Description
Most changes are based on this article
PyJWT requirement
We will be using PyJWT to encode and decode JWT tokens, so add that to requirements.txt
add secret key as app config
Reconfigure app.config['SECRET_KEY'] so that it tries to get the secret key (to encode and decode JWT) from the environment variable SECRET_KEY or it just uses "SECRET_KEY" as the secret key.
migration script hashes passwords and new valid hash method
To make sure user passwords aren't in plaintext for security reasons, we need to hash them when we initialize the default users inside the database in the migration script. The user set_password method was also changed to the same hash method and salt length as the initialization so new user accounts contain hashes from the same hash method (previous method of only sha256 was giving an error as well).
middleware for checking JWT token & authentication
This is the authentication middleware that all requests to the web server will go through before accessing the API. It tries to get the JWT cookie from the request. If the cookie doesn't exist, a 401 Unauthorized Error is returned telling the user that the token is missing. Otherwise, it tries to decode the token if possible. Then it gets the uid from the token and sees if it is an existing user.
/authenticate returns generated JWT token
/api/users/authenticate now returns a JWT token from the request data json containing the uid and password. It does some checks on if the body exists, if the uid exists, if the user with the uid exists, and if the password is correct. If all of that passes, the JWT token containing the uid is encoded and returned as a cookie.
@token_required is then added before the get and post methods for user CRUD to make requests going there go through the middleware first so only authenticated users can access those resources.
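The flow the description above outlines (hashed default users, an authenticate endpoint that issues a JWT cookie, and a token_required middleware that rejects missing, invalid or unknown-user tokens), as an added example that is not the PR's or the project's own code. To keep it runnable without Flask or PyJWT, the HS256 encode/decode is hand-rolled with hmac and hashlib, the "request" is a plain cookies dict, and views return (status, body) tuples; PyJWT's jwt.encode/jwt.decode would replace encode_jwt/decode_jwt in the real app. The user table, the salted PBKDF2 hashing (a stand-in, since the project's exact hash call is not shown here), the cookie name "jwt" and the one-hour expiry are constructed assumptions.

```python
# Added example, not the project's code: JWT cookie middleware and authenticate
# endpoint without Flask/PyJWT dependencies. SECRET_KEY fallback mirrors the PR.
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

SECRET_KEY = os.environ.get("SECRET_KEY", "SECRET_KEY")  # same fallback as app.config
SALT_LENGTH = 16          # assumed salt length (bytes of hex)
PBKDF2_ROUNDS = 100_000   # assumed work factor

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class InvalidToken(Exception):
    pass

def encode_jwt(payload: dict, key: str) -> str:
    """Minimal HS256 JWT; PyJWT's jwt.encode does this in the real project."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def decode_jwt(token: str, key: str) -> dict:
    """Verify signature, pinned algorithm and expiry before trusting any claim."""
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        if hdr.get("alg") != "HS256":  # never let the token choose the algorithm
            raise InvalidToken("unexpected alg")
        expected = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise InvalidToken("bad signature")
        payload = json.loads(_b64url_decode(body))
    except ValueError as exc:  # covers malformed base64/JSON and bad split
        raise InvalidToken("malformed token") from exc
    if "exp" in payload and payload["exp"] < time.time():
        raise InvalidToken("expired")
    return payload

def hash_password(password: str) -> str:
    """Salted PBKDF2-SHA256; this is what the migration applies to default users."""
    salt = secrets.token_hex(SALT_LENGTH)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), PBKDF2_ROUNDS).hex()
    return f"pbkdf2:sha256:{PBKDF2_ROUNDS}${salt}${digest}"

def check_password(stored: str, password: str) -> bool:
    method, salt, digest = stored.split("$")
    rounds = int(method.split(":")[2])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds).hex()
    return hmac.compare_digest(candidate, digest)

# Constructed stand-in for the database after the migration ran: hashes, not plaintext.
USERS = {"alice": hash_password("correct horse"), "bob": hash_password("battery staple")}

def authenticate(body):
    """Stand-in for /api/users/authenticate: returns (status, json, cookies)."""
    if not body:
        return 400, {"message": "request body missing"}, None
    uid = body.get("uid")
    if not uid:
        return 400, {"message": "uid missing"}, None
    stored = USERS.get(uid)
    # One message for unknown user and wrong password so the response cannot enumerate accounts.
    if stored is None or not check_password(stored, body.get("password", "")):
        return 401, {"message": "invalid credentials"}, None
    token = encode_jwt({"uid": uid, "exp": int(time.time()) + 3600}, SECRET_KEY)
    return 200, {"message": "ok"}, {"jwt": token}

def token_required(view):
    """Middleware from the description: missing cookie, undecodable token, unknown uid -> 401."""
    def wrapper(cookies, *args, **kwargs):
        token = cookies.get("jwt")
        if not token:
            return 401, {"message": "token is missing"}
        try:
            payload = decode_jwt(token, SECRET_KEY)
        except InvalidToken:
            return 401, {"message": "token is invalid"}
        uid = payload.get("uid")
        if uid not in USERS:
            return 401, {"message": "user not found"}
        return view(uid, *args, **kwargs)
    return wrapper

@token_required
def get_users(current_uid):
    """Protected view: only reached with a valid cookie for an existing user."""
    return 200, {"users": sorted(USERS)}
```

Two choices worth carrying into the real Flask version: the decoder pins the algorithm to HS256 rather than reading it from the token header (pass `algorithms=["HS256"]` to PyJWT's decode for the same effect), and the authenticate endpoint returns the same 401 whether the uid is unknown or the password is wrong.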