    def get_jwt_claim_attribute_map(self):
        """Return the JWT-claim -> user-model-attribute mapping from settings.

        The mapping is looked up through ``get_setting`` on every call using
        the ``JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING`` key; nothing is cached or
        validated here.

        Returns:
            dict: the configured claim-to-attribute mapping.
        """
        setting_key = 'JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING'
        return get_setting(setting_key)
    def authenticate(self, request):
        """Authenticate via the parent JWT authenticator, adding CSRF enforcement for JWT cookies.

        Delegates to ``JwtAuthentication.authenticate``.  When the
        ``ENABLE_ANONYMOUS_ACCESS_ROLLOUT`` setting is on, the parent
        authenticated the request, and the client sent ``USE_JWT_COOKIE_HEADER``,
        the request must additionally pass ``self.enforce_csrf`` before the
        authentication result is returned.

        Args:
            request: the DRF request being authenticated.

        Returns:
            The parent's result unchanged: a ``(user, auth)`` pair per the DRF
            authenticator contract, or a falsy value when no JWT authenticated
            the request.

        Raises:
            Whatever the parent or ``enforce_csrf`` raises; the exception is
            logged at debug level and re-raised as-is.
        """
        try:
            user_and_auth = super(JwtAuthentication,
                                  self).authenticate(request)

            is_anonymous_access_rollout_enabled = get_setting(
                ENABLE_ANONYMOUS_ACCESS_ROLLOUT)
            # Use Django Setting for rollout to coordinate with frontend-auth changes for
            # anonymous access being available across MFEs.
            # NOTE(review): while this flag is off, a JWT-cookie-authenticated
            # request is returned here without reaching enforce_csrf below.
            if not is_anonymous_access_rollout_enabled:
                return user_and_auth

            # Unauthenticated, CSRF validation not required
            if not user_and_auth:
                return user_and_auth

            # Not using JWT cookies, CSRF validation not required
            # The header is client-supplied; it only decides whether the extra
            # CSRF step runs.  Presumably the parent only sees a JWT cookie when
            # the same header caused the middleware to reconstitute it — confirm
            # against the middleware, since otherwise omitting the header would
            # skip this check for cookie-delivered tokens.
            use_jwt_cookie_requested = request.META.get(USE_JWT_COOKIE_HEADER)
            if not use_jwt_cookie_requested:
                return user_and_auth

            # A JWT carried in a cookie is attached by the browser automatically,
            # so cookie-based JWT auth needs the same CSRF protection as a session.
            self.enforce_csrf(request)

            # CSRF passed validation with authenticated user
            return user_and_auth

        except Exception as ex:
            # Errors in production do not need to be logged (as they may be noisy),
            # but debug logging can help quickly resolve issues during development.
            # Only the exception object is logged; the traceback is not recorded here.
            logger.debug(ex)
            raise
    def get_jwt_claim_mergeable_attributes(self):
        """Return the user-model attributes that may be merged from JWT claims.

        The list is read through ``get_setting`` each time, under the
        ``JWT_PAYLOAD_MERGEABLE_USER_ATTRIBUTES`` key; it is returned as
        configured, without copying or validation.

        Returns:
            list: attribute names that can be merged into from the JWT.
        """
        setting_key = 'JWT_PAYLOAD_MERGEABLE_USER_ATTRIBUTES'
        return get_setting(setting_key)
    def get_jwt_claim_attribute_map(self):
        """Return the JWT-claim -> user-model-attribute mapping from settings.

        Looked up through ``get_setting`` on every call using the
        ``JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING`` key; the value is returned as
        configured, with no caching or validation.

        Returns:
            dict: the configured claim-to-attribute mapping.
        """
        setting_key = 'JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING'
        return get_setting(setting_key)
    def test_get_setting(self):
        """ Verify get_setting reads each key's value out of the EDX_DRF_EXTENSIONS settings dict. """
        expected = {'some-setting': 'some-value', 'another-one': False}

        # Override the whole dict, then check every configured key round-trips,
        # including a falsy value so a "missing vs False" confusion would fail.
        with override_settings(EDX_DRF_EXTENSIONS=expected):
            for name in expected:
                self.assertEqual(get_setting(name), expected[name])
    def process_view(self, request, view_func, view_args, view_kwargs):  # pylint: disable=unused-argument
        """
        Reconstitute the full JWT and add a new cookie on the request object.

        The JWT arrives split across two cookies, named by
        ``jwt_cookie_header_payload_name()`` and ``jwt_cookie_signature_name()``.
        When the client sent ``USE_JWT_COOKIE_HEADER`` and both halves are
        present, they are joined with ``JWT_DELIMITER`` and stored under
        ``jwt_cookie_name()`` in ``request.COOKIES`` (presumably for the JWT
        authentication class to read).  If ``ENABLE_SET_REQUEST_USER_FOR_JWT_COOKIE``
        is also on, ``request.user`` is set to a lazy object resolved from the
        JWT.  Every outcome is reported via the ``request_jwt_cookie`` custom
        metric.

        Args:
            request: the incoming Django request; must already have ``session``.
            view_func: the resolved view; forwarded to ``_get_user_from_jwt``.
            view_args: unused; required by the middleware hook signature.
            view_kwargs: unused; required by the middleware hook signature.

        Returns:
            None, so request processing continues to the view.
        """
        # NOTE(review): ``assert`` is removed under ``python -O``; the session
        # requirement is then not checked at all.
        assert hasattr(
            request, 'session'
        ), "The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'."  # noqa E501 line too long

        # All three inputs below are client-controlled request data.
        use_jwt_cookie_requested = request.META.get(USE_JWT_COOKIE_HEADER)
        header_payload_cookie = request.COOKIES.get(
            jwt_cookie_header_payload_name())
        signature_cookie = request.COOKIES.get(jwt_cookie_signature_name())

        is_set_request_user_for_jwt_cookie_enabled = get_setting(
            ENABLE_SET_REQUEST_USER_FOR_JWT_COOKIE)
        if use_jwt_cookie_requested and is_set_request_user_for_jwt_cookie_enabled:
            # DRF does not set request.user until process_response. This makes it available in process_view.
            # For more info, see https://github.com/jpadilla/django-rest-framework-jwt/issues/45#issuecomment-74996698
            # The JWT is not decoded here: SimpleLazyObject defers the call to
            # _get_user_from_jwt until request.user is first accessed.
            request.user = SimpleLazyObject(
                lambda: _get_user_from_jwt(request, view_func))

        if not use_jwt_cookie_requested:
            metric_value = 'not-requested'
        elif header_payload_cookie and signature_cookie:
            # Reconstitute JWT auth cookie if split cookies are available and jwt cookie
            # authentication was requested by the client.
            # This writes into the parsed cookie dict only, and overwrites any
            # cookie the client itself sent under jwt_cookie_name().
            request.COOKIES[jwt_cookie_name()] = '{}{}{}'.format(
                header_payload_cookie,
                JWT_DELIMITER,
                signature_cookie,
            )
            metric_value = 'success'
        elif header_payload_cookie or signature_cookie:
            # Log unexpected case of only finding one cookie.
            # Exactly one cookie is present in this branch (the both-present case
            # was handled above), so exactly one of the two ifs below binds
            # log_message and metric_value.
            if not header_payload_cookie:
                log_message, metric_value = self._get_missing_cookie_message_and_metric(
                    jwt_cookie_header_payload_name())
            if not signature_cookie:
                log_message, metric_value = self._get_missing_cookie_message_and_metric(
                    jwt_cookie_signature_name())
            log.warning(log_message)
        else:
            metric_value = 'missing-both'
            log.warning(
                'Both JWT auth cookies missing. JWT auth cookies will not be reconstituted.'
            )

        # Reached on every path; metric_value is bound by each branch above.
        monitoring.set_custom_metric('request_jwt_cookie', metric_value)
 def get_user_info_url(self):
     """Return the OAuth2 provider's user-info endpoint URL.

     The value comes from the ``OAUTH2_USER_INFO_URL`` setting via
     ``get_setting`` on each call; it is the provider-hosted URL from which
     user information is pulled.
     """
     setting_key = 'OAUTH2_USER_INFO_URL'
     return get_setting(setting_key)