Create a JWT access token. SECURITY: always sets ``exp`` and ``iat`` claims. ``iat`` lets :func:`get_current_user` enforce both password-change-based revocation and the logout blocklist (see :func:`revoke_user_sessions_before`), neither of which can work on tokens missing an issuance timestamp.
(data: dict, expires_delta: timedelta | None = None)
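def create_access_token(data: dict, expires_delta: timedelta | None = None):
    """
    Create a JWT access token.

    SECURITY: always sets ``exp`` and ``iat`` claims. ``iat`` lets
    :func:`get_current_user` enforce both password-change-based revocation and
    the logout blocklist (see :func:`revoke_user_sessions_before`), neither of
    which can work on tokens missing an issuance timestamp.

    Any ``exp``/``iat`` keys already present in *data* are overwritten, so a
    caller cannot smuggle in a longer lifetime or a forged issuance time.

    :param data: claims to embed; the dict is copied, never mutated.
    :param expires_delta: token lifetime measured from now. ``None`` selects
        ``JWT_ACCESS_TOKEN_EXPIRES``; an explicit ``timedelta(0)`` is honoured
        (it yields an already-expired token) rather than silently falling back
        to the default.
    :return: the encoded token as returned by ``jwt.encode``.
    """
    to_encode = data.copy()
    now = datetime.now(timezone.utc)
    # Compare against None, not truthiness: timedelta(0) is falsy and would
    # otherwise be promoted to the default lifetime.
    if expires_delta is not None:
        expire = now + expires_delta
    else:
        # SECURITY: Always set expiration (8 hours default)
        expire = now + JWT_ACCESS_TOKEN_EXPIRES
    # Issuance time is a hard requirement for the revocation checks above.
    to_encode.update({"exp": expire, "iat": now})
    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)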
# Lifetime of a refresh token: 30 days (written as 4 weeks + 2 days).
JWT_REFRESH_TOKEN_EXPIRES = timedelta(weeks=4, days=2)