From 3cc59578bd900e9d9793721e2916b5c8574bd86b Mon Sep 17 00:00:00 2001
From: David Cain
Date: Wed, 3 Feb 2016 09:58:29 -0500
Subject: [PATCH 1/2] Stop 500's on a non-JSON /auth request

When the request is not JSON (and the `force` flag is False), Flask's `get_json()` will return None: https://github.com/mitsuhiko/flask/blob/0.10.1/flask/wrappers.py#L127

If somebody POSTs to `/auth` with a non-JSON mimetype, the server will 500 with `'NoneType' object has no attribute 'get'`.

Additionally, the default second parameter to `get()` is already None - it can be safely omitted.

And more than one criterion are criteria. =)
---
 flask_jwt/__init__.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/flask_jwt/__init__.py b/flask_jwt/__init__.py
index f864b78..5cd448a 100644
--- a/flask_jwt/__init__.py
+++ b/flask_jwt/__init__.py
@@ -111,12 +111,12 @@ def _default_request_handler():
 
 
 def _default_auth_request_handler():
-    data = request.get_json()
-    username = data.get(current_app.config.get('JWT_AUTH_USERNAME_KEY'), None)
-    password = data.get(current_app.config.get('JWT_AUTH_PASSWORD_KEY'), None)
-    criterion = [username, password, len(data) == 2]
+    data = request.get_json() or {}
+    username = data.get(current_app.config.get('JWT_AUTH_USERNAME_KEY'))
+    password = data.get(current_app.config.get('JWT_AUTH_PASSWORD_KEY'))
+    criteria = [username, password, len(data) == 2]
 
-    if not all(criterion):
+    if not all(criteria):
         raise JWTError('Bad Request', 'Invalid credentials')
 
     identity = _jwt.authentication_callback(username, password)

From 147822d450e4c53cb3d7a374e13e932cb146f7b5 Mon Sep 17 00:00:00 2001
From: David Cain
Date: Wed, 3 Feb 2016 10:16:47 -0500
Subject: [PATCH 2/2] Stop 500's on non-object JSON

If the mimetype is indeed JSON, but strings or arrays are POSTed, an `AttributeError` will be thrown when trying to call `get()`.
---
 flask_jwt/__init__.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/flask_jwt/__init__.py b/flask_jwt/__init__.py
index 5cd448a..132a832 100644
--- a/flask_jwt/__init__.py
+++ b/flask_jwt/__init__.py
@@ -111,7 +111,10 @@ def _default_request_handler():
 
 
 def _default_auth_request_handler():
-    data = request.get_json() or {}
+    data = request.get_json()
+    if not isinstance(data, dict): # Strings/arrays, or non-JSON mimetype
+        raise JWTError('Bad Request', 'Credentials must be a JSON object')
+
     username = data.get(current_app.config.get('JWT_AUTH_USERNAME_KEY'))
     password = data.get(current_app.config.get('JWT_AUTH_PASSWORD_KEY'))
     criteria = [username, password, len(data) == 2]
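Review bot: The new `isinstance(data, dict)` guard validates the shape of the body but not the type of the two values pulled out of it, so `criteria` on the last line of the hunk still passes when the username or password is a non-empty array, object or number, and `_jwt.authentication_callback` (called below the hunk) receives a non-string credential. A callback that hashes or looks up the value is likely to raise a `TypeError` on such input, which brings back the 500 this series is removing, and rejecting it up front also keeps the type-confusion surface of the callback smaller. Folding the type check into the existing list keeps the validation in one place: `criteria = [isinstance(username, str) and username, isinstance(password, str) and password, len(data) == 2]`. The `if not all(criteria)` check and the callback invocation that consume this list are outside the hunk, as is the rest of `_default_auth_request_handler`.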