1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
|
from datetime import timedelta
from importlib import reload
from django.contrib.auth import get_user_model
from django.test import TestCase
from rest_framework.test import APIRequestFactory
from rest_framework_simplejwt import authentication
from rest_framework_simplejwt.exceptions import AuthenticationFailed, InvalidToken
from rest_framework_simplejwt.models import TokenUser
from rest_framework_simplejwt.settings import api_settings
from rest_framework_simplejwt.tokens import AccessToken, SlidingToken
from rest_framework_simplejwt.utils import get_md5_hash_password
from .utils import override_api_settings
User = get_user_model()
AuthToken = api_settings.AUTH_TOKEN_CLASSES[0]
class TestJWTAuthentication(TestCase):
def setUp(self):
self.factory = APIRequestFactory()
self.backend = authentication.JWTAuthentication()
self.fake_token = b"TokenMcTokenface"
self.fake_header = b"Bearer " + self.fake_token
def test_get_header(self):
# Should return None if no authorization header
request = self.factory.get("/test-url/")
self.assertIsNone(self.backend.get_header(request))
# Should pull correct header off request
request = self.factory.get("/test-url/", HTTP_AUTHORIZATION=self.fake_header)
self.assertEqual(self.backend.get_header(request), self.fake_header)
# Should work for unicode headers
request = self.factory.get(
"/test-url/", HTTP_AUTHORIZATION=self.fake_header.decode("utf-8")
)
self.assertEqual(self.backend.get_header(request), self.fake_header)
@override_api_settings(AUTH_HEADER_NAME="HTTP_X_ACCESS_TOKEN")
def test_get_header_x_access_token(self):
# Should pull correct header off request when using X_ACCESS_TOKEN
request = self.factory.get("/test-url/", HTTP_X_ACCESS_TOKEN=self.fake_header)
self.assertEqual(self.backend.get_header(request), self.fake_header)
# Should work for unicode headers when using
request = self.factory.get(
"/test-url/", HTTP_X_ACCESS_TOKEN=self.fake_header.decode("utf-8")
)
self.assertEqual(self.backend.get_header(request), self.fake_header)
def test_get_raw_token(self):
reload(authentication)
# Should return None if an empty AUTHORIZATION header is sent
self.assertIsNone(self.backend.get_raw_token(b""))
# Should raise error if header is malformed
with self.assertRaises(AuthenticationFailed):
self.backend.get_raw_token(b"Bearer one two")
with self.assertRaises(AuthenticationFailed):
self.backend.get_raw_token(b"Bearer")
# Otherwise, should return unvalidated token in header
self.assertEqual(self.backend.get_raw_token(self.fake_header), self.fake_token)
@override_api_settings(AUTH_HEADER_TYPES="JWT")
def test_get_raw_token_incorrect_header_keyword(self):
# Should return None if header lacks correct type keyword
# AUTH_HEADER_TYPES is "JWT", but header is "Bearer"
reload(authentication)
self.assertIsNone(self.backend.get_raw_token(self.fake_header))
@override_api_settings(AUTH_HEADER_TYPES=("JWT", "Bearer"))
def test_get_raw_token_multi_header_keyword(self):
# Should return token if header has one of many valid token types
reload(authentication)
self.assertEqual(
self.backend.get_raw_token(self.fake_header),
self.fake_token,
)
def test_get_validated_token(self):
# Should raise InvalidToken if token not valid
token = AuthToken()
token.set_exp(lifetime=-timedelta(days=1))
with self.assertRaises(InvalidToken):
self.backend.get_validated_token(str(token))
# Otherwise, should return validated token
token.set_exp()
self.assertEqual(
self.backend.get_validated_token(str(token)).payload, token.payload
)
@override_api_settings(
AUTH_TOKEN_CLASSES=("rest_framework_simplejwt.tokens.AccessToken",),
)
def test_get_validated_token_reject_unknown_token(self):
# Should not accept tokens not included in AUTH_TOKEN_CLASSES
sliding_token = SlidingToken()
with self.assertRaises(InvalidToken) as e:
self.backend.get_validated_token(str(sliding_token))
messages = e.exception.detail["messages"]
self.assertEqual(1, len(messages))
self.assertEqual(
{
"token_class": "AccessToken",
"token_type": "access",
"message": "Token has wrong type",
},
messages[0],
)
@override_api_settings(
AUTH_TOKEN_CLASSES=(
"rest_framework_simplejwt.tokens.AccessToken",
"rest_framework_simplejwt.tokens.SlidingToken",
),
)
def test_get_validated_token_accept_known_token(self):
# Should accept tokens included in AUTH_TOKEN_CLASSES
access_token = AccessToken()
sliding_token = SlidingToken()
self.backend.get_validated_token(str(access_token))
self.backend.get_validated_token(str(sliding_token))
def test_get_user(self):
payload = {"some_other_id": "foo"}
# Should raise error if no recognizable user identification
with self.assertRaises(InvalidToken):
self.backend.get_user(payload)
payload[api_settings.USER_ID_CLAIM] = 42
# Should raise exception if user not found
with self.assertRaises(AuthenticationFailed):
self.backend.get_user(payload)
u = User.objects.create_user(username="markhamill")
u.is_active = False
u.save()
payload[api_settings.USER_ID_CLAIM] = getattr(u, api_settings.USER_ID_FIELD)
# Should raise exception if user is inactive
with self.assertRaises(AuthenticationFailed):
self.backend.get_user(payload)
u.is_active = True
u.save()
# Otherwise, should return correct user
self.assertEqual(self.backend.get_user(payload).id, u.id)
@override_api_settings(
CHECK_USER_IS_ACTIVE=False,
)
def test_get_inactive_user(self):
payload = {"some_other_id": "foo"}
# Should raise error if no recognizable user identification
with self.assertRaises(InvalidToken):
self.backend.get_user(payload)
payload[api_settings.USER_ID_CLAIM] = 42
# Should raise exception if user not found
with self.assertRaises(AuthenticationFailed):
self.backend.get_user(payload)
u = User.objects.create_user(username="markhamill")
u.is_active = False
u.save()
payload[api_settings.USER_ID_CLAIM] = getattr(u, api_settings.USER_ID_FIELD)
# should return correct user
self.assertEqual(self.backend.get_user(payload).id, u.id)
@override_api_settings(
CHECK_REVOKE_TOKEN=True, REVOKE_TOKEN_CLAIM="revoke_token_claim"
)
def test_get_user_with_check_revoke_token(self):
payload = {"some_other_id": "foo"}
# Should raise error if no recognizable user identification
with self.assertRaises(InvalidToken):
self.backend.get_user(payload)
payload[api_settings.USER_ID_CLAIM] = 42
# Should raise exception if user not found
with self.assertRaises(AuthenticationFailed):
self.backend.get_user(payload)
u = User.objects.create_user(username="markhamill")
u.is_active = False
u.save()
payload[api_settings.USER_ID_CLAIM] = getattr(u, api_settings.USER_ID_FIELD)
# Should raise exception if user is inactive
with self.assertRaises(AuthenticationFailed):
self.backend.get_user(payload)
u.is_active = True
u.save()
# Should raise exception if hash password is different
with self.assertRaises(AuthenticationFailed):
self.backend.get_user(payload)
if api_settings.CHECK_REVOKE_TOKEN:
payload[api_settings.REVOKE_TOKEN_CLAIM] = get_md5_hash_password(u.password)
# Otherwise, should return correct user
self.assertEqual(self.backend.get_user(payload).id, u.id)
def test_get_user_with_str_user_id_claim(self):
"""
Verify that even though the user id is an int, it can be verified
and retrieved if the user id claim value is a string
"""
user = User.objects.create_user(username="testuser")
payload = {api_settings.USER_ID_CLAIM: str(user.id)}
auth_user = self.backend.get_user(payload)
self.assertEqual(auth_user.id, user.id)
class TestJWTStatelessUserAuthentication(TestCase):
def setUp(self):
self.backend = authentication.JWTStatelessUserAuthentication()
def test_get_user(self):
payload = {"some_other_id": "foo"}
# Should raise error if no recognizable user identification
with self.assertRaises(InvalidToken):
self.backend.get_user(payload)
payload[api_settings.USER_ID_CLAIM] = 42
# Otherwise, should return a token user object
user = self.backend.get_user(payload)
self.assertIsInstance(user, TokenUser)
self.assertEqual(user.id, 42)
def test_custom_tokenuser(self):
from django.utils.functional import cached_property
class BobSaget(TokenUser):
@cached_property
def username(self):
return "bsaget"
temp = api_settings.TOKEN_USER_CLASS
api_settings.TOKEN_USER_CLASS = BobSaget
# Should return a token user object
payload = {api_settings.USER_ID_CLAIM: 42}
user = self.backend.get_user(payload)
self.assertIsInstance(user, api_settings.TOKEN_USER_CLASS)
self.assertEqual(user.id, 42)
self.assertEqual(user.username, "bsaget")
# Restore default TokenUser for future tests
api_settings.TOKEN_USER_CLASS = temp
|
