def save(self, **kwargs):
try:
RefreshToken(self.token).blacklist()
except TokenError:
self.fail('bad_token')
def assert_authenticated(client):
assert REFRESH_TOKEN_SESSION_KEY in client.session
RefreshToken(client.session[REFRESH_TOKEN_SESSION_KEY])
result = client.post(reverse("authentication:token_refresh"),
content_type="application/json")
assert result.status_code == 200
assert "access" in result.json()
def logout(self, request):
try:
request.user.auth_token.delete()
except (AttributeError, ObjectDoesNotExist):
pass
if getattr(settings, 'REST_SESSION_LOGIN', True):
django_logout(request)
response = Response(
{'detail': _('Successfully logged out.')},
status=status.HTTP_200_OK,
)
if getattr(settings, 'REST_USE_JWT', False):
# NOTE: this import occurs here rather than at the top level
# because JWT support is optional, and if `REST_USE_JWT` isn't
# True we shouldn't need the dependency
from rest_framework_simplejwt.exceptions import TokenError
from rest_framework_simplejwt.tokens import RefreshToken
from .jwt_auth import unset_jwt_cookies
cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None)
unset_jwt_cookies(response)
if 'rest_framework_simplejwt.token_blacklist' in settings.INSTALLED_APPS:
# add refresh token to blacklist
try:
token = RefreshToken(request.data['refresh'])
token.blacklist()
except KeyError:
response.data = {
'detail':
_('Refresh token was not included in request data.')
}
response.status_code = status.HTTP_401_UNAUTHORIZED
except (TokenError, AttributeError, TypeError) as error:
if hasattr(error, 'args'):
if 'Token is blacklisted' in error.args or 'Token is invalid or expired' in error.args:
response.data = {'detail': _(error.args[0])}
response.status_code = status.HTTP_401_UNAUTHORIZED
else:
response.data = {
'detail': _('An error has occurred.')
}
response.status_code = status.HTTP_500_INTERNAL_SERVER_ERROR
else:
response.data = {'detail': _('An error has occurred.')}
response.status_code = status.HTTP_500_INTERNAL_SERVER_ERROR
elif not cookie_name:
message = _(
'Neither cookies or blacklist are enabled, so the token '
'has not been deleted server side. Please make sure the token is deleted client side.',
)
response.data = {'detail': message}
response.status_code = status.HTTP_200_OK
return response
def post(self, request):
try:
refresh_token = request.data.get("refresh_token", False)
if not refresh_token:
capture_message("No refresh token provided")
return Response(
{
"error": "Something went wrong. Please try again later or contact the support team."
},
status=status.HTTP_400_BAD_REQUEST,
)
user = User.objects.get(pk=request.user.id)
user.last_logout_time = timezone.now()
user.last_logout_ip = request.META.get("REMOTE_ADDR")
user.save()
token = RefreshToken(refresh_token)
token.blacklist()
return Response({"message": "success"}, status=status.HTTP_200_OK)
except Exception as e:
capture_exception(e)
return Response(
{
"error": "Something went wrong. Please try again later or contact the support team."
},
status=status.HTTP_400_BAD_REQUEST,
)
def validate(self, attrs):
refresh = RefreshToken(attrs['refresh_token'])
data = {'access_token': text_type(refresh.access_token)}
return data
def LogoutView(request):
"""Blacklist the refresh token: extract token from the header
during logout request user and refresh token is provided"""
Refresh_token = request.data["refresh"]
token = RefreshToken(Refresh_token)
token.blacklist()
return Response("Successful Logout", status=status.HTTP_200_OK)
def post(self, request):
try:
refresh_token = request.data['refresh-token']
token = RefreshToken(refresh_token)
token.blacklist()
except Exception as e:
return Response(status=status.HTTP_400_BAD_REQUEST)
def test_it_should_ignore_token_type(self):
token = RefreshToken()
token[api_settings.TOKEN_TYPE_CLAIM] = "fake_type"
res = self.view_post(data={"token": str(token)})
self.assertEqual(res.status_code, 200)
self.assertEqual(len(res.data), 0)
def validate(self, attrs):
data = super().validate(attrs)
# Generate the new access token
refresh_token = RefreshToken(attrs['refresh'])
access_token = refresh_token.access_token
user_id = access_token[api_settings.USER_ID_CLAIM]
user = get_user_model().objects.filter(pk=user_id).first()
if not user:
raise ValidationError({'user': '******'})
# Give the expiry time by base-role
token_lifetime = self.get_lifetime(user)
access_token.set_exp(from_time=refresh_token.current_time,
lifetime=token_lifetime)
access_token.payload['exp'] = datetime_to_epoch(
access_token.current_time + token_lifetime)
return {
**data, 'access': str(access_token),
'access_token_expiry': int(token_lifetime.total_seconds())
}
def test_it_should_blacklist_refresh_token_if_everything_ok(self):
self.assertEqual(OutstandingToken.objects.count(), 0)
self.assertEqual(BlacklistedToken.objects.count(), 0)
refresh = RefreshToken()
refresh["test_claim"] = "arst"
old_jti = refresh["jti"]
# Serializer validates
ser = TokenBlacklistSerializer(data={"refresh": str(refresh)})
now = aware_utcnow() - api_settings.ACCESS_TOKEN_LIFETIME / 2
with patch("rest_framework_simplejwt.tokens.aware_utcnow"
) as fake_aware_utcnow:
fake_aware_utcnow.return_value = now
self.assertTrue(ser.is_valid())
self.assertEqual(OutstandingToken.objects.count(), 1)
self.assertEqual(BlacklistedToken.objects.count(), 1)
# Assert old refresh token is blacklisted
self.assertEqual(BlacklistedToken.objects.first().token.jti, old_jti)
def test_it_should_not_raise_token_error_if_token_has_wrong_type(self):
token = RefreshToken()
token[api_settings.TOKEN_TYPE_CLAIM] = 'wrong_type'
s = TokenVerifySerializer(data={'token': str(token)})
self.assertTrue(s.is_valid())
def invalidate_all_tokens(user):
tokens = OutstandingToken.objects.filter(user=user)
for token in tokens:
try:
RefreshToken(token.token).blacklist()
except TokenError:
# If raised, don't interrupt the process
pass
def post(self, request):
try:
refresh_token = request.data["refresh_token"]
token = RefreshToken(refresh_token)
token.blacklist()
return Response({}, status=status.HTTP_200_OK)
except Exception as e:
return Response({}, status=status.HTTP_200_OK)
def post(self, request):
try:
refresh_token = request.data.get('refresh_token')
token_obj = RefreshToken(refresh_token)
token_obj.blacklist()
return Response(status=status.HTTP_200_OK)
except Exception as e:
return Response(status=status.HTTP_400_BAD_REQUEST)
def logout(self, request, pk=None) -> Response:
try:
refresh_token = request.data['refresh_token']
token = RefreshToken(refresh_token)
token.blacklist()
return Response(status=status.HTTP_205_RESET_CONTENT)
except Exception:
return Response(status=status.HTTP_400_BAD_REQUEST)
def post(self, request, *args, **kwargs):
try:
refresh_token = request.data['refresh_token']
token = RefreshToken(refresh_token)
token.blacklist()
return Response(status=status.HTTP_200_OK)
except KeyError:
return Response(status=status.HTTP_400_BAD_REQUEST)
def test_it_should_not_validate_if_token_has_wrong_type(self):
token = RefreshToken()
token[api_settings.TOKEN_TYPE_CLAIM] = 'wrong_type'
s = TokenRefreshSerializer(data={'refresh': str(token)})
self.assertFalse(s.is_valid())
self.assertIn('non_field_errors', s.errors)
self.assertIn("wrong type", s.errors['non_field_errors'][0])
def post(self, request):
try:
refresh_token = request.data["refresh"]
token = RefreshToken(refresh_token)
token.blacklist()
return Response(status=200)
except Exception as e:
return Response(status=400)
def test_it_should_blacklist_refresh_token_if_tokens_should_be_rotated_and_blacklisted(
self, ):
self.assertEqual(OutstandingToken.objects.count(), 0)
self.assertEqual(BlacklistedToken.objects.count(), 0)
refresh = RefreshToken()
refresh["test_claim"] = "arst"
old_jti = refresh["jti"]
old_exp = refresh["exp"]
# Serializer validates
ser = TokenRefreshSerializer(data={"refresh": str(refresh)})
now = aware_utcnow() - api_settings.ACCESS_TOKEN_LIFETIME / 2
with override_api_settings(ROTATE_REFRESH_TOKENS=True,
BLACKLIST_AFTER_ROTATION=True):
with patch("rest_framework_simplejwt.tokens.aware_utcnow"
) as fake_aware_utcnow:
fake_aware_utcnow.return_value = now
self.assertTrue(ser.is_valid())
access = AccessToken(ser.validated_data["access"])
new_refresh = RefreshToken(ser.validated_data["refresh"])
self.assertEqual(refresh["test_claim"], access["test_claim"])
self.assertEqual(refresh["test_claim"], new_refresh["test_claim"])
self.assertNotEqual(old_jti, new_refresh["jti"])
self.assertNotEqual(old_exp, new_refresh["exp"])
self.assertEqual(
access["exp"],
datetime_to_epoch(now + api_settings.ACCESS_TOKEN_LIFETIME))
self.assertEqual(
new_refresh["exp"],
datetime_to_epoch(now + api_settings.REFRESH_TOKEN_LIFETIME),
)
self.assertEqual(OutstandingToken.objects.count(), 1)
self.assertEqual(BlacklistedToken.objects.count(), 1)
# Assert old refresh token is blacklisted
self.assertEqual(BlacklistedToken.objects.first().token.jti, old_jti)
def save(self, **kwargs):
try:
token = self.token
return RefreshToken(token).blacklist()
except TokenError:
raise serializers.ValidationError(
{"message": "Invalid token sent"})
def post(self, request, format='json'):
try:
refresh_token = request.data["refresh_token"]
token = RefreshToken(refresh_token)
token.blacklist()
return Response(status=status.HTTP_205_RESET_CONTENT)
except Exception as e:
return Response(data={"error": str(e)}, status=status.HTTP_400_BAD_REQUEST)
def validate(self, data):
try:
token = RefreshToken(data['refresh_token'])
except TokenError:
raise ValidationError({'refresh_token': 'Invalid token'})
data['exp'] = token.payload['exp']
return data
def save(self, **kwargs):
try:
RefreshToken(self.token).blacklist()
except TokenError:
raise serializers.ValidationError({'status' : 'failed',
'token':'bad_token'})
def save(self, **kwargs):
try:
RefreshToken(self.token).blacklist()
except TokenError:
# self.fail()
print("error")
def test_logout_blacklists_user_tokens(self, client,
authenticate_and_test):
authenticate_and_test("authentication:register", USER_DATA)
user = User.objects.get(email=USER_DATA["email"])
user_token = str(RefreshToken.for_user(user))
client.get(reverse("logout"))
with pytest.raises(TokenError):
RefreshToken(user_token)
def validate(self, attrs):
try:
refresh = RefreshToken(attrs["refresh"])
self.access = str(refresh.access_token)
except TokenError:
raise serializers.ValidationError("Данные авторизации устарели.")
return attrs
def logout_and_blacklist_token(request):
try:
refresh_token = request.data['refresh_token']
token = RefreshToken(refresh_token)
token.blacklist()
return Response(status=status.HTTP_205_RESET_CONTENT)
except Exception as e:
return Response(status=status.HTTP_400_BAD_REQUEST)
def post(self, request, format=None):
try:
refresh = request.data['refresh_token']
refresh = RefreshToken(refresh)
refresh.blacklist()
return Response(status=status.HTTP_205_RESET_CONTENT)
except:
return Response(status=status.HTTP_400_BAD_REQUEST)
def post(self, request):
try:
refresh_token = request.data["refresh_token"]
token = RefreshToken(refresh_token)
token.blacklist()
return Response(status=status.HTTP_205_RESET_CONTENT)
except Exception as e:
return Response(status=status.HTTP_400_BAD_REQUEST)
def user_logout(request):
if "refresh" not in request.data:
return Response(status=HTTP_400_BAD_REQUEST)
refresh = RefreshToken(request.data["refresh"])
refresh.blacklist()
return Response(status=HTTP_204_NO_CONTENT)
