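【Question title】: Python: Flask session handling with JWT token and cookies
【Posted】: 2020-02-24 14:56:25
【Question description】:

I'm building a cloud service and I need to know one thing. This is my third day with Flask and JWT, so basically I need to somehow see whether the user is logged in. What I have done so far is a login system that generates a JWT authentication token with the user information hashed in it. After login, I generate a token and save it in a cookie. Now I have the situation that a user can log in again after already being logged in, and the system generates another JWT token. So I need to create a session that holds the user's session state, for example logged in = True, and the session should close automatically when the JWT token expires. I tried to do this, but is this a good example of how to do it? Here is my code.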

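import datetime
from functools import wraps

import jwt  # PyJWT
from flask import jsonify, make_response, request
from werkzeug.security import check_password_hash

# `app` (the Flask application) and `User` (the database model) are defined elsewhere in the project.

# Decorator: reads the JWT from the 'x-access-token' cookie and passes the matching user to the view.
def token_required(f):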
    @wraps(f)
    def decorated(*args, **kwargs):
        token = None

        if 'x-access-token' in request.cookies:
            token = request.cookies['x-access-token']
        else:
            return jsonify({'message': 'Token is missing'}), 401

        try:
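            # Pin the accepted algorithm so the token header cannot choose it (required by PyJWT 2.x).
            data = jwt.decode(token, app.config['SECRET_KEY'], algorithms=['HS256'])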
            current_user = User.query.filter_by(public_id=data['public_id']).first()
        except jwt.DecodeError:
            print('decodeerrr')
            return jsonify({'message': 'Token is missing'}), 401

        except jwt.exceptions.ExpiredSignatureError:
            return jsonify({'message': 'Token has expired'}), 401

        return f(current_user, *args, **kwargs)
    return decorated

@app.route('/login')
def login():

    if 'x-access-token' in request.cookies:
        token = request.cookies['x-access-token']
        try:
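            # Pin the accepted algorithm so the token header cannot choose it (required by PyJWT 2.x).
            data = jwt.decode(token, app.config['SECRET_KEY'], algorithms=['HS256'])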
            return jsonify({'message': 'User is already logged in cant perform another login'}), 200
        except jwt.DecodeError:
            print('decodeerrr')
            return jsonify({'message': 'Token is missing'}), 401

        except jwt.exceptions.ExpiredSignatureError:
            return jsonify({'message': 'Token has expired'}), 401
    else:
        pass


    auth = request.authorization

    if not auth or not auth.username or not auth.password:
        return make_response('Could not verify', 401, {'WWW-Authenticate': 'Basic realm="Login required!"'})

    user = User.query.filter_by(username=auth.username).first()

    if not user:
        return make_response('Could not verify', 401, {'WWW-Authenticate': 'Basic realm="Login required!"'})

    if check_password_hash(user.password, auth.password):
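        # 'exp' must be UTC: PyJWT interprets a naive datetime as UTC, so use utcnow() rather than now().
        token = jwt.encode({'public_id': user.public_id, 'exp': datetime.datetime.utcnow() + datetime.timedelta(minutes=30)}, app.config['SECRET_KEY'])
        print("++++++++++++++++++++++ ANOTHER LOGIN +++++++++++++++++++++++")
        resp = make_response(f'Successfully Logged in as {user.username}', 200)
        # token.decode() applies to PyJWT 1.x, where jwt.encode() returns bytes; in 2.x it already returns str.
        # Note: the cookie lifetime here (15 seconds) is shorter than the token's 'exp' (30 minutes).
        resp.set_cookie('x-access-token', token.decode('UTF-8'), expires=datetime.datetime.utcnow() + datetime.timedelta(seconds=15))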
        return resp

        #return jsonify({'token': token.decode('UTF-8')})
        #resp = make_response("hello") #here you could use make_response(render_template(...)) too
        #resp.headers['x-access-token'] = token.decode('UTF-8')
        #return resp

    return make_response('Could not verify', 401, {'WWW-Authenticate': 'Basic realm="Login required!"'})

【Question discussion】:

    Tags: python flask jwt


    【Solution 1】:

    I think you have already set the expire parameter in set cookie, so the session token will automatically expire at that time.

    【Discussion】:
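
Added example (not part of the original question or answer): the server can decide "logged in" purely from the token's `exp` claim and give the cookie the same lifetime, so the two cannot drift apart the way the 15-second cookie and 30-minute token do in the question. To run without dependencies it uses a small standard-library HS256 stand-in for PyJWT; `SECRET_KEY`, `issue_session` and `session_state` are hypothetical names, and the returned dict is meant for Flask's `resp.set_cookie('x-access-token', token, **cookie)`.

```python
import base64, hashlib, hmac, json

SECRET_KEY = b"constructed-demo-key"  # constructed; stands in for app.config['SECRET_KEY']
SESSION_SECONDS = 30 * 60             # single lifetime shared by token and cookie

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_session(public_id, now):
    """Return (token, cookie_kwargs); the cookie lifetime is derived from exp."""
    exp = now + SESSION_SECONDS
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"public_id": public_id, "exp": exp}).encode())
    token = f"{header}.{body}.{b64e(sign(header + '.' + body))}"
    cookie = {"max_age": exp - now, "httponly": True, "secure": True, "samesite": "Lax"}
    return token, cookie

def session_state(token, now):
    """Return (logged_in, reason, claims), decided only from the token."""
    if not token:
        return False, "missing", None
    try:
        header, body, sig = token.split(".")
        if json.loads(b64d(header)).get("alg") != "HS256":  # pin the algorithm
            return False, "invalid", None
        if not hmac.compare_digest(sign(header + "." + body), b64d(sig)):
            return False, "invalid", None
        claims = json.loads(b64d(body))
    except (ValueError, TypeError, AttributeError):
        return False, "invalid", None
    if now >= claims.get("exp", 0):  # a token without exp counts as expired
        return False, "expired", None
    return True, "ok", claims

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    token, cookie = issue_session("constructed-public-id", now)
    print(cookie["max_age"], session_state(token, now + 16), session_state(token, now + 1800))
```

Because the state comes from the token, a token presented 16 seconds after issue is still a valid session on the server side; only reaching `exp` ends it.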
