def get_user_by_context(context: WSGIRequest):
if not context.user.is_authenticated:
raise GraphQLError('User is anonymous')
token = context.headers['Authorization'].replace('Bearer ', '')
user = get_user_by_token(token, context)
return user
def authenticate(self, request=None, **credentials):
if request is None:
return None
token = get_jwt_cookie(request)
if token is not None:
user = get_user_by_token(token)
return user
return None
def resolve(self, next, root, info, **args):
headers = info.context.headers
if 'Authorization' in headers.keys() and len(headers['Authorization']):
token = headers['Authorization'].split(' ')[1]
user = get_user_by_token(token)
info.context.user = user
return next(root, info, **args)
def get_user(request: HttpRequest):
try:
return shortcuts.get_user_by_token(
request.headers.get("Authorization", "").replace("Bearer ", ""))
except Exception as e:
print(f"get user exc {e}")
t = request.headers.get("Authorization", "").replace("Bearer ", "")
print(f"jwt was: {t}")
return AnonymousUser()
def _get_user(self, token):
user = get_user_by_token(token)
if user is None:
raise exceptions.JSONWebTokenError(_("User does not exists"))
if not user.is_authenticated:
raise exceptions.JSONWebTokenError(
_("Invalid authentication credentials"))
return user
def authenticate(self, request=None, **kwargs):
if request is None or getattr(request, "_jwt_token_auth", False):
return None
token = get_credentials(request, **kwargs)
try: # +++
if token is not None:
return get_user_by_token(token, request)
except JSONWebTokenError: # +++
pass # +++
return None
def mutate(self, info, code):
errors = list()
user = None
try:
token = info.context.headers['AUTHORIZATION'].split(' ')[1]
user = get_user_by_token(token)
except (JSONWebTokenError, IndexError, KeyError):
errors.append("Auth token isn't valid.")
return VerifyUserMutation(errors=errors, user=None)
if user.last_verification_code == code:
user.is_verified = True
user.save()
else:
errors.append('Code is incorrect.')
return VerifyUserMutation(errors=errors, user=None)
return VerifyUserMutation(errors=errors, user=user)
def subscribe(root, info, token, discussion_id, **kwargs):
user = get_user_by_token(token)
if user is None:
raise PermissionError(
'You do not have the permission to perform this action')
try:
discussion = Discussion.objects.get(pk=discussion_id)
except Discussion.DoesNotExist:
return 'This discussion does not exist'
if discussion.sender != user and discussion.receiver != user:
raise PermissionError(
'You do not have the permission to perform this action')
group_name = f'discussion@{discussion.id}'
return [group_name]
def test_jwt_auth(self):
"""
Test that a JWT for the correct user can be created using an API Token
"""
response = self.client.execute(f"""
query {{
jwtToken(
token: "{self.token.token}"
) {{
jwtToken
refreshToken
}}
}}
""")
jwt_token = response.data['jwtToken']['jwtToken']
self.assertEqual(get_user_by_token(jwt_token), self.user,
"user not being correctly encoded into jwt")
def resolve_new_message(self, info, token, room_id, **kwargs):
user = shortcuts.get_user_by_token(token)
user_id = user.pk
room = Room.objects.get(pk=room_id)
room.members.get(pk=user.pk)
source = Subject()
def handler(event):
if event is not None:
source.on_next(event)
pubsub = redis_client.pubsub()
pubsub.subscribe(**{f'room-{room_id}': handler})
pubsub.run_in_thread(sleep_time=0.001)
return source.filter(lambda event: isinstance(event['data'], bytes))\
.map(lambda event: json.loads(event['data'].decode()))\
.filter(lambda event: event['type'] == 'NEW_MESSAGE')\
.map(lambda event: Message.objects.get(pk=event['pk']))\
.filter(lambda message: message.room.pk == room_id)
def receive_json(self, content):
if content['type'] == 'auth':
token = content['text']
user = get_user_by_token(token)
Client.objects.create(channel_name=self.channel_name, user=user)
def test_get_token(self):
token = shortcuts.get_token(self.user)
user = shortcuts.get_user_by_token(token)
self.assertEqual(user, self.user)
def __call__(self, request):
session_created = False
has_token = False
# add user
request.user = SimpleLazyObject(lambda: get_user(request))
token = get_credentials(request)
if token is not None and token != '' and token != 'None' and \
not token_is_expired(token):
user = get_user_by_token(token, request)
request.user = user
has_token = True
# add session
if not hasattr(request, 'session'):
session_engine = import_module(settings.SESSION_ENGINE)
session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
# if the session cannot be saved, start with an empty session
try:
request.session = session_engine.SessionStore(session_key)
request.session.save()
session_created = True
except UpdateError:
response = redirect(request.get_full_path())
response.delete_cookie(
settings.SESSION_COOKIE_NAME,
path=settings.SESSION_COOKIE_PATH,
domain=settings.SESSION_COOKIE_DOMAIN,
)
response.delete_cookie(jwt_settings.JWT_COOKIE_NAME)
patch_vary_headers(response, ('Cookie',))
return response
max_age = request.session.get_expiry_age()
expires_time = time.time() + max_age
anti_expires_time = cookie_date(time.time() - max_age)
cookie_expires = cookie_date(expires_time)
if request.session.get_expire_at_browser_close():
max_age = None
cookie_expires = None
if token and token_is_expired(token):
cookie_token = request.COOKIES.get(jwt_settings.JWT_COOKIE_NAME)
session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
if cookie_token and cookie_token != '""':
try:
user = get_user_from_session_key(session_key)
request.user = user
refresh_token_lazy(request.user)
token = get_token(request.user)
refresh_token_rotated.send(
sender=SRIJWTAuthMiddleware,
request=request,
refresh_token=self,
)
signals.token_issued.send(
sender=SRIJWTAuthMiddleware, request=request, user=request.user)
except ObjectDoesNotExist:
## fallback solution
response = redirect(request.get_full_path())
delete_jwt_cookie(request, response)
patch_vary_headers(response, ('Cookie',))
return response
# process response with inner middleware
response = self.get_response(request)
if request.user.is_authenticated and not has_token:
token = get_token(request.user)
signals.token_issued.send(
sender=SRIJWTAuthMiddleware, request=request, user=request.user)
# if token is expired, refresh it
if token_is_expired(token):
refresh_token_lazy(request.user)
token = get_token(request.user)
refresh_token_rotated.send(
sender=SRIJWTAuthMiddleware,
request=request,
refresh_token=self,
)
signals.token_issued.send(
sender=SRIJWTAuthMiddleware, request=request, user=request.user)
#expires = datetime.utcnow() + jwt_settings.JWT_EXPIRATION_DELTA
response.set_cookie(
jwt_settings.JWT_COOKIE_NAME,
token,
domain=settings.COOKIE_DOMAIN,
max_age=max_age,
expires=cookie_expires,
secure=settings.JWT_COOKIE_SECURE or None,
httponly=settings.JWT_COOKIE_HTTPONLY or None,
samesite='Lax',
)
patch_vary_headers(response, ('Cookie',))
accessed = request.session.accessed
modified = request.session.modified
empty = request.session.is_empty()
# we'll force the session cookie creation if:
# * we have a valid token but we didn't have a session for the user
# * the session was not created because the user is logged in
create_session_cookie = token and session_created \
or token and not request.user.is_authenticated
if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
response.delete_cookie(
settings.SESSION_COOKIE_NAME,
path=settings.SESSION_COOKIE_PATH,
domain=settings.SESSION_COOKIE_DOMAIN,
)
response.delete_cookie(jwt_settings.JWT_COOKIE_NAME)
patch_vary_headers(response, ('Cookie',))
else:
if accessed:
patch_vary_headers(response, ('Cookie',))
try:
SESSION_SAVE_EVERY_REQUEST = settings.SESSION_SAVE_EVERY_REQUEST
except AttributeError:
SESSION_SAVE_EVERY_REQUEST = None
if (modified or SESSION_SAVE_EVERY_REQUEST) and not empty or create_session_cookie:
# Save the session data and refresh the client cookie.
# Skip session save for 500 responses, refs #3881.
if response.status_code != 500:
try:
request.session.save()
except UpdateError:
raise SuspiciousOperation(
"The request's session was deleted before the "
"request completed. The user may have logged "
"out in a concurrent request, for example."
)
response.set_cookie(
settings.SESSION_COOKIE_NAME,
request.session.session_key, max_age=max_age,
expires=cookie_expires, domain=settings.SESSION_COOKIE_DOMAIN,
path=settings.SESSION_COOKIE_PATH,
secure=settings.SESSION_COOKIE_SECURE or None,
httponly=settings.SESSION_COOKIE_HTTPONLY or None,
samesite='Strict',
)
return response
def assert_token(self, token, user):
user = User.objects.get(username=user.username)
self.assertEqual(len(token), 157)
self.assertEqual(get_user_by_token(token), user)
