def test_refresh_token_after_changing_jwt_secret(self, client, user):
refresh_token = str(RefreshToken.for_user(user))
user.update(jwt_secret=uuid.uuid4())
response = client.post(TOKEN_REFRESH_URL, {
'refresh': refresh_token,
})
assert response.status_code == status.HTTP_200_OK
auth_backend = JWTAuthentication()
access = auth_backend.get_validated_token(response.data['access'])
with pytest.raises(AuthenticationFailed):
auth_backend.get_user(access)
def post(self, request):
"""
Save the landzones a user submits
:author Munir Safi
:since 2020-11-14
:param {request} the incoming rest_framework http request object
"""
if request.headers.get('Authorization', None) is not None:
header_token = request.headers['Authorization'].split(' ')[1]
jwt_object = JWTAuthentication()
valid_token = jwt_object.get_validated_token(header_token)
user_email = jwt_object.get_user(valid_token)
AuthUser = get_user_model()
user = AuthUser.objects.get(email=user_email)
for landzone in request.data['landzones']:
if landzone.get('geoJSON', None) is not None:
land_zone = LandZone(geo_json=landzone['geoJSON'],
owner=user)
land_zone.save()
else:
return Response(
{
'message':
'You must include a \'geoJSON\' property in your array of objects'
},
status=status.HTTP_400_BAD_REQUEST)
return Response(status=status.HTTP_200_OK)
else:
return Response(
{'message': 'You must be logged in to register a new zone!'},
status=status.HTTP_401_UNAUTHORIZED)
def post(self, request):
"""
Validates the current user, then updates their password using the new
given password
:author Munir Safi
:since 2020-11-14
:param {request} the incoming rest_framework http request object
"""
if request.headers.get('Authorization', None) is not None:
header_token = request.headers['Authorization'].split(' ')[1]
jwt_object = JWTAuthentication()
valid_token = jwt_object.get_validated_token(header_token)
user_email = jwt_object.get_user(valid_token)
AuthUser = get_user_model()
user = AuthUser.objects.get(email=user_email)
user.set_password(request.data['password'])
user.save()
refresh = RefreshToken.for_user(user)
return Response({
'refresh': str(refresh),
'access': str(refresh.access_token)
})
else:
return Response(
{
'message':
'Cannot change user password if no user is active'
},
status=status.HTTP_400_BAD_REQUEST)
def has_permission(self, request, view):
jwt_object = JWTAuthentication()
header = jwt_object.get_header(request)
raw_token = jwt_object.get_raw_token(header)
validated_token = jwt_object.get_validated_token(raw_token)
user = jwt_object.get_user(validated_token)
return user.is_staff
def validate(self, attrs):
refresh = RefreshToken(attrs['refresh'])
data = {'access': str(refresh.access_token)}
if settings.SIMPLE_JWT['ROTATE_REFRESH_TOKENS']:
if settings.SIMPLE_JWT['BLACKLIST_AFTER_ROTATION']:
try:
# Attempt to blacklist the given refresh token
refresh.blacklist()
except AttributeError:
# If blacklist app not installed, `blacklist` method will
# not be present
pass
refresh.set_jti()
refresh.set_exp()
data['refresh'] = str(refresh)
jwt_obj = JWTAuthentication()
user = jwt_obj.get_user(refresh.access_token)
user_serializer = UserSerializer(user)
data['user'] = user_serializer.data
data['token_expire_at'] = refresh.access_token.get('exp')
data['refresh_token_expire_at'] = refresh.get('exp')
return data
def delete(self, request):
"""
Deletes a list of given landzones
:author Munir Safi
:since 2020-11-19
:param {request} the incoming rest_framework http request object
"""
if request.headers.get('Authorization', None) is not None:
header_token = request.headers['Authorization'].split(' ')[1]
jwt_object = JWTAuthentication()
valid_token = jwt_object.get_validated_token(header_token)
user_email = jwt_object.get_user(valid_token)
AuthUser = get_user_model()
user = AuthUser.objects.get(email=user_email)
for landzone_uuid in request.data:
zone = LandZone.objects.get(uuid=landzone_uuid)
if zone.owner == user:
zone.delete()
else:
return Response(
{
'message':
'You are attempting to delete an area that you have no privelages for'
},
status=status.HTTP_401_UNAUTHORIZED)
return Response(status=status.HTTP_200_OK)
else:
return Response(
{'message': 'You must be logged in to delete a zone!'},
status=status.HTTP_401_UNAUTHORIZED)
def get(self, request):
header = JWTAuthentication().get_header(request)
raw_token = JWTAuthentication.get_raw_token(self, header)
validated_token = JWTAuthentication().get_validated_token(raw_token)
user = JWTAuthentication.get_user(self, validated_token)
# print(user.created_at)
return Response(
{
"email": user.email,
"name": user.name,
"username": user.username,
"is_superuser": user.is_superuser,
"is_staff": user.is_staff,
"is_verified": user.is_verified,
# "created_at": user.created_at,
# "updated_at": user.updated_at,
# 'tokens': user.tokens,
},
status=status.HTTP_200_OK)
def get_user_from_access_token_or_401(access_token):
jwt_authenticaton = JWTAuthentication()
validated_token = jwt_authenticaton.get_validated_token(access_token)
try:
return jwt_authenticaton.get_user(validated_token)
except AuthenticationFailed:
raise NotAuthenticated401
def validate(self, attrs):
data = super().validate(attrs)
jwt_object = JWTAuthentication()
validated_token = jwt_object.get_validated_token(attrs.get('token'))
user = jwt_object.get_user(validated_token)
user_serializer = UserSerializer(user)
data['user'] = user_serializer.data
return data
def get_user_for_token(token_key):
try:
jwt_object = JWTAuthentication()
validated_token = jwt_object.get_validated_token(token_key)
user = jwt_object.get_user(validated_token)
return user
except Token.DoesNotExist:
return AnonymousUser()
def authenticate_from_token(request):
jwt_object = JWTAuthentication()
header = jwt_object.get_header(request)
raw_token = jwt_object.get_raw_token(header)
validated_token = jwt_object.get_validated_token(raw_token)
user = jwt_object.get_user(validated_token)
request.data["user"] = user.id
return request
def process_view(self, request, view_func, view_args, view_kwargs):
jwt_object = JWTAuthentication()
header = jwt_object.get_header(request)
if header is not None:
raw_token = jwt_object.get_raw_token(header)
validated_token = jwt_object.get_validated_token(raw_token)
request.user = jwt_object.get_user(validated_token)
return None
return Response({'error': "Invalid Token"}, status=200)
def get_current_user(request):
jwt_obj = JWTAuthentication()
val_token = jwt_obj.get_validated_token(
request.META.get('HTTP_AUTHORIZATION').replace('JWT ', ''))
user = jwt_obj.get_user(val_token)
return JsonResponse({
"uid": user.id,
"username": user.username,
"is_staff": user.is_staff
})
def helper_jwt_get_user(self, request):
"""
www_authenticate_realm = 'api'
HelperJwtGetUser(self, request)
이런식으로 사용하여 토큰에서 user정보를 찾아내는 uitll입니다.
"""
JWToken_user = j.get_user(
self,
j.get_validated_token(self,
request.headers['Authorization'].split(' ')[1]))
return JWToken_user
def __call__(self, request):
try:
access_token = request.COOKIES["token-access"]
refresh_token = request.COOKIES["token-refresh"]
except:
print("cookies not set")
access_token = False
refresh_token = False
try:
permanent_token = request.COOKIES["token-permanent"]
except:
print("permanent cookie not set")
permanent_token = False
if permanent_token:
# token = Token.objects.get(key=permanent_token)
# user = User.objects.get(key=token.user_id)
request.META["HTTP_AUTHORIZATION"] = "Token " + permanent_token
response = self.get_response(request)
elif access_token and refresh_token:
jwt = JWTAuthentication()
try:
validated_token = jwt.get_validated_token(access_token)
user = jwt.get_user(validated_token)
except:
user = False
print("invalid credentials but i need this silent so the user can still log in")
if not "login/" in request.path :
if request.COOKIES.get("warning") == "false" or request.COOKIES.get("warning") == None:
response = JsonResponse({"detail" : "Your credentials are invalid, this authentication requires a login after 10 minutes of inactivity please log in again, if you dont you will continue as anonymous"}, status = 401)
response.set_cookie("warning", "true")
return response
if user:
request.META["HTTP_AUTHORIZATION"] = "Bearer " + access_token
response = self.get_response(request)
refresh = RefreshToken.for_user(user)
response.set_cookie("token-access", str(refresh.access_token))
response.set_cookie("token-refresh", str(refresh))
response.set_cookie("warning", "false")
else:
response = self.get_response(request)
else:
response = self.get_response(request)
return response
def test_refresh_token(self, client, user):
refresh_token = str(RefreshToken.for_user(user))
response = client.post(TOKEN_REFRESH_URL, {
'refresh': refresh_token,
})
assert response.status_code == status.HTTP_200_OK
assert 'access' in response.data
assert 'refresh' in response.data
auth_backend = JWTAuthentication()
access = auth_backend.get_validated_token(response.data['access'])
assert auth_backend.get_user(access) == user
def test_access_token(self, client, user):
response = client.post(LOGIN_URL, {
'email': user.email,
'password': DEFAULT_USER_PASSWORD,
})
assert response.status_code == status.HTTP_200_OK
assert 'access' in response.data
assert 'refresh' in response.data
auth_backend = JWTAuthentication()
access = auth_backend.get_validated_token(response.data['access'])
assert auth_backend.get_user(access) == user
async def authenticate(self, query):
query = (parse.parse_qs(query.decode('utf-8')))
auth_token = query.get('Authentication', '')[-1].split(' ')[-1]
authentication = JWTAuthentication()
try:
user = authentication.get_user(
authentication.get_validated_token(auth_token))
self.scope['user'] = user
except InvalidToken:
await self.accept()
await self.send(text_data=json.dumps({'message': 'bad_token'}))
await self.close()
return False
return True
def verify_user(request, userId):
# we extract the authorization token from the headers
raw_token = request.META['HTTP_AUTHORIZATION'].split()[1]
obj = JWTAuthentication()
validated_token = obj.get_validated_token(raw_token)
user = obj.get_user(validated_token)
try:
new_user = User.objects.get(id=userId)
if user == new_user:
return user
else:
return None
except User.DoesNotExist:
return None
def get_user_data(request):
if request.method == 'GET':
raw_token = request.META['HTTP_AUTHORIZATION'].split()[1]
obj = JWTAuthentication(
) # create a class instance first to call the non-static method
validated_token = obj.get_validated_token(raw_token)
user = obj.get_user(validated_token)
if user:
data = {}
user_data = UserSerializer(user).data
return Response({'user': user_data, 'msg': 'success'}, status=200)
else:
return Response({'msg': 'user not found'}, status=404)
def __call__(self, scope):
headers = dict(scope["headers"])
# Close old database connections to prevent usage of timed out connections
close_old_connections()
if b"authorization" in headers:
try:
key, value = headers[b"authorization"].decode().split()
if key == "Token":
jwt_auth = JWTAuthentication()
token = jwt_auth.self.get_validated_token(value)
user = jwt_auth.get_user(token)
scope["user"] = user
except (InvalidToken, AuthenticationFailed):
scope["user"] = AnonymousUser()
return self.inner(scope)
def get_user(scope):
close_old_connections()
query_string = parse_qs(scope['query_string'].decode())
token = query_string.get('token')
if not token:
return AnonymousUser()
try:
jwt_obj = JWTAuthentication()
access_token = AccessToken(token[0])
user = jwt_obj.get_user(access_token)
except ObjectDoesNotExist as e:
return AnonymousUser()
if not user.is_active:
return AnonymousUser()
return user
def get(self, request):
token = request.GET.get('token')
try:
jwt_object = JWTAuthentication()
# raw_token = jwt_object.get_raw_token(token)
validated_token = jwt_object.get_validated_token(token)
user = jwt_object.get_user(validated_token)
print("This is the username" + user.username)
if not user.is_verified:
user.is_verified = True
user.save()
return Response({'email': 'Successfully activated'}, status=status.HTTP_200_OK)
except jwt.ExpiredSignatureError as identifier:
return Response({'error': 'Activation Expired'}, status=status.HTTP_400_BAD_REQUEST)
except jwt.exceptions.DecodeError as identifier:
return Response({'error': 'Invalid token'}, status=status.HTTP_400_BAD_REQUEST)
def preview_private_picture(request, type, picture_id):
try:
token = request.GET.get('access_token')
jWTAuthentication = JWTAuthentication()
validated_token = jWTAuthentication.get_validated_token(
raw_token=token)
user = jWTAuthentication.get_user(validated_token=validated_token)
picture = Picture.objects.get(id=picture_id)
response = HttpResponse(content_type='image/jpg')
response[
'X-Sendfile'] = '/var/www/static.phographe.marc-antoinea.fr/{}/{}.jpg'.format(
type, picture_id)
return response
except:
return HttpResponseForbidden()
def chek_and_return(request):
jwt_object = JWTAuthentication()
header = jwt_object.get_header(request)
raw_token = jwt_object.get_raw_token(header)
validated_token = jwt_object.get_validated_token(raw_token)
user = jwt_object.get_user(validated_token)
user = User.objects.get(username=user).id
data = request.data
""" remember old state, set to mutable, сhange the values, set mutable flag back """
_mutable = data._mutable
data._mutable = True
data['user'] = str(user)
data._mutable = _mutable
# print(data)
return data
def __call__(self, scope):
cookies = [x[1] for x in scope['headers'] if 'cookie' in str(x[0])][0]
token = None
for x in str(cookies).split(';'):
if 'X-Authentication' in str(x):
token = re.sub('[\']', '', x.split('=')[1])
print(token)
assert (token, 'No token received!')
jwt_auth = JWTAuthentication()
validated_token = jwt_auth.get_validated_token(token)
user = jwt_auth.get_user(validated_token)
# user = GetTogetherUser.objects.get(pk=token.user.pk)
# Return the inner application directly and let it run everything else
return self.inner(dict(scope, user=user))
def put(self, request):
"""
Updates a list of given landzones
:author Munir Safi
:since 2020-11-19
:param {request} the incoming rest_framework http request object
"""
if request.headers.get('Authorization', None) is not None:
header_token = request.headers['Authorization'].split(' ')[1]
jwt_object = JWTAuthentication()
valid_token = jwt_object.get_validated_token(header_token)
user_email = jwt_object.get_user(valid_token)
AuthUser = get_user_model()
user = AuthUser.objects.get(email=user_email)
for landzone in request.data['landzones']:
if landzone.get('geoJSON', None) is not None:
zone = LandZone.objects.get(uuid=landzone.get('uuid'))
if zone.owner == user:
zone.geo_json = landzone.get('geoJSON')
zone.save()
else:
return Response(
{
'message':
'You are attempting to modify an area that you have no privelages for'
},
status=status.HTTP_401_UNAUTHORIZED)
else:
return Response(
{
'message':
'You must include a \'geoJSON\' property in your array of objects'
},
status=status.HTTP_400_BAD_REQUEST)
return Response(status=status.HTTP_200_OK)
else:
return Response(
{'message': 'You must be logged in to update a zone!'},
status=status.HTTP_401_UNAUTHORIZED)
def __call__(self, scope):
if scope['query_string']:
query_string = scope['query_string'].decode('utf-8')
if query_string.startswith('token='):
try:
print("token OK")
token = query_string.replace('token=', '')
print("token is %s" % token)
auth = JWTAuthentication()
validated_token = auth.get_validated_token(token)
scope['user'] = auth.get_user(validated_token)
print("user is %s" % scope['user'].username)
close_old_connections()
except InvalidToken:
scope['user'] = AnonymousUser()
print("token invalid")
else:
print("no QS")
return self.inner(scope)
def post(self, request):
"""
Validates the current user, then updates their profile using the new
values provided
:author Munir Safi
:since 2020-11-14
:param {request} the incoming rest_framework http request object
"""
if request.headers.get('Authorization', None) is not None:
header_token = request.headers['Authorization'].split(' ')[1]
jwt_object = JWTAuthentication()
valid_token = jwt_object.get_validated_token(header_token)
user_email = jwt_object.get_user(valid_token)
AuthUser = get_user_model()
user = AuthUser.objects.get(email=user_email)
editable_fields = user.get_editable_fields()
print(request.data)
for field, value in request.data.items():
if field in editable_fields:
setattr(user, field, value)
user.save()
refresh = AuthUserToken.for_user(user)
return Response({
'refresh': str(refresh),
'access': str(refresh.access_token)
})
else:
return Response(
{'message': 'Cannot update profile if no user is active'},
status=status.HTTP_400_BAD_REQUEST)
def chek_and_return(request):
jwt_object = JWTAuthentication()
header = jwt_object.get_header(request)
raw_token = jwt_object.get_raw_token(header)
validated_token = jwt_object.get_validated_token(raw_token)
user = jwt_object.get_user(validated_token)
user = User.objects.get(username=user).profile.id
data = request.data
# now = datetime.datetime.now().date
time_date = datetime.datetime.strptime(data['start_time'],
'%H:%M:%S').time()
print('time_date ***** ', time_date)
end_time = datetime.time(time_date.hour + 1, time_date.minute,
time_date.second)
chek_busy = busy_time(date=data['start_date'],
time=time_date,
master=data['master'],
end_t=end_time)
if chek_busy['busy_status'] == True:
return False
else:
end_time = datetime.time(time_date.hour + 1, time_date.minute,
time_date.second)
print(end_time)
""" remember old state, set to mutable, сhange the values, set mutable flag back """
_mutable = data._mutable
data._mutable = True
data['profile'] = str(user)
data['end_time'] = end_time
data._mutable = _mutable
print(data)
return data
