def test_post_form_failing_jwt_auth_changed_user_secret_key(self):
"""
Ensure changin secret key on USER level makes tokens invalid
"""
# fine tune settings
api_settings.JWT_GET_USER_SECRET_KEY = get_jwt_secret
tmp_user = CustomUser.objects.create(email='*****@*****.**')
payload = utils.jwt_payload_handler(tmp_user)
token = utils.jwt_encode_handler(payload)
auth = 'JWT {0}'.format(token)
response = self.csrf_client.post('/jwt/', {'example': 'example'},
HTTP_AUTHORIZATION=auth,
format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK)
# change token, verify
tmp_user.jwt_secret = uuid.uuid4()
tmp_user.save()
response = self.csrf_client.post('/jwt/', {'example': 'example'},
HTTP_AUTHORIZATION=auth)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
# revert api settings
api_settings.JWT_GET_USER_SECRET_KEY = DEFAULTS[
'JWT_GET_USER_SECRET_KEY']
def test_jwt_encode(self):
payload = utils.jwt_payload_handler(self.user)
token = utils.jwt_encode_handler(payload)
payload_data = base64url_decode(token.split('.')[1].encode('utf-8'))
payload_from_token = json.loads(payload_data.decode('utf-8'))
self.assertEqual(payload_from_token, payload)
def test_jwt_decode_verify_exp(self):
api_settings.JWT_VERIFY_EXPIRATION = False
payload = utils.jwt_payload_handler(self.user)
payload['exp'] = 1
token = utils.jwt_encode_handler(payload)
utils.jwt_decode_handler(token)
api_settings.JWT_VERIFY_EXPIRATION = True
def create_token(self, user, exp=None, orig_iat=None):
payload = utils.jwt_payload_handler(user)
if exp:
payload['exp'] = exp
if orig_iat:
payload['orig_iat'] = timegm(orig_iat.utctimetuple())
token = utils.jwt_encode_handler(payload)
return token
def test_post_json_passing_jwt_auth(self):
"""
Ensure POSTing JSON over JWT auth with correct credentials
passes and does not require CSRF
"""
payload = utils.jwt_payload_handler(self.user)
token = utils.jwt_encode_handler(payload)
auth = 'JWT {0}'.format(token)
response = self.csrf_client.post('/jwt/', {'example': 'example'},
HTTP_AUTHORIZATION=auth,
format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_post_form_passing_jwt_invalid_payload(self):
"""
Ensure POSTing json over JWT auth with invalid payload fails
"""
payload = dict(email=None)
token = utils.jwt_encode_handler(payload)
auth = 'JWT {0}'.format(token)
response = self.csrf_client.post('/jwt/', {'example': 'example'},
HTTP_AUTHORIZATION=auth)
msg = 'Invalid payload.'
self.assertEqual(response.data['detail'], msg)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_post_passing_jwt_auth_with_oauth2_priority(self):
"""
Ensure POSTing over JWT auth with correct credentials
passes and does not require CSRF when OAuth2Authentication
has priority on authentication_classes
"""
payload = utils.jwt_payload_handler(self.user)
token = utils.jwt_encode_handler(payload)
auth = 'JWT {0}'.format(token)
response = self.csrf_client.post('/oauth2-jwt/',
{'example': 'example'},
HTTP_AUTHORIZATION=auth,
format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK, response)
def test_post_expired_token_failing_jwt_auth(self):
"""
Ensure POSTing over JWT auth with expired token fails
"""
payload = utils.jwt_payload_handler(self.user)
payload['exp'] = 1
token = utils.jwt_encode_handler(payload)
auth = 'JWT {0}'.format(token)
response = self.csrf_client.post('/jwt/', {'example': 'example'},
HTTP_AUTHORIZATION=auth,
format='json')
msg = 'Signature has expired.'
self.assertEqual(response.data['detail'], msg)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
self.assertEqual(response['WWW-Authenticate'], 'JWT realm="api"')
def test_jwt_login_with_expired_token(self):
"""
Ensure JWT login view works even if expired token is provided
"""
payload = utils.jwt_payload_handler(self.user)
payload['exp'] = 1
token = utils.jwt_encode_handler(payload)
auth = 'JWT {0}'.format(token)
client = APIClient(enforce_csrf_checks=True)
response = client.post('/auth-token/',
self.data,
HTTP_AUTHORIZATION=auth,
format='json')
decoded_payload = utils.jwt_decode_handler(response.data['token'])
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(decoded_payload['username'], self.username)
def test_different_auth_header_prefix(self):
"""
Ensure using a different setting for `JWT_AUTH_HEADER_PREFIX` and
with correct credentials passes.
"""
api_settings.JWT_AUTH_HEADER_PREFIX = 'Bearer'
payload = utils.jwt_payload_handler(self.user)
token = utils.jwt_encode_handler(payload)
auth = 'Bearer {0}'.format(token)
response = self.csrf_client.post('/jwt/', {'example': 'example'},
HTTP_AUTHORIZATION=auth,
format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK)
# Restore original settings
api_settings.JWT_AUTH_HEADER_PREFIX = DEFAULTS[
'JWT_AUTH_HEADER_PREFIX']
def test_post_form_passing_jwt_auth(self):
"""
Ensure POSTing form over JWT auth with correct credentials
passes and does not require CSRF
"""
payload = utils.jwt_payload_handler(self.user)
token = utils.jwt_encode_handler(payload)
auth = 'JWT {0}'.format(token)
response = self.csrf_client.post('/jwt/', {'example': 'example'},
HTTP_AUTHORIZATION=auth)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.content, b'mockview-post')
# Ensure `authenticate` returned the decoded payload.
self.assertEqual(response.wsgi_request.user, self.user)
payload = response.wsgi_request.auth
self.assertIsInstance(payload, dict)
self.assertEqual(set(payload.keys()),
{'user_id', 'username', 'exp', 'email'})
def test_fail_audience_missing(self):
payload = utils.jwt_payload_handler(self.user)
del payload['aud']
token = utils.jwt_encode_handler(payload)
with self.assertRaises(jwt.exceptions.MissingRequiredClaimError):
utils.jwt_decode_handler(token)
def test_jwt_response_payload(self):
payload = utils.jwt_payload_handler(self.user)
token = utils.jwt_encode_handler(payload)
response_data = utils.jwt_response_payload_handler(token)
self.assertEqual(response_data, dict(token=token))
def test_jwt_decode(self):
payload = utils.jwt_payload_handler(self.user)
token = utils.jwt_encode_handler(payload)
decoded_payload = utils.jwt_decode_handler(token)
self.assertEqual(decoded_payload, payload)
def test_fail_issuer_wrong(self):
payload = utils.jwt_payload_handler(self.user)
payload['iss'] = 'example2.com'
token = utils.jwt_encode_handler(payload)
with self.assertRaises(jwt.exceptions.InvalidIssuerError):
utils.jwt_decode_handler(token)
def test_fail_audience_wrong(self):
payload = utils.jwt_payload_handler(self.user)
payload['aud'] = 'my_aud2'
token = utils.jwt_encode_handler(payload)
with self.assertRaises(jwt.exceptions.InvalidAudienceError):
utils.jwt_decode_handler(token)