From eb20f6e7d06b8de23c0a22d31e11bd60ace93c94 Mon Sep 17 00:00:00 2001
From: Matthias
Date: Thu, 31 Dec 2020 10:22:28 +0100
Subject: [PATCH] Align auth token to flask version to prevent user-logout

---
 freqtrade/rpc/api_server2/api_auth.py | 6 +++---
 freqtrade/rpc/rpc_manager.py | 2 --
 tests/rpc/test_rpc_apiserver.py | 6 +++---
 3 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/freqtrade/rpc/api_server2/api_auth.py b/freqtrade/rpc/api_server2/api_auth.py
index 6f5d051d3..a02accb18 100644
--- a/freqtrade/rpc/api_server2/api_auth.py
+++ b/freqtrade/rpc/api_server2/api_auth.py
@@ -34,7 +34,7 @@ def get_user_from_token(token, secret_key: str, token_type: str = "access"):
     )
     try:
         payload = jwt.decode(token, secret_key, algorithms=[ALGORITHM])
-        username: str = payload.get("sub")
+        username: str = payload.get("identity", {}).get('u')
         if username is None:
             raise credentials_exception
         if payload.get("type") != token_type:
@@ -81,7 +81,7 @@ def token_login(form_data: HTTPBasicCredentials = Depends(HTTPBasic()),
                 api_config=Depends(get_api_config)):
 
     if verify_auth(api_config, form_data.username, form_data.password):
-        token_data = {'sub': form_data.username}
+        token_data = {'identity': {'u': form_data.username}}
         access_token = create_token(token_data, api_config.get('jwt_secret_key', 'super-secret'))
         refresh_token = create_token(token_data, api_config.get('jwt_secret_key', 'super-secret'),
                                      token_type="refresh")
@@ -101,7 +101,7 @@ def token_refresh(token: str = Depends(oauth2_scheme), api_config=Depends(get_ap
     # Refresh token
     u = get_user_from_token(token, api_config.get(
         'jwt_secret_key', 'super-secret'), 'refresh')
-    token_data = {'sub': u}
+    token_data = {'identity': {'u': u}}
     access_token = create_token(token_data, api_config.get('jwt_secret_key', 'super-secret'),
                                 token_type="access")
     return {'access_token': access_token}
diff --git a/freqtrade/rpc/rpc_manager.py b/freqtrade/rpc/rpc_manager.py
index 2afd39eda..369dfa5c9 100644
--- a/freqtrade/rpc/rpc_manager.py
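Review bot: The new lookup `payload.get("identity", {}).get('u')` only behaves when `identity` is absent or a mapping; a correctly signed token whose `identity` claim is a string or list raises AttributeError inside the try, which surfaces as a 500 rather than the 401 that `credentials_exception` is meant to produce (a legacy `sub`-style token is fine, it yields None and is rejected below). Any issuer sharing the same secret, such as the flask-jwt-extended server this commit says it aligns with, can produce that shape, so I would narrow it to `identity = payload.get("identity")` followed by `username = identity.get('u') if isinstance(identity, dict) else None`. The `username: str` annotation is also wrong now that the value can be None until the check on the next line runs; `str | None` or no annotation reads more honestly. get_user_from_token starts and ends outside this hunk, so I could not see which exceptions the enclosing except clause catches.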
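Review bot: The claim shape `{'identity': {'u': <name>}}` is now spelled out by hand here, again in token_refresh in the next hunk, and read back in get_user_from_token, so the three sites can drift apart silently and a typo in any one of them turns into every login failing with 401. I would keep the shape in one place, e.g. `def _token_data(username: str) -> dict: return {'identity': {'u': username}}` next to create_token, and call it from both endpoints. Separately, and not introduced by this commit, the `'super-secret'` fallback on the context lines means a deployment that never sets `jwt_secret_key` mints access and refresh tokens that anyone with the source can forge; that deserves a follow-up that refuses to start or generates and persists a random key rather than a default. token_login continues outside the hunk.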
+++ b/freqtrade/rpc/rpc_manager.py
@@ -34,8 +34,6 @@ class RPCManager:
         # Enable local rest api server for cmd line control
         if config.get('api_server', {}).get('enabled', False):
             logger.info('Enabling rpc.api_server')
-            # from freqtrade.rpc.api_server import ApiServer
-            # TODO: Remove the above import
             from freqtrade.rpc.api_server2 import ApiServer
             self.registered_modules.append(ApiServer(self._rpc, config))
 
diff --git a/tests/rpc/test_rpc_apiserver.py b/tests/rpc/test_rpc_apiserver.py
index 95789a85f..470032357 100644
--- a/tests/rpc/test_rpc_apiserver.py
+++ b/tests/rpc/test_rpc_apiserver.py
@@ -91,9 +91,9 @@ def test_api_not_found(botclient):
 
 def test_api_auth():
     with pytest.raises(ValueError):
-        create_token({'sub': 'Freqtrade'}, 'secret1234', token_type="NotATokenType")
+        create_token({'identity': {'u': 'Freqtrade'}}, 'secret1234', token_type="NotATokenType")
 
-    token = create_token({'sub': 'Freqtrade'}, 'secret1234')
+    token = create_token({'identity': {'u': 'Freqtrade'}}, 'secret1234')
     assert isinstance(token, bytes)
 
     u = get_user_from_token(token, 'secret1234')
@@ -101,7 +101,7 @@ def test_api_auth():
     with pytest.raises(HTTPException):
         get_user_from_token(token, 'secret1234', token_type='refresh')
     # Create invalid token
-    token = create_token({'sub`': 'Freqtrade'}, 'secret1234')
+    token = create_token({'identity': {'u1': 'Freqrade'}}, 'secret1234')
     with pytest.raises(HTTPException):
         get_user_from_token(token, 'secret1234')
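Review bot: The "invalid token" case on the new line only covers a missing `u` key; it does not exercise the payload shapes a migration from the flask-jwt-extended tokens is most likely to produce, such as `identity` being a bare string or a legacy `{'sub': ...}` payload, both of which must also end in HTTPException. I would add `token = create_token({'identity': 'Freqtrade'}, 'secret1234')` followed by the same `with pytest.raises(HTTPException): get_user_from_token(token, 'secret1234')` pair; with get_user_from_token as written in this patch that call appears to raise AttributeError instead, unless the except clause outside the diff catches it, so the test would expose the gap rather than merely document it. `'Freqrade'` on the added line looks like a typo for `'Freqtrade'`; harmless because the token is expected to be rejected, but worth correcting while here. test_api_auth starts in the previous hunk.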