linotp.controllers.base module

The Controller’s Base class

class linotp.controllers.base.BaseController(name, install_name='', **kwargs)

Bases: Blueprint

BaseController class - will be called with every request


Call derived controller’s legacy __before__ method if it exists

This method is called before each request is processed.

default_url_prefix = ''

Suggested URL to access this controller.

The URL at which this controller will be available depends on a number of factors. These are, in order of priority:

  1. Any explicit path in the settings CONTROLLERS=ControllerName:PATH
  2. The controller’s base_url_prefix setting
  3. The name of the controller


Check whether the current request needs to be authenticated using JWT, and if so, whether it contains a valid JWT access token. The login name from the access token is stored in request_context['AuthUser'] by querying the JWT identity with get_jwt_identity, for the benefit of lib.user.getUserFromRequest().

jwt_exempt = False

Load the requesting user

The result is placed into request_context['RequestUser']

property request_params
class linotp.controllers.base.ControllerMetaClass(name, bases, dct)

Bases: type

This is used to determine the list of methods of a new controller that should be made available as API endpoints. Basically every method whose name does not start with an underscore has a Flask route to it added in the blueprint when a controller class is instantiated.

class linotp.controllers.base.JWTMixin

Bases: object

Provides login and logout methods that generate or dispose of JWT access tokens (and double-submit tokens for CSRF protection).

This is a mixin class so we can keep all the JWT stuff closely together instead of spreading it out across various controllers.


POST /base/login

manage authentication

Checks a user’s credentials and issues them a JWT access token if their credentials are valid. We’re using cookies to store the access token plus a double-submit token for CSRF protection, which makes it easy to refresh access tokens transparently if they are nearing expiry.

  • username – the name of the user

  • password – the password of the user


A JSON document is returned together with the JWT cookies.


Logs a user out by obliterating their JWT access token cookies. NOTE: We may wish to block further use of the access token in question in case the user has saved a copy somewhere. See the Flask-JWT-Extended docs for ideas about how to do this.


Decorator that sets the hyphenated_url attribute on a function. We could set the attribute directly after the function definition but this way it looks nicer, and the code in the other file doesn’t need to know about the attribute.


Decorator for methods that should be exempt from JWT validation.


Transparently refresh a JWT access token that is close to expiry. This is pretty much straight from the Flask-JWT-Extended docs, except we’re making the refresh period configurable.


Decorator to specify the allowable HTTP methods for a controller/blueprint method. It turns out that Flask.add_url_rule looks at a function object’s methods property when figuring out what HTTP methods should be allowed on a view, so that’s where we’re putting the methods list.
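The routing rule described for ControllerMetaClass and the methods-attribute convention above, as an added stdlib-only model (not LinOTP's own code) that reports which methods of a controller would become endpoints, with which HTTP verbs, and whether JWT validation applies. The names ExposureMeta, allow_methods, exempt_from_jwt, DemoController and endpoint_report are hypothetical, and the JWT-required default is modelled on the jwt_exempt = False attribute shown on this page.

```python
# Added illustration: all names below are hypothetical stand-ins,
# not LinOTP identifiers. No Flask import is needed to show the rule.

def allow_methods(methods):
    """Store the allowed HTTP verbs on the function's `methods` attribute."""
    def decorate(func):
        func.methods = list(methods)
        return func
    return decorate

def exempt_from_jwt(func):
    """Mark a single method as not requiring a JWT access token."""
    func.jwt_exempt = True
    return func

class ExposureMeta(type):
    """Record every callable whose name does not start with an underscore."""
    def __new__(mcs, name, bases, dct):
        cls = super().__new__(mcs, name, bases, dct)
        cls.exposed = sorted(
            key for key, value in dct.items()
            if callable(value) and not key.startswith("_")
        )
        return cls

class DemoController(metaclass=ExposureMeta):
    @allow_methods(["POST"])
    @exempt_from_jwt
    def login(self): ...

    @allow_methods(["POST"])
    def set_policy(self): ...

    def lookup_secret(self):  # helper that was NOT given a leading underscore
        ...

    def _audit(self):  # private helper, never routed
        ...

def endpoint_report(controller):
    """Return (name, allowed verbs, jwt_required) for each exposed method."""
    report = []
    for name in controller.exposed:
        func = getattr(controller, name)
        # Flask falls back to GET when a view has no `methods` attribute.
        verbs = getattr(func, "methods", ["GET"])
        report.append((name, verbs, not getattr(func, "jwt_exempt", False)))
    return report
```

Running endpoint_report(DemoController) shows lookup_secret exposed as a GET endpoint, which is the case to look for when reviewing a controller: internal helpers need a leading underscore to stay unrouted.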