Configuration¶
How to add settings¶
There are several ways to configure Sanic JWT depeding upon your project’s complexity and use case.
The Sanic way¶
Any way that Sanic offers to load configration will work. Simply convert the setting name to all caps, and add the SANIC_JWT_
prefix.
app = Sanic()
app.config.SANIC_JWT_ACCESS_TOKEN_NAME = 'jwt'
Initialize(app)
If you choose this approach, Sanic JWT will only know about configurations set _BEFORE_ you call Initialize
.
Inline at initialization¶
One of the easiest methods is to simply name the setting and value as a keyword argument on the Initialize
object.
Initialize(
app,
access_token_name='jwt')
Configuration
class¶
For a more fine grain control, you can subclass the Configuration
class and provide the settings as attributes on the class.
from sanic_jwt import Configuration
class MyConfiguration(Configuration):
access_token_name='jwt'
Initialize(
app,
configuration_class=MyConfiguration)
What if you need to calculate a setting? No problem. Each of the settings can be declared at initialization with the set_<setting>()
method.
from sanic_jwt import Configuration
class MyConfiguration(Configuration):
def set_access_token_name(self):
return 'jwt'
Initialize(
app,
configuration_class=MyConfiguration)
But, it does not need to be a callable. This works too:
from sanic_jwt import Configuration
class MyConfiguration(Configuration):
set_access_token_name = 'jwt'
Initialize(
app,
configuration_class=MyConfiguration)
Okay … need to go even further? You can also have a setting evaluated on each request with the get_<setting>()
method:
auth_header_key = "x-authorization-header"
class MyConfig(Configuration):
def get_authorization_header(self, request):
if auth_header_key in request.headers:
return request.headers.get(auth_header_key)
return "authorization"
Initialize(
app,
configuration_class=MyConfig
)
This brings up an important point. If you go with the getter method, then in order to not waste resources, it will be evaluated only one time per request. The output of your getter will be cached for the lifespan of that request only.
As you can see, the getter method is passed the request
object as a parameter.
Temporary override¶
Sometimes you may need to only change a value for a brief moment. There is an auth.override()
method that allows you to handle these situations seemlesly. Anything executed inside the with
statement will have the modified value.
with app.auth.override(expiration_delta=1440):
token = app.auth.generate_access_token(user)
Settings¶
access_token_name
¶
'access_token'
algorithm
¶
'HS256'
HS256 - HMAC using SHA-256 hash algorithm (default)
HS384 - HMAC using SHA-384 hash algorithm
HS512 - HMAC using SHA-512 hash algorithm
ES256 - ECDSA signature algorithm using SHA-256 hash algorithm
ES384 - ECDSA signature algorithm using SHA-384 hash algorithm
ES512 - ECDSA signature algorithm using SHA-512 hash algorithm
RS256 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-256 hash algorithm
RS384 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-384 hash algorithm
RS512 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-512 hash algorithm
PS256 - RSASSA-PSS signature using SHA-256 and MGF1 padding with SHA-256
PS384 - RSASSA-PSS signature using SHA-384 and MGF1 padding with SHA-384
PS512 - RSASSA-PSS signature using SHA-512 and MGF1 padding with SHA-512
auth_mode
¶
/auth
endpoints or not. Helpful for microservice applications.True
authorization_header
¶
'authorization'
authorization_header_prefix
¶
'Bearer'
authorization_header_refresh_prefix
¶
'Refresh'
claim_aud
¶
None
claim_iat
¶
True
value, then the iat claim will be generated for all requests.False
claim_iss
¶
None
, requires a str
valueclaim_nbf
¶
True
value, then the nbf
claim will be generated for all requests, and will be required to verify a token. If True
, the nbf
claim will be set to the current time of the generation of the token. You can modify this with two additional settings: nbf_delta
(the number of seconds to add to the timestamp) and leeway
(the number of seconds of leeway you want to allow for).False
claim_nbf_delta
¶
60 * 3
cookie_access_token_name
¶
'access_token'
cookie_domain
¶
''
cookie_expires
¶
expires
field to cookies. Should be a Python datetime
object, and therefore should be set in Python code and not via environment variables.None
cookie_httponly
¶
True
cookie_max_age
¶
max-age
field to the cookies. The number is expressed in seconds.0
cookie_path
¶
'/'
cookie_refresh_token_name
¶
'refresh_token'
cookie_secure
¶
secure
field to cookies. This should be used in production, but is disabled by default because it might lead to unintended frustrations in development.False
cookie_set
¶
True
.False
cookie_split
¶
True
, will enable split cookies (see protecting routes with cookies for more details). Overrides cookie_httponly
.False
cookie_split_signature_name
¶
cookie_split
turned on.access_token_signature
cookie_strict
¶
cookie_set
is enabled, an exception will be raised if the cookie is not present. To allow for an authorization header to be used as a fallback, turn cookie_strict
to False
.True
cookie_token_name
¶
Alias for cookie_access_token_name
debug
¶
False
do_protection
¶
True
, unless you know what you are doing since it will effectively render the @protected
decorator useless and all traffic will be passed thru.True
expiration_delta
¶
60 * 5 * 6
, aka 30 minutesgenerate_refresh_token
¶
sanic_jwt.utils.generate_refresh_token
leeway
¶
60 * 3
, aka 3 minuteslogin_redirect_url
¶
/index.html
path_to_authenticate
¶
'/'
path_to_refresh
¶
'/refresh'
path_to_retrieve_user
¶
'/me'
path_to_verify
¶
'/verify'
private_key
¶
None
public_key
¶
Alias for secret
query_string_access_token_name
¶
'access_token'
query_string_refresh_token_name
¶
'refresh_token'
query_string_set
¶
True
.False
query_string_strict
¶
query_string_set
is enabled, an exception will be raised if the query string is not present. To allow for an authorization header to be used as a fallback, turn query_string_strict
to False
.True
refresh_token_enabled
¶
False
refresh_token_name
¶
'refresh_token'
scopes_enabled
¶
False
scopes_name
¶
'scopes'
secret
¶
'This is a big secret. Shhhhh'
strict_slashes
¶
False
url_prefix
¶
/
.'/auth'
user_id
¶
'user_id'
user_secret_enabled
¶
False
verify_exp
¶
True
Warning
IMPORTANT: Changing verify_exp to False
means that access tokens will NOT expire. Make sure you know what you are doing before disabling this.
This is a potential SECURITY RISK.