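def dispatch(self, request, *args, **kwargs):
        """Verify and decode the request's JWT, storing its payload.

        The token is read from the request headers by
        ``jwt_token_from_headers`` and verified against
        ``settings.MEMBERSHIP_SECRET_KEY``.  On success the decoded claims
        are stored on ``self.payload`` and the request is handed to the
        parent ``dispatch``; otherwise a 401 JSON response is returned and
        the parent ``dispatch`` is never called.

        CSRF validation is meant to be disabled on these requests, since
        they will all be cross-origin and are authenticated entirely by
        the JWT.
        NOTE(review): nothing in this method disables CSRF itself;
        presumably a decorator outside this excerpt does -- confirm.
        """
        try:
            token = jwt_token_from_headers(request)
        except ValueError:
            # The helper raises ValueError when no usable token is present.
            return JsonResponse({'message': 'token missing'}, status=401)

        secret = settings.MEMBERSHIP_SECRET_KEY
        try:
            # Pin the accepted signature algorithm instead of trusting the
            # attacker-controlled "alg" header.  PyJWT 2.x rejects every
            # token when ``algorithms`` is omitted; PyJWT 1.x would accept
            # any algorithm it supports.
            # NOTE(review): HS256 is PyJWT's default for jwt.encode() and
            # matches a shared secret; change the list if the issuer signs
            # with a different algorithm.
            self.payload = jwt.decode(token, secret, algorithms=['HS256'])
        except (jwt.exceptions.InvalidTokenError, KeyError):
            # One generic message for every failure so the response does
            # not reveal which check the token failed.
            return JsonResponse({'message': 'invalid token'}, status=401)

        return super().dispatch(request, *args, **kwargs)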
Beispiel #2
 def test_raises_valueerror_on_missing_token(self):
     """A request with no Authorization header makes the helper raise ValueError."""
     bare_request = HttpRequest()
     # Precondition: a fresh HttpRequest carries no Authorization header.
     self.assertNotIn('HTTP_AUTHORIZATION', bare_request.META)
     self.assertRaises(ValueError, api.jwt_token_from_headers, bare_request)
Beispiel #3
 def test_auth_token_extracted(self):
     """The JWT that follows the ``Bearer: `` prefix is returned unchanged."""
     request_with_token = HttpRequest()
     # NOTE(review): RFC 6750 writes the scheme as ``Bearer <token>`` with
     # no colon; this test pins the colon form -- confirm clients send it.
     request_with_token.META['HTTP_AUTHORIZATION'] = f'Bearer: {TOKEN}'
     extracted = api.jwt_token_from_headers(request_with_token)
     self.assertEqual(extracted, TOKEN)
Beispiel #4
 def test_raises_valueerror_on_non_bearer_token(self):
     """An Authorization header holding only TOKEN makes the helper raise ValueError."""
     unprefixed_request = HttpRequest()
     # The header value is the raw token, with no scheme prefix in front.
     unprefixed_request.META['HTTP_AUTHORIZATION'] = TOKEN
     self.assertRaises(
         ValueError, api.jwt_token_from_headers, unprefixed_request
     )