From d5d9c69aa3aaea8c1a5d77d20439bb62f8420a03 Mon Sep 17 00:00:00 2001
From: Marc LaBelle
Date: Thu, 9 Apr 2020 20:53:04 -0400
Subject: [PATCH] check if blacklist is installed and warn user to delete client side if cookies and blacklist are not enabled

---
 dj_rest_auth/tests/test_api.py | 11 ++++++-----
 dj_rest_auth/views.py          | 16 +++++++++++-----
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/dj_rest_auth/tests/test_api.py b/dj_rest_auth/tests/test_api.py
index 0e5a3c6..4c4de9e 100644
--- a/dj_rest_auth/tests/test_api.py
+++ b/dj_rest_auth/tests/test_api.py
@@ -1,5 +1,4 @@
 import json
-from unittest.mock import patch
 
 from allauth.account import app_settings as account_app_settings
 from django.conf import settings
@@ -560,9 +559,8 @@ class APIBasicTests(TestsMixin, TestCase):
 self.assertEquals(resp.status_code, 200)
 
 @override_settings(REST_USE_JWT=True)
-@patch('rest_framework_simplejwt.tokens.BlacklistMixin.blacklist')
-def test_blacklisting_not_installed(self, mocked_blacklist):
-mocked_blacklist.side_effect = AttributeError(f"'RefreshToken' object has no attribute 'blacklist'")
+def test_blacklisting_not_installed(self):
+settings.INSTALLED_APPS.remove('rest_framework_simplejwt.token_blacklist')
 payload = {
 "username": self.USERNAME,
 "password": self.PASS
@@ -571,7 +569,10 @@ class APIBasicTests(TestsMixin, TestCase):
 resp = self.post(self.login_url, data=payload, status_code=200)
 token = resp.data['refresh_token']
 resp = self.post(self.logout_url, status=200, data={'refresh': token})
-self.assertEqual(resp.status_code, 501)
+self.assertEqual(resp.status_code, 200)
+self.assertEqual(resp.data["detail"],
+"Neither cookies or blacklist are enabled, so the token has not been deleted server side. "
+"Please make sure the token is deleted client side.")
 
 @override_settings(REST_USE_JWT=True)
 def test_blacklisting(self):
diff --git a/dj_rest_auth/views.py b/dj_rest_auth/views.py
index f3d6c72..325466e 100644
--- a/dj_rest_auth/views.py
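Review bot: `settings.INSTALLED_APPS.remove('rest_framework_simplejwt.token_blacklist')` on the new side of the test_blacklisting_not_installed hunk mutates the live settings list in place and never restores it, so the removal leaks into every test that runs later in the same process; `test_blacklisting`, whose header is in the next hunk, appears to depend on the app still being listed. Django's `modify_settings` decorator scopes the change to the method and undoes it on exit: stack `@modify_settings(INSTALLED_APPS={'remove': ['rest_framework_simplejwt.token_blacklist']})` under the existing `@override_settings(REST_USE_JWT=True)` and add `modify_settings` to the module's `django.test` import. Editing INSTALLED_APPS at runtime does not unload the app registry either way; it only drives the string membership check in views.py, which is presumably all this test intends to exercise. The test method's body continues outside the hunk.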
+++ b/dj_rest_auth/views.py
@@ -134,19 +134,23 @@ class LogoutView(APIView):
 request.user.auth_token.delete()
 except (AttributeError, ObjectDoesNotExist):
 pass
+
 if getattr(settings, 'REST_SESSION_LOGIN', True):
 django_logout(request)
 response = Response({"detail": _("Successfully logged out.")},
 status=status.HTTP_200_OK)
+
 if getattr(settings, 'REST_USE_JWT', False):
 cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None)
 if cookie_name:
 response.delete_cookie(cookie_name)
-else:
+
+elif 'rest_framework_simplejwt.token_blacklist' in settings.INSTALLED_APPS:
 # add refresh token to blacklist
 try:
 token = RefreshToken(request.data['refresh'])
 token.blacklist()
+
 except KeyError:
 response = Response({"detail": _("Refresh token was not included in request data.")},
 status=status.HTTP_401_UNAUTHORIZED)
@@ -157,10 +161,6 @@ class LogoutView(APIView):
 response = Response({"detail": _(error.args[0])},
 status=status.HTTP_404_NOT_FOUND)
 
-# warn user blacklist is not enabled
-elif "'RefreshToken' object has no attribute 'blacklist'" in error.args:
-response = Response({"detail": _("Blacklist is not enabled in INSTALLED_APPS.")},
-status=status.HTTP_501_NOT_IMPLEMENTED)
 else:
 response = Response({"detail": _("An error has occurred.")},
 status=status.HTTP_500_INTERNAL_SERVER_ERROR)
@@ -169,6 +169,12 @@ class LogoutView(APIView):
 response = Response({"detail": _("An error has occurred.")},
 status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
+else:
+response = Response({
+"detail": _("Neither cookies or blacklist are enabled, so the token has not been deleted server "
+"side. Please make sure the token is deleted client side."
+)}, status=status.HTTP_200_OK)
+
 return response
 
 
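Review bot: The membership test on the new `elif 'rest_framework_simplejwt.token_blacklist' in settings.INSTALLED_APPS:` line only recognises the app when it is listed by that exact dotted path; a project that lists it through its AppConfig class path instead falls through to the "not enabled" branch and returns 200 with the refresh token left valid even though blacklisting is actually available. The app registry answers the question for both spellings, so the line is better written as `elif apps.is_installed('rest_framework_simplejwt.token_blacklist'):` with `from django.apps import apps` added to the module imports. The enclosing method starts and ends outside the hunk.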
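Review bot: The new `else` branch in the last hunk reports the misconfiguration only to the client, inside a 200 response body, so an operator running `REST_USE_JWT` without either `JWT_AUTH_COOKIE` or the blacklist app gets no server-side signal that logout is revoking nothing. A `logger.warning(...)` on the same branch (using the module's logger, if views.py has one) or a Django system check evaluated at startup would surface the condition in logs and monitoring instead of leaving it to be noticed in API responses. The message text also reads better as `"Neither cookies nor blacklist are enabled, ..."`, but that string is asserted verbatim in the test_api.py hunk, so the two must change together. The enclosing method starts outside the hunk.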