Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify Serializer Should Honour Blacklist #239

Merged
merged 7 commits into from
Jul 7, 2021
Merged

Verify Serializer Should Honour Blacklist #239

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
7d691c8
add blacklist check on verfify endpoint
Apr 16, 2020
c9c6c54
add review improvements
Jul 9, 2020
b26c799
fix tests
Jul 10, 2020
2af7747
Merge branch 'master' into blacklisted_token_should_not_verify
Andrew-Chen-Wang Nov 24, 2020
ad26e66
fix lint
Dec 11, 2020
7da1152
Merge branch 'master' into blacklisted_token_should_not_verify
Andrew-Chen-Wang Apr 6, 2021
a2d5ac6
Merge branch 'master' into blacklisted_token_should_not_verify
Andrew-Chen-Wang Jul 7, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 3 additions & 4 deletions rest_framework_simplejwt/serializers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
from django.conf import settings
from django.contrib.auth import authenticate
from django.utils.translation import gettext_lazy as _
from rest_framework import exceptions, serializers
Expand All @@ -9,7 +8,7 @@
from .state import User
from .tokens import RefreshToken, SlidingToken, UntypedToken

if 'rest_framework_simplejwt.token_blacklist' in settings.INSTALLED_APPS:
if api_settings.BLACKLIST_AFTER_ROTATION:
from .token_blacklist.models import BlacklistedToken

class PasswordField(serializers.CharField):
Expand Down Expand Up @@ -146,7 +145,7 @@ class TokenVerifySerializer(serializers.Serializer):
def validate(self, attrs):
UntypedToken(attrs['token'])

if 'rest_framework_simplejwt.token_blacklist' in settings.INSTALLED_APPS:
if api_settings.BLACKLIST_AFTER_ROTATION:
try:
token = RefreshToken(attrs['token'])
# not a refresh token
Expand All @@ -155,6 +154,6 @@ def validate(self, attrs):

jti = token.get(api_settings.JTI_CLAIM)
if BlacklistedToken.objects.filter(token__jti=jti).exists():
raise ValidationError(_('Token is blacklisted'))
return {}

return {}
31 changes: 25 additions & 6 deletions tests/test_token_blacklist.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -193,11 +193,30 @@ def test_jti_field_should_contain_uuid_hex_strings(self):
self.assertEqual(actual_hexes, self.expected_hexes)


class TokenVerifySerializerShouldHonourBlacklist(TestCase):
class TokenVerifySerializerShouldHonourBlacklist(MigrationTestCase):
migrate_from = ('token_blacklist', '0002_outstandingtoken_jti_hex')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is testing migration but the PR is not showing any migration changes, or it was already done but not tested?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea those migrations were already done and come from https://github.com/jazzband/django-rest-framework-simplejwt/tree/master/rest_framework_simplejwt/token_blacklist/migrations

migrate_to = ('token_blacklist', '0003_auto_20171017_2007')

def setUp(self):
self.user = User.objects.create(
username='test_user',
password='test_password',
)

super().setUp()

def test_token_verify_serializer_should_honour_blacklist_if_blacklisting_enabled(self):
with self.settings(REST_FRAMEWORK={'BLACKLIST_AFTER_ROTATION': True}):
TeresaSiegmantel marked this conversation as resolved.
Show resolved Hide resolved
refresh_token = RefreshToken.for_user(self.user)
refresh_token.blacklist()

serializer = TokenVerifySerializer(data={"token": str(refresh_token)})
self.assertFalse(serializer.is_valid())

def token_verify_serializer_shouldHonour_blacklist(self):
refresh_token = RefreshToken()
refresh_token.blacklist()
def test_token_verify_serializer_should_not_honour_blacklist_if_blacklisting_not_enabled(self):
with self.settings(REST_FRAMEWORK={'BLACKLIST_AFTER_ROTATION': False}):
TeresaSiegmantel marked this conversation as resolved.
Show resolved Hide resolved
refresh_token = RefreshToken.for_user(self.user)
refresh_token.blacklist()

serializer = TokenVerifySerializer({"token": refresh_token.payload})
self.assertFalse(serializer.is_valid())
serializer = TokenVerifySerializer(data={"token": str(refresh_token)})
self.assertTrue(serializer.is_valid())