Implement capability for dual (cookie and header) authentication

README.rst

@@ -237,6 +237,13 @@ The follow options applies to the cookie-based authentication policy:
 |                |                           |               | instance) before a cookie (and the token   |
 |                |                           |               | within it) is reissued                     |
 +----------------+---------------------------+---------------+--------------------------------------------+
+| accept_header  | jwt.cookie_accept_header  |  False        | If cookie authentication doesn't return    |
+|                |                           |               | any claims, try to decode JWT header too   |
++----------------+---------------------------+---------------+--------------------------------------------+
+| header_first   | jwt.cookie_prefer_header  |  False        | Try to decode JWT header BEFORE decoding   |
+|                |                           |               | the cookie value. Set accept_header=True   |
+|                |                           |               | for this to take effect                    |
++----------------+---------------------------+---------------+--------------------------------------------+
 
 Pyramid JWT example use cases
 =============================

src/pyramid_jwt/__init__.py

@@ -96,13 +96,19 @@ def set_jwt_cookie_authentication_policy(
     https_only=True,
     reissue_time=None,
     cookie_path=None,
+    accept_header=None,
+    header_first=None,
 ):
     settings = config.get_settings()
     cookie_name = cookie_name or settings.get("jwt.cookie_name")
     cookie_path = cookie_path or settings.get("jwt.cookie_path")
     reissue_time = reissue_time or settings.get("jwt.cookie_reissue_time")
     if https_only is None:
         https_only = settings.get("jwt.https_only_cookie", True)
+    if accept_header is None:
+        accept_header = settings.get("jwt.cookie_accept_header", False)
+    if header_first is None:
+        header_first = settings.get("jwt.cookie_prefer_header", False)
 
     auth_policy = create_jwt_authentication_policy(
         config,

src/pyramid_jwt/policy.py

@@ -6,6 +6,7 @@
 
 import jwt
 from pyramid.renderers import JSON
+from pyramid.settings import asbool
 from webob.cookies import CookieProfile
 from zope.interface import implementer
 from pyramid.authentication import CallbackAuthenticationPolicy
@@ -172,6 +173,8 @@ def __init__(
         https_only=True,
         reissue_time=None,
         cookie_path=None,
+        accept_header=False,
+        header_first=False,
     ):
         super(JWTCookieAuthenticationPolicy, self).__init__(
             private_key,
@@ -194,6 +197,8 @@ def __init__(
         if reissue_time and isinstance(reissue_time, datetime.timedelta):
             reissue_time = reissue_time.total_seconds()
         self.reissue_time = reissue_time
+        self.accept_header = asbool(accept_header)
+        self.header_first = asbool(header_first)
 
         self.cookie_profile = CookieProfile(
             cookie_name=self.cookie_name,
@@ -251,6 +256,13 @@ def forget(self, request):
         return self._get_cookies(request, None)
 
     def get_claims(self, request):
+        if self.accept_header:
+            if self.header_first:
+                return super().get_claims(request) or self.get_cookie_claims(request)
+            return self.get_cookie_claims(request) or super().get_claims(request)
+        return self.get_cookie_claims(request)
+
+    def get_cookie_claims(self, request):
         profile = self.cookie_profile.bind(request)
         cookie = profile.get_value()