arxiv.users.auth.middleware module

Middleware for interpreting authn/z information on requests.

This module provides AuthMiddleware, which unpacks encrypted JSON Web Tokens provided via the Authorization header. This is intended to support requests that have been pre-authorized by the web server using the authenticator service (see authenticator).

The configuration parameter JWT_SECRET must be set in the WSGI request environ (e.g. Apache’s SetEnv) or in the runtime environment. This must be the same secret that was used by the authenticator service to mint the token.

To install the middleware, use the pattern described in arxiv.base.middleware. For example:

from flask import Flask

from arxiv.base import Base
from arxiv.base.middleware import wrap
from arxiv.users import auth


def create_web_app() -> Flask:
    app = Flask('foo')
    Base(app)
    auth.Auth(app)
    # Wrap the WSGI app so the Authorization header is parsed before Flask runs.
    wrap(app, [auth.middleware.AuthMiddleware])
    return app

For convenience, this is intended to be used with arxiv.users.auth.decorators.

class arxiv.users.auth.middleware.AuthMiddleware(app)

Bases: arxiv.base.middleware.base.BaseMiddleware

Middleware to handle auth information on requests.

Before the request is handled by the application, the Authorization header is parsed for an encrypted JWT. If successfully decrypted, information about the user and their authorization scope is attached to the request.

This can be accessed in the application via flask.request.environ['session']. If the Authorization header was not included, then that value will be None.

If the JWT could not be decrypted, the value will be an Unauthorized exception instance. We cannot raise the exception here, because the middleware is executed outside of the Flask application. It’s up to something running inside the application (e.g. arxiv.users.auth.decorators.scoped()) to raise the exception.

before(environ, start_response)

Decode and unpack the auth token on the request.

Return type: Tuple[dict, Callable]
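As an added illustration, not code from arxiv.users itself: a stand-alone sketch of the three outcomes before() is documented to produce (None, the decoded session, or an Unauthorized instance in environ['session']). The real middleware unpacks encrypted JWTs; this sketch verifies HS256-signed tokens with the standard library only so it runs offline, reads JWT_SECRET from the WSGI environ or the process environment, and assumes the header is either a bare token or "Bearer <token>". mint_token stands in for the authenticator service.

```python
import base64, hashlib, hmac, json, os
from typing import Callable, Tuple


class Unauthorized(Exception):
    """Placed in environ['session'] when the token cannot be verified."""

def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def mint_token(claims: dict, secret: str) -> str:
    """Stand-in for the authenticator service: HS256-sign the claims (constructed example)."""
    head = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{_b64url_encode(_sign(signing_input, secret))}"

def decode_token(token: str, secret: str) -> dict:
    """Return the claims of a correctly signed token, else raise Unauthorized."""
    try:
        head, body, sig = token.split(".")
        # Check the signature (constant-time) before trusting anything in the payload.
        if not hmac.compare_digest(_sign(f"{head}.{body}", secret), _b64url_decode(sig)):
            raise Unauthorized("signature mismatch")
        return json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError) as exc:
        raise Unauthorized("malformed token") from exc

def before(environ: dict, start_response: Callable) -> Tuple[dict, Callable]:
    """Set environ['session'] to None, the decoded claims, or an Unauthorized instance."""
    secret = environ.get("JWT_SECRET") or os.environ.get("JWT_SECRET")
    if not secret:  # deployment error, not a client error: fail loudly
        raise RuntimeError("JWT_SECRET is not configured")
    header = environ.get("HTTP_AUTHORIZATION")
    if header is None:
        environ["session"] = None
    else:
        try:  # assumption: "Bearer <token>" or a bare token
            environ["session"] = decode_token(header.split(" ", 1)[-1], secret)
        except Unauthorized as exc:
            environ["session"] = exc  # raised later, inside the Flask app
    return environ, start_response
```

The stored exception is deliberately not raised here, mirroring the documented design: only code running inside the Flask application (for example a scoped() decorator) can turn it into an HTTP error response.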