arxiv.users.auth.middleware module
Middleware for interpreting authn/z information on requests.

This module provides AuthMiddleware, which unpacks encrypted JSON Web Tokens provided via the Authorization header. This is intended to support requests that have been pre-authorized by the web server using the authenticator service (see authenticator).

The configuration parameter JWT_SECRET must be set in the WSGI request environ (e.g. Apache's SetEnv) or in the runtime environment. This must be the same secret that was used by the authenticator service to mint the token.

To install the middleware, use the pattern described in arxiv.base.middleware. For example:

    from flask import Flask

    from arxiv.base import Base
    from arxiv.base.middleware import wrap
    from arxiv.users import auth


    def create_web_app() -> Flask:
        app = Flask('foo')
        Base(app)
        auth.Auth(app)
        # Wrap the WSGI app so AuthMiddleware runs before each request.
        wrap(app, [auth.middleware.AuthMiddleware])
        return app

For convenience, this is intended to be used with arxiv.users.auth.decorators.

class arxiv.users.auth.middleware.AuthMiddleware(app)

Bases: arxiv.base.middleware.base.BaseMiddleware

Middleware to handle auth information on requests.

Before the request is handled by the application, the Authorization header is parsed for an encrypted JWT. If successfully decrypted, information about the user and their authorization scope is attached to the request. This can be accessed in the application via flask.request.environ['session']. If the Authorization header was not included, then that value will be None.

If the JWT could not be decrypted, the value will be an Unauthorized exception instance. We cannot raise the exception here, because the middleware is executed outside of the Flask application. It's up to something running inside the application (e.g. arxiv.users.auth.decorators.scoped()) to raise the exception.
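
The deferred-raise behaviour described above, as an added stdlib-only sketch that is not the arxiv.users implementation: the middleware records a session, None, or an Unauthorized instance in environ['session'], and an in-app check raises it. The names SketchAuthMiddleware, require_scope, mint and decode, the HS256-signed token (standing in for the project's token handling, which this page does not show), the raw header value as the token, and the 'scope' claim are all assumptions.

```python
import base64, hashlib, hmac, json
class Unauthorized(Exception):
    """Stand-in for the Unauthorized exception named on the page."""

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _sign(msg, secret):
    return _b64(hmac.new(secret.encode(), msg, hashlib.sha256).digest())

def mint(claims, secret):
    """Constructed helper playing the authenticator's role (assumed HS256 token)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return b".".join([head, body, _sign(head + b"." + body, secret)]).decode()

def decode(token, secret):
    """Verify the token against the shared secret, then return its claims."""
    try:
        head, body, sig = token.encode().split(b".")
    except ValueError:
        raise Unauthorized("malformed token") from None
    if not hmac.compare_digest(sig, _sign(head + b"." + body, secret)):
        raise Unauthorized("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))

class SketchAuthMiddleware:
    """Runs outside the application: never raises, only records the outcome."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        token = environ.get("HTTP_AUTHORIZATION")  # raw header value (assumption)
        if token is None:
            environ["session"] = None  # no header: nothing to interpret
        else:
            try:
                environ["session"] = decode(token, environ["JWT_SECRET"])
            except Unauthorized as exc:
                environ["session"] = exc  # deferred: raised later, inside the app
        return self.app(environ, start_response)

def require_scope(environ, scope):
    """In-app check (the role scoped() plays): raise the deferred error here."""
    session = environ.get("session")
    if isinstance(session, Exception):
        raise session
    if session is None or scope not in session.get("scope", []):
        raise Unauthorized("missing or insufficient authorization")
    return session
```

A view that skips the in-app check and only tests environ['session'] for truthiness would treat the stored exception instance as a valid session, so the type check has to come first.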