Flask JWT Extended Cookie Auth & WSGI raise 500 error instead of 401

Question

I build a flask API for my purpose and want to integrate a JWT token auth via cookie. Everythings works well in my development environment. An unauthorized request answers with a 401 unauthorized. Below is an example endpoint.

class TasksAPI(Resource):
    @jwt_required()
    def get(self):
        active = request.args.get("active")
        current_app.logger.info("Get all tasks")
        tasksdb = db.query(models.Tasks).all()
        app = celery_app.celery.control.inspect()
        taskscelery = app.active()
        try:
            tasklistcelery = []
            for key, values in taskscelery.items():
                for x in values:
                    tasklistcelery.append(x)
        except AttributeError:
            pass
        tasklist = unpickle_list(tasksdb)
        if active is not None:
            if active.lower() == "true":
                active_ids = []
                active_tasks = []
                for task in tasklistcelery:
                    active_ids.append(task["id"])
                for task in tasklist:
                    if task["id"] in active_ids:
                        active_tasks.append(task)
                return Response(status=200, response=json.dumps(active_tasks), mimetype="application/json")
            else:
                return Response(status=400, response="Active is not true")
        return Response(status=200, response=json.dumps(tasklist), mimetype="application/json")

Postman shows something like this: 401 NOT AUTHORIZED:

{
    "msg": "Missing cookie \"access_token_cookie\""
}

After putting it into a production test scenario behind Apache and WSGI, the behavior changes and I receive a 500 INTERNAL SERVER ERROR and the following response message:

{
    "message": "Internal Server Error"
}

The apache error log shows the following:

[Wed Mar 29 14:25:47.255850 2023] [wsgi:error] [pid ] [remote ] [2023-03-29 14:25:47,254] ERROR in app: Exception on /api/v1/tasks [GET]
[Wed Mar 29 14:25:47.256021 2023] [wsgi:error] [pid ] [remote ] Traceback (most recent call last):
[Wed Mar 29 14:25:47.256061 2023] [wsgi:error] [pid ] [remote ]   File "/var/www/cameraservice/venv/lib/python3.9/site-packages/flask/app.py", line 1820, in full_dispatch_request
[Wed Mar 29 14:25:47.256096 2023] [wsgi:error] [pid ] [remote ]     rv = self.dispatch_request()
[Wed Mar 29 14:25:47.256129 2023] [wsgi:error] [pid ] [remote ]   File "/var/www/cameraservice/venv/lib/python3.9/site-packages/flask/app.py", line 1796, in dispatch_request
[Wed Mar 29 14:25:47.256162 2023] [wsgi:error] [pid ] [remote ]     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
[Wed Mar 29 14:25:47.256194 2023] [wsgi:error] [pid ] [remote ]   File "/var/www/cameraservice/venv/lib/python3.9/site-packages/flask_restful/__init__.py", line 467, in wrapper
[Wed Mar 29 14:25:47.256226 2023] [wsgi:error] [pid ] [remote ]     resp = resource(*args, **kwargs)
[Wed Mar 29 14:25:47.256259 2023] [wsgi:error] [pid ] [remote ]   File "/var/www/cameraservice/venv/lib/python3.9/site-packages/flask/views.py", line 107, in view
[Wed Mar 29 14:25:47.256292 2023] [wsgi:error] [pid ] [remote ]     return current_app.ensure_sync(self.dispatch_request)(**kwargs)
[Wed Mar 29 14:25:47.256326 2023] [wsgi:error] [pid ] [remote ]   File "/var/www/cameraservice/venv/lib/python3.9/site-packages/flask_restful/__init__.py", line 582, in dispatch_request
[Wed Mar 29 14:25:47.256359 2023] [wsgi:error] [pid ] [remote ]     resp = meth(*args, **kwargs)
[Wed Mar 29 14:25:47.256390 2023] [wsgi:error] [pid ] [remote ]   File "/var/www/cameraservice/venv/lib/python3.9/site-packages/flask_jwt_extended/view_decorators.py", line 153, in decorator
[Wed Mar 29 14:25:47.256424 2023] [wsgi:error] [pid ] [remote ]     verify_jwt_in_request(optional, fresh, refresh, locations, verify_type)
[Wed Mar 29 14:25:47.256457 2023] [wsgi:error] [pid ] [remote ]   File "/var/www/cameraservice/venv/lib/python3.9/site-packages/flask_jwt_extended/view_decorators.py", line 89, in verify_jwt_in_request
[Wed Mar 29 14:25:47.256545 2023] [wsgi:error] [pid ] [remote ]     jwt_data, jwt_header, jwt_location = _decode_jwt_from_request(
[Wed Mar 29 14:25:47.256580 2023] [wsgi:error] [pid ] [remote ]   File "/var/www/cameraservice/venv/lib/python3.9/site-packages/flask_jwt_extended/view_decorators.py", line 341, in _decode_jwt_from_request
[Wed Mar 29 14:25:47.256615 2023] [wsgi:error] [pid ] [remote ]     raise NoAuthorizationError(errors[0])
[Wed Mar 29 14:25:47.256647 2023] [wsgi:error] [pid ] [remote ] flask_jwt_extended.exceptions.NoAuthorizationError: Missing cookie "access_token_cookie"

I tried to solve this problem by trying to catch the NoAuthorizationError inside the get function, but it never goes there, seems to raise the error before entering the function. Next approach was adding the following custom error handler inside the app.py:

from flask import Flask, jsonify
from flask_jwt_extended.exceptions import JWTExtendedException

app = Flask(__name__)

# ...

@app.errorhandler(JWTExtendedException)
def handle_auth_error(e):
    response = jsonify({
        'message': str(e),
        'status_code': e.status_code
    })
    response.status_code = e.status_code
    return response

This also did not work, maybe because the TasksAPI is part of another file and not inside the app.py? But I am a bit clueless right now and hope somebody can help me with my problem of error handling in wsgi.

Answer 1

Okay, just a short update, maybe it is useful for others: Since I wanted to be in a situation that is like my production environment, therefore I did not turn on the Debug-Config. Now I switched to

app.config['DEBUG'] = True

and I could see the 401 status in Postman. Probably not the ideal way, but it works for me at the moment.