Flask-jwt-extended

Latest version: v4.6.0


3.1.1

* Fix some issues introduced in 3.1.0 when using a JWT_IDENTITY_CLAIM that is not 'identity' (67)

3.1.0

* Allows changing the identity claim name via the JWT_IDENTITY_CLAIM option (65)

3.0.0

First off, sorry in advance, as this is a big breaking change for how blacklist and token revoking work. If you use these features, you will need to update your application accordingly to get everything working with the 3.x.x releases. If you are not using the token blacklisting/revoking features, you should be able to update to the 3.x.x releases without any issues.

Token revoking has always been the weakest part of this extension. It locked you in to a single (not overly efficient) way of doing things, and didn't provide any way to customize this feature to fit with your application's needs. This library always aimed to give you the tools needed so that you could do whatever it was you wanted to do with your application. Unfortunately, the original blacklist feature did not do this, and thus why I am making a large breaking change to introduce a new blacklisting system.

This new blacklisting system only requires that you give this extension a callback function that checks if a token has been revoked or not. It is now up to you to provide this function, as well as keeping track of the revoked tokens.

To upgrade to the 3.x.x branch, you will need to remove the `app.config['JWT_BLACKLIST_STORE']`, and use your own code to store blacklisted tokens. You will also need to use the `jwt.token_in_blacklist_loader` to provide a callback method which we use to check if a token is expired. Finally, if you are using `app.config['JWT_BLACKLIST_STORE'] = 'all'`, you will need to change it to `app.config['JWT_BLACKLIST_STORE'] = ['access', 'refresh']`.

Check out these links for examples that you can use with your application:

- https://github.com/vimalloc/flask-jwt-extended/blob/master/examples/blacklist.py
- https://github.com/vimalloc/flask-jwt-extended/blob/master/examples/redis_blacklist.py
- https://github.com/vimalloc/flask-jwt-extended/tree/master/examples/database_blacklist


(I'm also generally available in IRC to help out if you have any questions. I am in `flask-jwt-extended` on `freenode`).

Final Note: I know breaking changes suck. I am very happy with where this extension is at now, and do not foresee any more breaking changes on the horizon. I will do everything I can to prevent more breaking changes from here on out.

Change List
---------------
* JWT_BLACKLIST_STORE option has been removed.
* all simplekv code has been removed.
* JWT_BLACKLIST_TOKEN_CHECKS option now takes a string or a list of strings, and the valid strings are ['access', 'refresh'] instead of 'refresh' or 'all'.
* JWT_BLACKLIST_TOKEN_CHECKS option now defaults to ['access', 'refresh']. This is the equivalent of the 'all' option in 2.x.x.
* Add jwt.token_in_blacklist_loader decorator. This is used to register a callback function for checking if a token has been blacklisted.
* Add decode_token(encoded_token) function, which lets you decode an encoded token.
* Users now need to add tokens to the blacklist themselves; they are no longer automatically added in the create_access_token() and create_refresh_token() calls.
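
The application-side store that 3.0.0 asks you to supply can look like the following. This is an added example, not code from the project or its linked examples; `RevokedTokenStore`, the in-memory dict and the sample claims are assumptions, and the store keys on the `jti` claim and fails closed when it is missing.

```python
import threading
import time


class RevokedTokenStore:
    """Application-side record of revoked tokens, keyed by the 'jti' claim."""

    def __init__(self, clock=time.time):
        self._revoked = {}  # jti -> exp (epoch seconds), or None if no exp claim
        self._lock = threading.Lock()
        self._clock = clock

    def revoke(self, claims):
        """Record a decoded token as revoked (3.x no longer does this for you)."""
        with self._lock:
            self._revoked[claims["jti"]] = claims.get("exp")

    def is_revoked(self, claims):
        """Callback for jwt.token_in_blacklist_loader: True rejects the request."""
        jti = claims.get("jti")
        if not jti:
            return True  # fail closed: a token we cannot identify is not trusted
        with self._lock:
            return jti in self._revoked

    def prune(self):
        """Forget entries whose token has expired anyway; returns how many."""
        now = self._clock()
        with self._lock:
            stale = [j for j, exp in self._revoked.items() if exp is not None and exp <= now]
            for j in stale:
                del self._revoked[j]
        return len(stale)


def demo():
    """Run the store over constructed claims standing in for decode_token() output."""
    now = 1_700_000_000
    store = RevokedTokenStore(clock=lambda: now + 3600)  # clock fixed 1h after issue
    access = {"jti": "a1", "type": "access", "exp": now + 900}
    refresh = {"jti": "r1", "type": "refresh", "exp": now + 86400}
    store.revoke(access)
    store.revoke(refresh)
    removed = store.prune()  # drops only the access token, which has already expired
    return store.is_revoked(refresh), store.is_revoked({}), removed

# Wiring in a 3.x app (comments only; `jwt` is the app's JWTManager, assumed):
#   jwt.token_in_blacklist_loader(store.is_revoked)
#   store.revoke(decode_token(encoded_token))   # e.g. on logout
```

Pruning is safe only because an expired token is already rejected on its `exp` claim; a process-local dict also loses revocations on restart and is not shared between workers, which is why the linked Redis and database examples exist.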

2.4.1

* Export get_jti(encoded_token) in __init__.py (53)

2.4.0

* Adds user_loader feature (49 and 56): Documentation here: http://flask-jwt-extended.readthedocs.io/en/latest/complex_objects_from_token.html

2.3.0

* Adds ability to overwrite expires time in create_access_token and create_refresh_token with optional expires_delta kwarg (52 and 55)


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.