deploying to Heroku

Author: AdityaKshettri

app.py

@@ -2,30 +2,81 @@
 
 from flask import Flask
 from flask_restful import Api
-from flask_jwt import JWT
+from flask_jwt_extended import JWTManager
 
-from security import authenticate, identity
-from resources.user import UserRegister
+from resources.user import UserRegister, User, UserLogin, UserLogout, TokenRefresh
 from resources.item import Item, ItemList
 from resources.store import Store, StoreList
+from blacklist import BLACKLIST
 
 app = Flask(__name__)
 
 app.config['DEBUG'] = True
-
 app.config['SQLALCHEMY_DATABASE_URI'] = os.environ.get('DATABASE_URL', 'sqlite:///data.db')
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
+app.config['PROPAGATE_EXCEPTIONS'] = True
+app.config['JWT_BLACKLIST_ENABLED'] = True
+app.config['JWT_BLACKLIST_TOKEN_CHECKS'] = ['access', 'refresh']
 app.secret_key = 'jose'
 api = Api(app)
 
-jwt = JWT(app, authenticate, identity)  # /auth
+jwt = JWTManager(app)
+
+@jwt.user_claims_loader
+def add_claims_to_jwt(identity):
+    if identity == 1:
+        return {'is_admin': True}
+    else:
+        return {'is_admin': False}
+
+@jwt.token_in_blacklist_loader
+def check_if_token_in_blacklist(decrypted_token):
+    return decrypted_token['jti'] in BLACKLIST
+
+@jwt.expired_token_loader
+def expired_token_callback():
+    return {
+        'description': 'The token has expired.',
+        'error': 'token_expired'
+    }, 401
+
+@jwt.invalid_token_loader
+def invalid_token_callback(error):
+    return {
+        'description': 'Signature verification failed.',
+        'error': "invalid_token"
+    }, 401
+
+@jwt.unauthorized_loader
+def missing_token_callback(error):
+    return {
+        'description': 'Request does not contain an access token.',
+        'error': "authorization_required"
+    }, 401
+
+@jwt.needs_fresh_token_loader
+def token_not_fresh_callback():
+    return {
+        'description': 'The token is not fresh.',
+        'error': "fresh_token_required"
+    }, 401
+
+@jwt.revoked_token_loader
+def revoked_token_callback():
+    return {
+        'description': 'The token has been revoked.',
+        'error': "token_revoked"
+    }, 401
 
 api.add_resource(Store, '/store/<string:name>')
 api.add_resource(Item, '/item/<string:name>')
 api.add_resource(ItemList, '/items')
 api.add_resource(StoreList, '/stores')
-
 api.add_resource(UserRegister, '/register')
+api.add_resource(User, '/user/<int:user_id>')
+api.add_resource(UserLogin, '/login')
+api.add_resource(UserLogout, '/logout')
+api.add_resource(TokenRefresh, '/refresh')
 
 if __name__ == '__main__':
     from db import db

blacklist.py

@@ -0,0 +1 @@
+BLACKLIST = set()

models/item.py

@@ -16,12 +16,21 @@ def __init__(self, name, price, store_id):
         self.store_id = store_id
 
     def json(self):
-        return {'name': self.name, 'price': self.price}
+        return {
+            'id': self.id, 
+            'name': self.name, 
+            'price': self.price, 
+            'store_id': self.store_id
+        }
 
     @classmethod
     def find_by_name(cls, name):
         return cls.query.filter_by(name=name).first()
 
+    @classmethod
+    def find_all(cls):
+        return cls.query.all()
+
     def save_to_db(self):
         db.session.add(self)
         db.session.commit()

models/store.py

@@ -12,12 +12,20 @@ def __init__(self, name):
         self.name = name
 
     def json(self):
-        return {'name': self.name, 'items': [item.json() for item in self.items.all()]}
+        return {
+            'id': self.id, 
+            'name': self.name, 
+            'items': [item.json() for item in self.items.all()]
+        }
 
     @classmethod
     def find_by_name(cls, name):
         return cls.query.filter_by(name=name).first()
 
+    @classmethod
+    def find_all(cls):
+        return cls.query.all()
+
     def save_to_db(self):
         db.session.add(self)
         db.session.commit()

models/user.py

@@ -11,11 +11,21 @@ class UserModel(db.Model):
     def __init__(self, username, password):
         self.username = username
         self.password = password
+    
+    def json(self):
+        return {
+            'id': self.id, 
+            'username': self.username
+        }
 
     def save_to_db(self):
         db.session.add(self)
         db.session.commit()
 
+    def delete_from_db(self):
+        db.session.delete(self)
+        db.session.commit()
+
     @classmethod
     def find_by_username(cls, username):
         return cls.query.filter_by(username=username).first()

requirements.txt

@@ -1,6 +1,6 @@
 Flask
 Flask-RESTful
-Flask-JWT
+Flask-JWT-Extended
 Flask-SQLAlchemy
 uwsgi
 psycopg2

resources/item.py

@@ -1,5 +1,11 @@
 from flask_restful import Resource, reqparse
-from flask_jwt import jwt_required
+from flask_jwt_extended import (
+    jwt_required, 
+    get_jwt_claims, 
+    jwt_optional, 
+    get_jwt_identity, 
+    fresh_jwt_required
+)
 from models.item import ItemModel
 
 class Item(Resource):
@@ -15,13 +21,14 @@ class Item(Resource):
         help="Every item needs a store id."
     )
 
-    @jwt_required()
+    @jwt_required
     def get(self, name):
         item = ItemModel.find_by_name(name)
         if item:
             return item.json()
         return {'message': 'Item not found'}, 404
 
+    @fresh_jwt_required
     def post(self, name):
         if ItemModel.find_by_name(name):
             return {'message': "An item with name '{}' already exists.".format(name)}, 400
@@ -37,7 +44,11 @@ def post(self, name):
 
         return item.json(), 201
 
+    @jwt_required
     def delete(self, name):
+        claims = get_jwt_claims()
+        if not claims['is_admin']:
+            return {'message': 'Admin priveledges required.'}, 401
         item = ItemModel.find_by_name(name)
         if item:
             item.delete_from_db()
@@ -60,5 +71,14 @@ def put(self, name):
 
 
 class ItemList(Resource):
+
+    @jwt_optional
     def get(self):
-        return {'items': [x.json() for x in ItemModel.query.all()]}
+        user_id = get_jwt_identity()
+        items = [item.json() for item in ItemModel.find_all()]
+        if user_id:
+            return {'items': items}, 200
+        return {
+            'items': [item['name'] for item in items],
+            'message': 'More data available if you log in.'
+        }, 200

resources/store.py

@@ -29,4 +29,4 @@ def delete(self, name):
 
 class StoreList(Resource):
     def get(self):
-        return {'stores': [store.json() for store in StoreModel.query.all()]}
+        return {'stores': [store.json() for store in StoreModel.find_all()]}

resources/user.py

@@ -1,23 +1,34 @@
-import sqlite3
 from flask_restful import Resource, reqparse
+from werkzeug.security import safe_str_cmp
+from flask_jwt_extended import (
+    create_access_token, 
+    create_refresh_token, 
+    jwt_refresh_token_required, 
+    get_jwt_identity,
+    jwt_required,
+    get_raw_jwt
+)
+
 from models.user import UserModel
+from blacklist import BLACKLIST
 
-class UserRegister(Resource):
+_user_parser = reqparse.RequestParser()
+_user_parser.add_argument('username',
+    type=str,
+    required=True,
+    help="This field cannot be blank."
+)
+_user_parser.add_argument('password',
+    type=str,
+    required=True,
+    help="This field cannot be blank."
+)
 
-    parser = reqparse.RequestParser()
-    parser.add_argument('username',
-        type=str,
-        required=True,
-        help="This field cannot be blank."
-    )
-    parser.add_argument('password',
-        type=str,
-        required=True,
-        help="This field cannot be blank."
-    )
+
+class UserRegister(Resource):
 
     def post(self):
-        data = UserRegister.parser.parse_args()
+        data = _user_parser.parse_args()
 
         if UserModel.find_by_username(data['username']):
             return {"message": "A user with that username already exists"}, 400
@@ -26,3 +37,56 @@ def post(self):
         user.save_to_db()
 
         return {"message": "User created successfully."}, 201
+
+
+class User(Resource):
+
+    @classmethod
+    def get(cls, user_id):
+        user = UserModel.find_by_id(user_id)
+        if not user:
+            return {'message': 'User not found'}, 404
+        return user.json()
+
+    @classmethod
+    def delete(cls, user_id):
+        user = UserModel.find_by_id(user_id)
+        if not user:
+            return {'message': 'User not found'}, 404
+        user.delete_from_db()
+        return {'message': 'User deleted'}, 200
+
+
+class UserLogin(Resource):
+    
+    @classmethod
+    def post(cls):
+        data = _user_parser.parse_args()
+        user = UserModel.find_by_username(data['username'])
+
+        if user and safe_str_cmp(user.password, data['password']):
+            access_token = create_access_token(identity=user.id, fresh=True)
+            refresh_token = create_refresh_token(user.id)
+            return {
+                'access_token': access_token,
+                'refresh_token': refresh_token
+            }, 200
+
+        return {'message': 'Invalid credentials'}, 401
+
+
+class UserLogout(Resource):
+    @jwt_required
+    def post(self):
+        jti = get_raw_jwt()['jti'] #jti is "JWT ID", a unique identifier for a JWT
+        BLACKLIST.add(jti)
+        return {'message': 'Successfully logged out'}, 200
+
+
+class TokenRefresh(Resource):
+
+    @jwt_refresh_token_required
+    def post(self):
+        current_user = get_jwt_identity()
+        new_token = create_access_token(identity=current_user, fresh=False)
+        return {'access_token': new_token}, 200

runtime.txt

@@ -1 +1 @@
-python-3.7.5
+python-3.8.2