flask-jwt-extended

• Adds new JWT_ERROR_MESSAGE_KEY option to change the JSON key on the default error messages (#160)

• Adds new JWT_CLAIMS_IN_REFRESH_TOKEN configuration option, which if set to true will cause the user claims to be loaded into refresh tokens as well as access tokens (#100).

I forgot to actually increase the version number on the 3.9.0 release. Whoops. Nothing new from 3.9.0 minus a the version number fix.

• Allows passing JWTs in via the query string (#117). Note that in most cases this is not a great idea, see the documentation as to why.
• Break out code to verify JWTs in a request into helper functions. This allows you to easily create your own decorators that utilize this extension (such as a role_required decorator), or hook up functionality to a flask before_request. (#131)

• Allow option to unset access and refresh cookies independently of each other (#148)

• Fixes JSON encoder added in 3.8.0 (#140)

• Default to the Flask JSON encoder and allows for custom JSON encoders for encoding JWTs (#139)

• Fixes a CSRF error when using jwts in cookies and the @jwt_optional decorator (#129)

In this release, we are no longer toggling the flask PROPAGATE_EXCEPTIONS = True setting in this extension. It was set in here initially to get things working with flask-restful, but setting a global flask option in here just so that it would work with another flask extension was a poor design choice.

Note that if you are using flask-restful (or possibly other extensions) and the error handlers stop working after this update, you will need to manually set the PROPAGATE_EXCEPTIONS setting in your configuration to keep everything working. Sorry all the inconvenience.

• Removed PROPAGATE_EXCEPTIONS setting from this extension
• Internal cleanup and refactoring

• @jwt_required (et al) no longer require authorization to be present on an OPTIONS request (#119)
• Add Add Werkzeug>=0.14 to install requirements (#115)

• Adds ability to use the samesite cookie attribute (#34, #113, #115). Requires Werkzeug >= 0.14. Thanks @farshiana!

• Exports get_csrf_token to the api (#112)

• Add ability to set the fresh argument when creating access tokens to a datetime.timedelta, which will cause the token to be marked as fresh from now until the timedelta is past (#107). Thanks @dunkmann00!

• Add ability to disable expires check for JWTs (#105 and #106). Thanks @beenje!

• Fix MANIFEST.in spelling, caused LICENSE file to not be properly included in pypi (#88)

• Previous test of 3.3.2 (for adding license file) caused pypi to not allow 3.3.2 to be reused, even though that release was nuked. Just incrementing the version number once more. See the 3.3.2 release notes

• Add ability to change user claims name in token (#92)
• Update unittest and convert test suite to pytest (#77)
• Allow get_jwt_identity (et al) to work in claims_verification_loader (#90)
• Dropped support for python 3.3 (#89)
• Add LICENSE file to the pypi package (#88)

• No longer returns the InvalidHeaderError handler if an authorization header appears in a different format then we expect in the @jwt_optional endpoint. (refs #82)

• Add possibility to set up cookies max-age during runtime (#81)
• Register this extension with a flask app in a more proper way (043ba2390ee82920c6297e9334fee9113df8b8b5)

• Adds optional @jwt.claims_verification_loader and @jwt.claims_verification_failed_loader to do verification of the user_claims in an access token (refs #64 #70)