With flask_jwt_extended, whenever I'm trying to send a POST request with the following decorators:
I am having this 401 error:
"msg": "Missing CSRF token"
When I use a GET instead, it's working fine. I have read the documentation that talk about double submit protection, but that does not solve my problem. Any ideas how I could fix my issue? The code to reproduce the problem is below.
Below is the structure of my code:
- src/__init.py__ # where I put all configs
- src/ # where are the endpoints
login_serializer = URLSafeTimedSerializer(SERIALIZER_SECRET_KEY)
jwt = JWTManager()
def create_app():
app = Flask(__name__)
app.config['JWT_TOKEN_LOCATION'] = ['cookies']
app.config['JWT_COOKIE_CSRF_PROTECT'] = True
# blueprint for auth routes in our app
from .auth import auth as auth_blueprint
# blueprint for non-auth parts of app
from .routes import main as main_blueprint
return app
import logging
from flask import Blueprint, request, current_app as app, jsonify
from import generate_password_hash, check_password_hash
from . import login_serializer, jwt
from flask_jwt_extended import (jwt_required, jwt_refresh_token_required,
get_jwt_identity, get_raw_jwt, unset_jwt_cookies,
current_user, create_access_token, create_refresh_token, set_access_cookies, set_refresh_cookies)
auth = Blueprint('auth', __name__)
def set_response_cookies(token_identity, resp=None, token_types=["access", "refresh"]):
Helper function to set cookies in response
logging.warning("Setting cookies")
resp = jsonify(resp)
if token_types == ["access", "refresh"]:
access_token = create_access_token(identity = token_identity)
refresh_token = create_refresh_token(identity = token_identity)
if not resp:
resp = jsonify({"access_token": access_token, "refresh_token": refresh_token})
set_access_cookies(resp, access_token)
set_refresh_cookies(resp, refresh_token)
return resp
elif token_types == ["access"]:
access_token = create_access_token(identity = token_identity)
if not resp:
resp = jsonify({"access_token": access_token})
set_access_cookies(resp, access_token)
return resp
elif token_types == ["refresh"]:
refresh_token = create_refresh_token(identity = token_identity)
if not resp:
resp = jsonify({"refresh_token": refresh_token})
set_refresh_cookies(resp, refresh_token)
return resp
raise ValueError("Wrong Call to this function")
def add_claims_to_access_token(identity):
return {
'email': identity
def user_loader_callback(identity):
Ignore Here, but I use it to get a User object (not mentionned here) from a Token.
return User.objects(
@auth.route('/token', methods=['POST'])
def token_post():
""" obj =
{"email": "email", "password": "password"} => Tokens
obj = request.get_json()
resp = set_response_cookies(obj["email"], {"token": True}, ["access", "refresh"])
return resp, 200
@auth.route('/token/access', methods=['POST'])
def refresh_access_cookies():
if current_user:
resp = set_response_cookies(, {"token_refreshed": True}, ["access"])
return resp, 200
So, here, all I have to do to reproduce the error is:
Make a POST request to /token => In postman, my response will get all cookies and headers.
Make a POST request to /token/access => Give the error mentioned above.
Upvotes: 5
Views: 2211
Reputation: 186
On your configuration, you enabled JWT_COOKIE_CSRF_PROTECT
to true.
For devep purpose, the error will be gone if you can set it to False which may not safe.
On production, You need to pass csrf_token on your request header.
I think this links can help you. (see the last section)
Upvotes: 0