Introduce new Config JWT_ENCODE_ISSUER (#330)

ticosax · web-flow · commit 5bd8b1ed08ea · 2020-06-21T11:54:26.000-06:00
This value will populate the claim `iss` if set.
diff --git a/flask_jwt_extended/config.py b/flask_jwt_extended/config.py
@@ -329,7 +329,11 @@ def audience(self):
         return current_app.config['JWT_DECODE_AUDIENCE']
 
     @property
-    def issuer(self):
+    def encode_issuer(self):
+        return current_app.config['JWT_ENCODE_ISSUER']
+
+    @property
+    def decode_issuer(self):
         return current_app.config['JWT_DECODE_ISSUER']
 
     @property
diff --git a/flask_jwt_extended/jwt_manager.py b/flask_jwt_extended/jwt_manager.py
@@ -230,6 +230,7 @@ def _set_default_configuration_options(app):
         app.config.setdefault('JWT_IDENTITY_CLAIM', 'identity')
         app.config.setdefault('JWT_USER_CLAIMS', 'user_claims')
         app.config.setdefault('JWT_DECODE_AUDIENCE', None)
+        app.config.setdefault('JWT_ENCODE_ISSUER', None)
         app.config.setdefault('JWT_DECODE_ISSUER', None)
         app.config.setdefault('JWT_DECODE_LEEWAY', 0)
 
@@ -519,6 +520,7 @@ def _create_access_token(self, identity, fresh=False, expires_delta=None,
             identity_claim_key=config.identity_claim_key,
             user_claims_key=config.user_claims_key,
             json_encoder=config.json_encoder,
-            headers=headers
+            headers=headers,
+            issuer=config.encode_issuer,
         )
         return access_token
diff --git a/flask_jwt_extended/tokens.py b/flask_jwt_extended/tokens.py
@@ -33,7 +33,7 @@ def _encode_jwt(additional_token_data, expires_delta, secret, algorithm,
 
 def encode_access_token(identity, secret, algorithm, expires_delta, fresh,
                         user_claims, csrf, identity_claim_key, user_claims_key,
-                        json_encoder=None, headers=None):
+                        json_encoder=None, headers=None, issuer=None):
     """
     Creates a new encoded (utf-8) access token.
 
@@ -54,6 +54,7 @@ def encode_access_token(identity, secret, algorithm, expires_delta, fresh,
     :param identity_claim_key: Which key should be used to store the identity
     :param user_claims_key: Which key should be used to store the user claims
     :param headers: valid dict for specifying additional headers in JWT header section
+    :param issuer: Issuer value configured as JWT_ENCODE_ISSUER
     :return: Encoded access token
     """
 
@@ -73,6 +74,8 @@ def encode_access_token(identity, secret, algorithm, expires_delta, fresh,
 
     if csrf:
         token_data['csrf'] = _create_csrf_token()
+    if issuer is not None:
+        token_data['iss'] = issuer
     return _encode_jwt(token_data, expires_delta, secret, algorithm,
                        json_encoder=json_encoder, headers=headers)
 
diff --git a/flask_jwt_extended/utils.py b/flask_jwt_extended/utils.py
@@ -113,7 +113,7 @@ def decode_token(encoded_token, csrf_value=None, allow_expired=False):
             user_claims_key=config.user_claims_key,
             csrf_value=csrf_value,
             audience=config.audience,
-            issuer=config.issuer,
+            issuer=config.decode_issuer,
             leeway=config.leeway,
             allow_expired=allow_expired
         )
@@ -126,7 +126,7 @@ def decode_token(encoded_token, csrf_value=None, allow_expired=False):
             user_claims_key=config.user_claims_key,
             csrf_value=csrf_value,
             audience=config.audience,
-            issuer=config.issuer,
+            issuer=config.decode_issuer,
             leeway=config.leeway,
             allow_expired=True
         )
diff --git a/tests/test_config.py b/tests/test_config.py
@@ -72,6 +72,8 @@ def test_default_configs(app):
         assert config.json_encoder is app.json_encoder
 
         assert config.error_msg_key == 'msg'
+        assert config.encode_issuer is None
+        assert config.decode_issuer is None
 
 
 @pytest.mark.parametrize("delta_func", [timedelta, relativedelta])
@@ -117,6 +119,8 @@ def test_override_configs(app, delta_func):
     app.config['JWT_CLAIMS_IN_REFRESH_TOKEN'] = True
 
     app.config['JWT_ERROR_MESSAGE_KEY'] = 'message'
+    app.config['JWT_ENCODE_ISSUER'] = 'fje'
+    app.config['JWT_DECODE_ISSUER'] = 'fje'
 
     class CustomJSONEncoder(JSONEncoder):
         pass
@@ -175,6 +179,8 @@ class CustomJSONEncoder(JSONEncoder):
         assert config.json_encoder is CustomJSONEncoder
 
         assert config.error_msg_key == 'message'
+        assert config.encode_issuer == 'fje'
+        assert config.decode_issuer == 'fje'
 
 
 def test_tokens_never_expire(app):
diff --git a/tests/test_decode_tokens.py b/tests/test_decode_tokens.py
@@ -262,7 +262,27 @@ def test_invalid_aud(app, default_access_token, token_aud):
         with app.test_request_context():
             decode_token(invalid_token)
 
-def test_valid_iss(app, default_access_token):
+
+def test_encode_iss(app, default_access_token):
+    app.config['JWT_ENCODE_ISSUER'] = 'foobar'
+
+    with app.test_request_context():
+        access_token = create_access_token('username')
+        decoded = decode_token(access_token)
+        assert decoded['iss'] == 'foobar'
+
+
+def test_mismatch_iss(app, default_access_token):
+    app.config['JWT_ENCODE_ISSUER'] = 'foobar'
+    app.config['JWT_DECODE_ISSUER'] = 'baz'
+
+    with pytest.raises(InvalidIssuerError):
+        with app.test_request_context():
+            invalid_token = create_access_token('username')
+            decode_token(invalid_token)
+
+
+def test_valid_decode_iss(app, default_access_token):
     app.config['JWT_DECODE_ISSUER'] = 'foobar'
 
     default_access_token['iss'] = 'foobar'
@@ -271,7 +291,9 @@ def test_valid_iss(app, default_access_token):
         decoded = decode_token(valid_token)
         assert decoded['iss'] == 'foobar'
 
-def test_invalid_iss(app, default_access_token):
+
+def test_invalid_decode_iss(app, default_access_token):
+
     app.config['JWT_DECODE_ISSUER'] = 'baz'
 
     default_access_token['iss'] = 'foobar'
