Check token validity before confirming email address on flask and flask-login

Time:02-02

I'm trying to add this email verification process in to my flask app.

Within app/models.py I have this:

import jwt
from time import time
from flask import current_app

# methods of the User model (db.Model) in app/models.py
    def get_confirm_account_token(self, expires_in=600):
        # signed token carrying the user id and an expiry 10 minutes out
        return jwt.encode(
            {'confirm_account': self.id, 'exp': time() + expires_in},
            current_app.config['SECRET_KEY'], algorithm='HS256')

    @staticmethod
    def verify_confirm_account_token(token):
        try:
            id = jwt.decode(token, current_app.config['SECRET_KEY'],
                            algorithms=['HS256'])['confirm_account']
        except (jwt.PyJWTError, KeyError):  # bad signature, expired, malformed, or wrong claim
            return None
        return User.query.get(id)

In my route.py I call send_account_verify_email(user) after the user registers which in turn generates a token:

token = user.get_confirm_account_token()

In my route.py I then have this:

from datetime import datetime
from flask import flash, redirect, url_for
from flask_login import login_required, current_user
from app import db          # assumed module paths; adjust to your layout
from app.main import bp
from app.models import User

@bp.route('/confirm/<token>')
@login_required
def confirm_email(token):
    if current_user.is_confirmed:
        flash('Account already confirmed')
        return redirect(url_for('main.index'))
    user = User.verify_confirm_account_token(token)
    # HOW DO I CHECK TOKEN VALIDITY BEFORE SETTING CONFIRMED?
    if user:
        user.is_confirmed = True
        user.confirmed_on = datetime.now()
        db.session.add(user)
        db.session.commit()
        flash('You have confirmed your account')
    else:
        flash('The confirmation link is invalid or has expired')
    return redirect(url_for('main.index'))

The part I'm struggling with is how to check if the token the user entered is correct - i.e. what is stopping them from entering any old token - before I then mark them as confirmed?

CodePudding user response:

The jwt.decode() method will raise an ExpiredSignatureError if your token is expired.

This article explains it pretty well: https://auth0.com/blog/how-to-handle-jwt-in-python/
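As an added illustration (not code from the question, the answer, or PyJWT), here is a stdlib-only stand-in for what jwt.encode/jwt.decode do for HS256, making visible the three checks that stop "any old token": the HMAC signature (so nobody can forge or alter one without SECRET_KEY), the exp claim, and the presence of the expected confirm_account claim. SECRET_KEY, the exception classes and the `now` parameter are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real app reads current_app.config['SECRET_KEY'].
SECRET_KEY = b"demo-secret-not-for-production"

class TokenError(Exception): pass
class InvalidSignature(TokenError): pass   # forged, altered or malformed token
class ExpiredSignature(TokenError): pass   # what PyJWT reports as ExpiredSignatureError

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_hs256(claims: dict, key: bytes) -> str:
    """header.payload.signature, signed with HMAC-SHA256 over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the claims only if the signature verifies and the token is unexpired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidSignature("malformed token")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise InvalidSignature("unexpected alg")   # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise InvalidSignature("bad signature")    # checked before the payload is trusted
    claims = json.loads(_unb64url(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ExpiredSignature("token expired")
    return claims

def verify_confirm_account_token(token: str, key: bytes = SECRET_KEY, now=None):
    """Mirror of the model method: user id for a valid confirm_account token, else None."""
    try:
        return decode_hs256(token, key, now)["confirm_account"]
    except (TokenError, KeyError, ValueError):   # KeyError: a token minted for another purpose
        return None
```

In the route, a None result is exactly the "invalid or has expired" branch; a non-None id is the only way into the confirm branch.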
