/json.; "
-                'Missing "jwt" query paramater)'
+                "Missing 'jwt' query paramater)"
             ),
         ),
     ],

tests/test_query_string.py

@@ -35,6 +35,30 @@ def test_default_query_paramater(app):
     assert response.get_json() == {"foo": "bar"}
 
 
+def test_query_string_value_prefix(app):
+    app.config["JWT_QUERY_STRING_VALUE_PREFIX"] = "bearer "
+    test_client = app.test_client()
+
+    with app.test_request_context():
+        access_token = create_access_token("username")
+
+    # Valid string prefix
+    url = f"/protected?jwt=bearer {access_token}"
+    response = test_client.get(url)
+    assert response.status_code == 200
+    assert response.get_json() == {"foo": "bar"}
+
+    # Invalid string prefix
+    url = f"/protected?jwt={access_token}"
+    response = test_client.get(url)
+    error_msg = (
+        "Invalid value for query parameter 'jwt'. "
+        "Expected the value to start with 'bearer '"
+    )
+    assert response.status_code == 422
+    assert response.get_json() == {"msg": error_msg}
+
+
 def test_custom_query_paramater(app):
     app.config["JWT_QUERY_STRING_NAME"] = "foo"
     test_client = app.test_client()
@@ -46,7 +70,7 @@ def test_custom_query_paramater(app):
     url = "/protected?jwt={}".format(access_token)
     response = test_client.get(url)
     assert response.status_code == 401
-    assert response.get_json() == {"msg": 'Missing "foo" query paramater'}
+    assert response.get_json() == {"msg": "Missing 'foo' query paramater"}
 
     # Insure new query_string does work
     url = "/protected?foo={}".format(access_token)
@@ -65,13 +89,13 @@ def test_missing_query_paramater(app):
     # Insure no query paramaters doesn't give a response
     response = test_client.get("/protected")
     assert response.status_code == 401
-    assert response.get_json() == {"msg": 'Missing "jwt" query paramater'}
+    assert response.get_json() == {"msg": "Missing 'jwt' query paramater"}
 
     # Insure headers don't work
     access_headers = {"Authorization": "Bearer {}".format(access_token)}
     response = test_client.get("/protected", headers=access_headers)
     assert response.status_code == 401
-    assert response.get_json() == {"msg": 'Missing "jwt" query paramater'}
+    assert response.get_json() == {"msg": "Missing 'jwt' query paramater"}
 
     # Test custom response works
     @jwtM.unauthorized_loader