def save(self, **kwargs): try: RefreshToken(self.token).blacklist() except TokenError: self.fail('bad_token')
def assert_authenticated(client): assert REFRESH_TOKEN_SESSION_KEY in client.session RefreshToken(client.session[REFRESH_TOKEN_SESSION_KEY]) result = client.post(reverse("authentication:token_refresh"), content_type="application/json") assert result.status_code == 200 assert "access" in result.json()
def logout(self, request): try: request.user.auth_token.delete() except (AttributeError, ObjectDoesNotExist): pass if getattr(settings, 'REST_SESSION_LOGIN', True): django_logout(request) response = Response( {'detail': _('Successfully logged out.')}, status=status.HTTP_200_OK, ) if getattr(settings, 'REST_USE_JWT', False): # NOTE: this import occurs here rather than at the top level # because JWT support is optional, and if `REST_USE_JWT` isn't # True we shouldn't need the dependency from rest_framework_simplejwt.exceptions import TokenError from rest_framework_simplejwt.tokens import RefreshToken from .jwt_auth import unset_jwt_cookies cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None) unset_jwt_cookies(response) if 'rest_framework_simplejwt.token_blacklist' in settings.INSTALLED_APPS: # add refresh token to blacklist try: token = RefreshToken(request.data['refresh']) token.blacklist() except KeyError: response.data = { 'detail': _('Refresh token was not included in request data.') } response.status_code = status.HTTP_401_UNAUTHORIZED except (TokenError, AttributeError, TypeError) as error: if hasattr(error, 'args'): if 'Token is blacklisted' in error.args or 'Token is invalid or expired' in error.args: response.data = {'detail': _(error.args[0])} response.status_code = status.HTTP_401_UNAUTHORIZED else: response.data = { 'detail': _('An error has occurred.') } response.status_code = status.HTTP_500_INTERNAL_SERVER_ERROR else: response.data = {'detail': _('An error has occurred.')} response.status_code = status.HTTP_500_INTERNAL_SERVER_ERROR elif not cookie_name: message = _( 'Neither cookies or blacklist are enabled, so the token ' 'has not been deleted server side. Please make sure the token is deleted client side.', ) response.data = {'detail': message} response.status_code = status.HTTP_200_OK return response
def post(self, request): try: refresh_token = request.data.get("refresh_token", False) if not refresh_token: capture_message("No refresh token provided") return Response( { "error": "Something went wrong. Please try again later or contact the support team." }, status=status.HTTP_400_BAD_REQUEST, ) user = User.objects.get(pk=request.user.id) user.last_logout_time = timezone.now() user.last_logout_ip = request.META.get("REMOTE_ADDR") user.save() token = RefreshToken(refresh_token) token.blacklist() return Response({"message": "success"}, status=status.HTTP_200_OK) except Exception as e: capture_exception(e) return Response( { "error": "Something went wrong. Please try again later or contact the support team." }, status=status.HTTP_400_BAD_REQUEST, )
def validate(self, attrs): refresh = RefreshToken(attrs['refresh_token']) data = {'access_token': text_type(refresh.access_token)} return data
def LogoutView(request): """Blacklist the refresh token: extract token from the header during logout request user and refresh token is provided""" Refresh_token = request.data["refresh"] token = RefreshToken(Refresh_token) token.blacklist() return Response("Successful Logout", status=status.HTTP_200_OK)
def post(self, request): try: refresh_token = request.data['refresh-token'] token = RefreshToken(refresh_token) token.blacklist() except Exception as e: return Response(status=status.HTTP_400_BAD_REQUEST)
def test_it_should_ignore_token_type(self): token = RefreshToken() token[api_settings.TOKEN_TYPE_CLAIM] = "fake_type" res = self.view_post(data={"token": str(token)}) self.assertEqual(res.status_code, 200) self.assertEqual(len(res.data), 0)
def validate(self, attrs): data = super().validate(attrs) # Generate the new access token refresh_token = RefreshToken(attrs['refresh']) access_token = refresh_token.access_token user_id = access_token[api_settings.USER_ID_CLAIM] user = get_user_model().objects.filter(pk=user_id).first() if not user: raise ValidationError({'user': '******'}) # Give the expiry time by base-role token_lifetime = self.get_lifetime(user) access_token.set_exp(from_time=refresh_token.current_time, lifetime=token_lifetime) access_token.payload['exp'] = datetime_to_epoch( access_token.current_time + token_lifetime) return { **data, 'access': str(access_token), 'access_token_expiry': int(token_lifetime.total_seconds()) }
def test_it_should_blacklist_refresh_token_if_everything_ok(self): self.assertEqual(OutstandingToken.objects.count(), 0) self.assertEqual(BlacklistedToken.objects.count(), 0) refresh = RefreshToken() refresh["test_claim"] = "arst" old_jti = refresh["jti"] # Serializer validates ser = TokenBlacklistSerializer(data={"refresh": str(refresh)}) now = aware_utcnow() - api_settings.ACCESS_TOKEN_LIFETIME / 2 with patch("rest_framework_simplejwt.tokens.aware_utcnow" ) as fake_aware_utcnow: fake_aware_utcnow.return_value = now self.assertTrue(ser.is_valid()) self.assertEqual(OutstandingToken.objects.count(), 1) self.assertEqual(BlacklistedToken.objects.count(), 1) # Assert old refresh token is blacklisted self.assertEqual(BlacklistedToken.objects.first().token.jti, old_jti)
def test_it_should_not_raise_token_error_if_token_has_wrong_type(self): token = RefreshToken() token[api_settings.TOKEN_TYPE_CLAIM] = 'wrong_type' s = TokenVerifySerializer(data={'token': str(token)}) self.assertTrue(s.is_valid())
def invalidate_all_tokens(user): tokens = OutstandingToken.objects.filter(user=user) for token in tokens: try: RefreshToken(token.token).blacklist() except TokenError: # If raised, don't interrupt the process pass
def post(self, request): try: refresh_token = request.data["refresh_token"] token = RefreshToken(refresh_token) token.blacklist() return Response({}, status=status.HTTP_200_OK) except Exception as e: return Response({}, status=status.HTTP_200_OK)
def post(self, request): try: refresh_token = request.data.get('refresh_token') token_obj = RefreshToken(refresh_token) token_obj.blacklist() return Response(status=status.HTTP_200_OK) except Exception as e: return Response(status=status.HTTP_400_BAD_REQUEST)
def logout(self, request, pk=None) -> Response: try: refresh_token = request.data['refresh_token'] token = RefreshToken(refresh_token) token.blacklist() return Response(status=status.HTTP_205_RESET_CONTENT) except Exception: return Response(status=status.HTTP_400_BAD_REQUEST)
def post(self, request, *args, **kwargs): try: refresh_token = request.data['refresh_token'] token = RefreshToken(refresh_token) token.blacklist() return Response(status=status.HTTP_200_OK) except KeyError: return Response(status=status.HTTP_400_BAD_REQUEST)
def test_it_should_not_validate_if_token_has_wrong_type(self): token = RefreshToken() token[api_settings.TOKEN_TYPE_CLAIM] = 'wrong_type' s = TokenRefreshSerializer(data={'refresh': str(token)}) self.assertFalse(s.is_valid()) self.assertIn('non_field_errors', s.errors) self.assertIn("wrong type", s.errors['non_field_errors'][0])
def post(self, request): try: refresh_token = request.data["refresh"] token = RefreshToken(refresh_token) token.blacklist() return Response(status=200) except Exception as e: return Response(status=400)
def test_it_should_blacklist_refresh_token_if_tokens_should_be_rotated_and_blacklisted( self, ): self.assertEqual(OutstandingToken.objects.count(), 0) self.assertEqual(BlacklistedToken.objects.count(), 0) refresh = RefreshToken() refresh["test_claim"] = "arst" old_jti = refresh["jti"] old_exp = refresh["exp"] # Serializer validates ser = TokenRefreshSerializer(data={"refresh": str(refresh)}) now = aware_utcnow() - api_settings.ACCESS_TOKEN_LIFETIME / 2 with override_api_settings(ROTATE_REFRESH_TOKENS=True, BLACKLIST_AFTER_ROTATION=True): with patch("rest_framework_simplejwt.tokens.aware_utcnow" ) as fake_aware_utcnow: fake_aware_utcnow.return_value = now self.assertTrue(ser.is_valid()) access = AccessToken(ser.validated_data["access"]) new_refresh = RefreshToken(ser.validated_data["refresh"]) self.assertEqual(refresh["test_claim"], access["test_claim"]) self.assertEqual(refresh["test_claim"], new_refresh["test_claim"]) self.assertNotEqual(old_jti, new_refresh["jti"]) self.assertNotEqual(old_exp, new_refresh["exp"]) self.assertEqual( access["exp"], datetime_to_epoch(now + api_settings.ACCESS_TOKEN_LIFETIME)) self.assertEqual( new_refresh["exp"], datetime_to_epoch(now + api_settings.REFRESH_TOKEN_LIFETIME), ) self.assertEqual(OutstandingToken.objects.count(), 1) self.assertEqual(BlacklistedToken.objects.count(), 1) # Assert old refresh token is blacklisted self.assertEqual(BlacklistedToken.objects.first().token.jti, old_jti)
def save(self, **kwargs): try: token = self.token return RefreshToken(token).blacklist() except TokenError: raise serializers.ValidationError( {"message": "Invalid token sent"})
def post(self, request, format='json'): try: refresh_token = request.data["refresh_token"] token = RefreshToken(refresh_token) token.blacklist() return Response(status=status.HTTP_205_RESET_CONTENT) except Exception as e: return Response(data={"error": str(e)}, status=status.HTTP_400_BAD_REQUEST)
def validate(self, data): try: token = RefreshToken(data['refresh_token']) except TokenError: raise ValidationError({'refresh_token': 'Invalid token'}) data['exp'] = token.payload['exp'] return data
def save(self, **kwargs): try: RefreshToken(self.token).blacklist() except TokenError: raise serializers.ValidationError({'status' : 'failed', 'token':'bad_token'})
def save(self, **kwargs): try: RefreshToken(self.token).blacklist() except TokenError: # self.fail() print("error")
def test_logout_blacklists_user_tokens(self, client, authenticate_and_test): authenticate_and_test("authentication:register", USER_DATA) user = User.objects.get(email=USER_DATA["email"]) user_token = str(RefreshToken.for_user(user)) client.get(reverse("logout")) with pytest.raises(TokenError): RefreshToken(user_token)
def validate(self, attrs): try: refresh = RefreshToken(attrs["refresh"]) self.access = str(refresh.access_token) except TokenError: raise serializers.ValidationError("Данные авторизации устарели.") return attrs
def logout_and_blacklist_token(request): try: refresh_token = request.data['refresh_token'] token = RefreshToken(refresh_token) token.blacklist() return Response(status=status.HTTP_205_RESET_CONTENT) except Exception as e: return Response(status=status.HTTP_400_BAD_REQUEST)
def post(self, request, format=None): try: refresh = request.data['refresh_token'] refresh = RefreshToken(refresh) refresh.blacklist() return Response(status=status.HTTP_205_RESET_CONTENT) except: return Response(status=status.HTTP_400_BAD_REQUEST)
def post(self, request): try: refresh_token = request.data["refresh_token"] token = RefreshToken(refresh_token) token.blacklist() return Response(status=status.HTTP_205_RESET_CONTENT) except Exception as e: return Response(status=status.HTTP_400_BAD_REQUEST)
def user_logout(request): if "refresh" not in request.data: return Response(status=HTTP_400_BAD_REQUEST) refresh = RefreshToken(request.data["refresh"]) refresh.blacklist() return Response(status=HTTP_204_NO_CONTENT)