check if blacklist is installed and warn user to delete client side if cookies and blacklist are not enabled

Marc LaBelle 2020-04-09 20:53:04 -04:00
parent b55fcc2361
commit d5d9c69aa3
2 changed files with 17 additions and 10 deletions


@ -1,5 +1,4 @@
import json import json
from unittest.mock import patch
from allauth.account import app_settings as account_app_settings from allauth.account import app_settings as account_app_settings
from django.conf import settings from django.conf import settings
@ -560,9 +559,8 @@ class APIBasicTests(TestsMixin, TestCase):
self.assertEquals(resp.status_code, 200) self.assertEquals(resp.status_code, 200)
@override_settings(REST_USE_JWT=True) @override_settings(REST_USE_JWT=True)
@patch('rest_framework_simplejwt.tokens.BlacklistMixin.blacklist') def test_blacklisting_not_installed(self):
def test_blacklisting_not_installed(self, mocked_blacklist): settings.INSTALLED_APPS.remove('rest_framework_simplejwt.token_blacklist')
mocked_blacklist.side_effect = AttributeError(f"'RefreshToken' object has no attribute 'blacklist'")
payload = { payload = {
"username": self.USERNAME, "username": self.USERNAME,
"password": self.PASS "password": self.PASS
@ -571,7 +569,10 @@ class APIBasicTests(TestsMixin, TestCase):
resp = self.post(self.login_url, data=payload, status_code=200) resp = self.post(self.login_url, data=payload, status_code=200)
token = resp.data['refresh_token'] token = resp.data['refresh_token']
resp = self.post(self.logout_url, status=200, data={'refresh': token}) resp = self.post(self.logout_url, status=200, data={'refresh': token})
self.assertEqual(resp.status_code, 501) self.assertEqual(resp.status_code, 200)
self.assertEqual(resp.data["detail"],
"Neither cookies or blacklist are enabled, so the token has not been deleted server side. "
"Please make sure the token is deleted client side.")
@override_settings(REST_USE_JWT=True) @override_settings(REST_USE_JWT=True)
def test_blacklisting(self): def test_blacklisting(self):

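Review bot: `settings.INSTALLED_APPS.remove('rest_framework_simplejwt.token_blacklist')` in the new body of test_blacklisting_not_installed mutates the process-wide settings object in place and never restores it, so every test that runs after this one sees the blacklist app missing (and the call raises ValueError if the app is not listed in the test settings at all). Django provides a scoped way to express this: stack `@modify_settings(INSTALLED_APPS={'remove': ['rest_framework_simplejwt.token_blacklist']})` under the existing `@override_settings(REST_USE_JWT=True)` and drop the in-method `remove` line, so the change is undone when the test exits. The old `@patch` import removal in the first hunk is consistent with that, since no mock is needed once the view checks INSTALLED_APPS directly.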

@ -134,19 +134,23 @@ class LogoutView(APIView):
request.user.auth_token.delete() request.user.auth_token.delete()
except (AttributeError, ObjectDoesNotExist): except (AttributeError, ObjectDoesNotExist):
pass pass
if getattr(settings, 'REST_SESSION_LOGIN', True): if getattr(settings, 'REST_SESSION_LOGIN', True):
django_logout(request) django_logout(request)
response = Response({"detail": _("Successfully logged out.")}, response = Response({"detail": _("Successfully logged out.")},
status=status.HTTP_200_OK) status=status.HTTP_200_OK)
if getattr(settings, 'REST_USE_JWT', False): if getattr(settings, 'REST_USE_JWT', False):
cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None) cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None)
if cookie_name: if cookie_name:
response.delete_cookie(cookie_name) response.delete_cookie(cookie_name)
else:
elif 'rest_framework_simplejwt.token_blacklist' in settings.INSTALLED_APPS:
# add refresh token to blacklist # add refresh token to blacklist
try: try:
token = RefreshToken(request.data['refresh']) token = RefreshToken(request.data['refresh'])
token.blacklist() token.blacklist()
except KeyError: except KeyError:
response = Response({"detail": _("Refresh token was not included in request data.")}, response = Response({"detail": _("Refresh token was not included in request data.")},
status=status.HTTP_401_UNAUTHORIZED) status=status.HTTP_401_UNAUTHORIZED)
@ -157,10 +161,6 @@ class LogoutView(APIView):
response = Response({"detail": _(error.args[0])}, response = Response({"detail": _(error.args[0])},
status=status.HTTP_404_NOT_FOUND) status=status.HTTP_404_NOT_FOUND)
# warn user blacklist is not enabled
elif "'RefreshToken' object has no attribute 'blacklist'" in error.args:
response = Response({"detail": _("Blacklist is not enabled in INSTALLED_APPS.")},
status=status.HTTP_501_NOT_IMPLEMENTED)
else: else:
response = Response({"detail": _("An error has occurred.")}, response = Response({"detail": _("An error has occurred.")},
status=status.HTTP_500_INTERNAL_SERVER_ERROR) status=status.HTTP_500_INTERNAL_SERVER_ERROR)
@ -169,6 +169,12 @@ class LogoutView(APIView):
response = Response({"detail": _("An error has occurred.")}, response = Response({"detail": _("An error has occurred.")},
status=status.HTTP_500_INTERNAL_SERVER_ERROR) status=status.HTTP_500_INTERNAL_SERVER_ERROR)
else:
response = Response({
"detail": _("Neither cookies or blacklist are enabled, so the token has not been deleted server "
"side. Please make sure the token is deleted client side."
)}, status=status.HTTP_200_OK)
return response return response
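Review bot: The new trailing `else` branch returns HTTP 200 while the refresh token presented by the client remains valid server-side, and the same is true of the cookie branch above it: because the blacklist check became an `elif` chained to `if cookie_name:`, a deployment that sets JWT_AUTH_COOKIE and also installs token_blacklist never blacklists the refresh token (this precedence is inherited from the old `else`, not introduced here, but the commit now makes the "not deleted server side" case explicit only for the third branch). If that is intended, LogoutView's docstring should state that with JWT enabled the token is only revoked when the blacklist app is installed and no auth cookie is configured, and that otherwise logout relies on the client discarding the token; if not, the blacklist step should run independently of `cookie_name`. Minor: the user-facing text reads better as "Neither cookies nor blacklist are enabled", which would also need the matching assertion in the test hunk updated. LogoutView.post starts before the first hunk, and the exact nesting of the new `else` cannot be confirmed from the rendered view.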