23

I am using Python 3.5.1 with Requests 2.9.1. My use case as follows: I need to authenticate (get a token) from service T and use it as value of the Authorization header when making requests to a resource server R. The token expires at some point and a new one needs to be fetched.

I have an application using requests, which when started first fetches a token and remembers it - sets in the Session used for requests to R. From then on for 3 minutes, everything works as a charm. After 3 minutes, I get unauthorized responses as the token is invalid.

I use Session for all requests except for the one to authenticate; this call updates the Authorization header on the Session for other requests to use.

I created code to re-authenticate automatically when unauthorized is detected, using the response hook (set only on the Session), here is the code:

def __hook(self, res, *args, **kwargs):
    if res.status_code == requests.codes.unauthorized:
        print('Token expired, refreshing')
        self.auth() # sets the token on self.__session

        req = res.request
        print('Resending request', req.method, req.url, req.headers)
        req.headers['Authorization'] = self.__session.headers['Authorization'] # why is it needed?

        return self.__session.send(res.request)

Basically, it even works. There are a couple of issues, though:

  1. Why is it necessary to re-set the Authorization header on the request, even though the session is updated and is used to resend the original request? Without the line, the application will just keep on refreshing the token as the new one is never used, this can be seen in the output, the token is the original one which caused the automatic refresh.

  2. How can I make the code more robust, i.e. prevent endless recursion (I am not sure whether it is possible in reality, but with the line setting the Authorization header on the retried request it will just go on an on)? I was thinking of setting a custom header, and if the hooks discovers the failed request has it, it would not re-authenticate and resend. Is there anything better? Edit: it turns out it is possible to get an (almost) endless loop (it is recursive, after all) if the configuration is wrong: the tokens are taken for one environment (like STAGING), but the resource server is from another (TEST) - the auth request will succeed but the token is actually incorrect for the resource server. For the time being I implemented the 'special' header solution mentioned above.

Is this a good approach in general or is there anything better suited for the task in requests?

wujek
  • 10,112
  • 12
  • 52
  • 88
  • 1
    Without resetting the authorization header the client won't have the new token and without the new token it won't be able to make the request after the next three minutes. – formatkaka May 10 '16 at 17:15
  • Do you know in advance when the token will expire? If so, it's much more efficient to refresh the token in advance, before it expires. – Peter Schorn Apr 22 '21 at 02:44
  • Bit of a necro bump, but I figured out why resetting the authorization header is required. It's because `res.request` is a `PreparedRequest` which has a copy of the headers, here's another way to reconfigure the headers in the `PreparedRequest`: `request.prepare_headers(self._session.headers)` – Jess Jun 10 '21 at 16:55
  • Also pykube-ng has a really nice set of examples on how you could do this as well in their source: https://codeberg.org/hjacobs/pykube-ng/src/branch/main/pykube/http.py – Jess Jun 10 '21 at 16:56

3 Answers3

8

Here's the same solution but without using a class

session = requests.Session()
session.headers.update({"Authorization": f"Bearer deliberate-wrong-token"})

def refresh_token(r, *args, **kwargs):
    if r.status_code == 401:
        logger.info("Fetching new token as the previous token expired")
        token = get_token()
        session.headers.update({"Authorization": f"Bearer {token}"})
        r.request.headers["Authorization"] = session.headers["Authorization"]
        return session.send(r.request, verify=False)

session.hooks['response'].append(refresh_token)
Yesh
  • 976
  • 12
  • 15
3

The eventual code I came up with to solve this. It is more complete than OP. It exposes a session attribute you can use for authenticated requests.

The reason why you have to recall auth is because .send just sends the PreparedRequest.

If you don't like the REATTEMPT header I added to prevent infinite recursion. You can also de-register the hook like OP mentioned (but you have to register it again for use in the future), or in my coded class instead do the new request with self._session instead of self.session. (self._session is just a session without hooks.)

import requests
from urllib.parse import urljoin

class JWTAuth:

    def __init__(self, user, passw, base):
        self.base = base
        self.user, self.passw = user, passw

        self._session = requests.Session()  # Session for tokens
        self.authenticate()

        self.session = requests.Session()  # Authenticated session
        self.session.auth = self.auth
        self.session.hooks['response'].append(self.reauth)

    def abs_url(self, path):
        """Combine the base url with a path."""
        return urljoin(self.base, path)

    def auth(self, req):
        """Just set the authentication token, on every request."""
        req.headers['Authorization'] = f'JWT {self.access}'
        return req

    def reauth(self, res, *args, **kwargs):
        """Hook to re-authenticate whenever authentication expires."""
        if res.status_code == requests.codes.unauthorized:
            if res.request.headers.get('REATTEMPT'):
                res.raise_for_status()
            self.refresh_auth()
            req = res.request
            req.headers['REATTEMPT'] = 1
            req = self.session.auth(req)
            res = self.session.send(req)
            return res

    def refresh_auth(self):
        """Use the refresh token to get a new access token."""
        res = self._session.post(self.abs_url("api/token/refresh/"), data={"refresh": self.refresh})
        if res.status_code == 200:
            self.access = res.json()['access']
        else:
            # Token expired -> re-authenticate
            self.authenticate()

    def authenticate(self):
        res = self._session.post(
            self.abs_url("api/token/"),
            data={"username": self.user, "password": self.passw},
        )
        res.raise_for_status()
        data = res.json()
        self.refresh, self.access = data['refresh'], data['access']
Hielke Walinga
  • 2,677
  • 1
  • 17
  • 30
2

So I got in touch with the Requests author discussing an unrelated issue and asked about this, and it turns out this approach is Ok. The only changed I did was to drop the custom header (it does work and is also Ok) and now I just deregister the response hook within the hook before re-sending the request. This breaks the loop and all is nice.

wujek
  • 10,112
  • 12
  • 52
  • 88
  • 1
    Care to share to final solution? if any – Julian Camilleri Jul 19 '18 at 14:39
  • @belthazorNv - sorry, I don't have it available right now, will be able to access it in about a month and will post it then if you are still interested. – wujek Aug 07 '18 at 01:52
  • 1
    Thanks managed to get it all done. - got to say, I hate that `Retry` adapter doesn't honour the response hooks. – Julian Camilleri Aug 07 '18 at 08:48
  • How did you access session variable inside the hook ? self.__session , when I declare the same , missing 1 required positional argument: 'res' , How did you register the hook ? session = requests.Session() session.hooks = {'response': response_hook} – Jeffin Sam Sep 08 '20 at 08:47
  • Sorry @JeffinSam it's been a long time I don't have the code any more but AFAIK the code I posted originally is pretty complete, but the requests version was much older. – wujek Sep 09 '20 at 07:46