Пример #1
    def validate(self, data):
        """Validate a refresh request and build the re-issued token.

        ``data['token']`` is decoded and its user resolved through the
        module helpers ``_check_payload`` / ``_check_user``.  The refresh
        is refused when the token has no ``orig_iat`` claim or when
        ``orig_iat + JWT_REFRESH_EXPIRATION_DELTA`` already lies in the
        past.  The new payload keeps the original ``orig_iat`` so the
        refresh window stays anchored to the first authentication rather
        than to the most recent refresh.

        Returns a dict with ``token``, ``user`` and ``issued_at``.
        Raises ``serializers.ValidationError`` on a missing ``orig_iat``
        or an expired refresh window.
        """
        old_payload = _check_payload(token=data['token'])
        user = _check_user(payload=old_payload)

        original_issued_at = old_payload.get('orig_iat')
        if original_issued_at is None:
            raise serializers.ValidationError(
                _('orig_iat field not found in token.'))

        # The window is measured from the original issue time, not from
        # the issue time of the token being presented.
        window_seconds = \
            api_settings.JWT_REFRESH_EXPIRATION_DELTA.total_seconds()
        deadline = original_issued_at + window_seconds
        if unix_epoch() > deadline:
            raise serializers.ValidationError(_('Refresh has expired.'))

        fresh_payload = JSONWebTokenAuthentication.jwt_create_payload(user)
        fresh_payload['orig_iat'] = original_issued_at

        issued_at = fresh_payload.get('iat', unix_epoch())
        return {
            'token': JSONWebTokenAuthentication.jwt_encode_payload(fresh_payload),
            'user': user,
            'issued_at': issued_at,
        }
Пример #2
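    def save(self, **kwargs):
        """Record the presented token in the blacklist.

        Decodes ``validated_data['token']``, resolves its user and derives
        the absolute expiry (``iat + JWT_EXPIRATION_DELTA``) so the entry
        can be purged once the token could no longer be accepted anyway.
        The id of the originating token (``orig_jti`` falling back to
        ``jti``) is stored as ``token_id``.

        The expiry is built directly as a UTC-aware datetime.  The earlier
        ``make_aware(datetime.utcfromtimestamp(...))`` attached the
        *current* Django timezone to a naive UTC value, which shifts the
        stored expiry by the UTC offset whenever ``TIME_ZONE`` is not UTC
        (``utcfromtimestamp`` is also deprecated since Python 3.12).

        Returns whatever the parent ``save`` returns.
        """
        from datetime import timezone as dt_timezone

        token = self.validated_data.get('token')
        payload = JSONWebTokenAuthentication.jwt_decode_token(token)

        iat = payload.get('iat', unix_epoch())
        expires_at_unix_time = (
            iat + api_settings.JWT_EXPIRATION_DELTA.total_seconds()
        )

        # For refreshed tokens, record the token id of the original token.
        # This allows us to invalidate the whole family of tokens from
        # the same original authentication event.
        token_id = payload.get('orig_jti') or payload.get('jti')

        self.validated_data.update({
            'token_id': token_id,
            'user': check_user(payload),
            # Aware UTC instant; no dependency on the active Django timezone.
            'expires_at': datetime.fromtimestamp(
                expires_at_unix_time, tz=dt_timezone.utc),
        })

        # Don't store the token if we can rely on token IDs.
        # The token values are still sensitive until they expire.
        if api_settings.JWT_TOKEN_ID == 'require':
            del self.validated_data['token']

        return super(BlacklistTokenSerializer, self).save(**kwargs)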
Пример #3
    def validate(self, data):
        """Issue a token for an already-resolved user.

        ``data["user"]`` is taken as given: the caller has already
        authenticated or selected the user.  ``check_user`` is run on the
        freshly built payload before it is signed (presumably to reject a
        user who may not hold a token — confirm against ``check_user``).

        Returns a dict with ``user``, ``token`` and ``issued_at``.
        """
        user = data["user"]

        claims = JSONWebTokenAuthentication.jwt_create_payload(user)
        # Validate the resolved user before a token is signed for them.
        check_user(claims)

        signed = JSONWebTokenAuthentication.jwt_encode_payload(claims)
        issued_at = claims.get('iat', unix_epoch())

        return {"user": user, "token": signed, "issued_at": issued_at}
Пример #4
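    def save(self, **kwargs):
        """Record the presented token in the blacklist.

        Decodes ``validated_data['token']``, resolves its user and derives
        the absolute expiry (``iat + JWT_EXPIRATION_DELTA``) so the entry
        can be purged once the token could no longer be accepted anyway.

        The expiry is built directly as a UTC-aware datetime.  The earlier
        ``make_aware(datetime.utcfromtimestamp(...))`` attached the
        *current* Django timezone to a naive UTC value, which shifts the
        stored expiry by the UTC offset whenever ``TIME_ZONE`` is not UTC
        (``utcfromtimestamp`` is also deprecated since Python 3.12).

        Returns whatever the parent ``save`` returns.
        """
        from datetime import timezone as dt_timezone

        token = self.validated_data.get('token')
        payload = JSONWebTokenAuthentication.jwt_decode_token(token)

        iat = payload.get('iat', unix_epoch())
        expires_at_unix_time = (
            iat + api_settings.JWT_EXPIRATION_DELTA.total_seconds()
        )

        self.validated_data.update({
            'user': check_user(payload),
            # Aware UTC instant; no dependency on the active Django timezone.
            'expires_at': datetime.fromtimestamp(
                expires_at_unix_time, tz=dt_timezone.utc),
        })
        return super(BlacklistTokenSerializer, self).save(**kwargs)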
Пример #5
def refresh_token(token):
    """Re-issue a token from a still-valid one without re-authenticating.

    The presented token is decoded and its user resolved with
    ``check_payload`` / ``check_user``.  A refresh is refused when the
    token has no ``orig_iat`` claim or when
    ``orig_iat + JWT_REFRESH_EXPIRATION_DELTA`` lies in the past.  The
    ``orig_iat`` is carried over unchanged, and the original token id
    (``orig_jti``, falling back to ``jti``) is propagated as ``orig_jti``
    when present, so every refresh stays tied to the first authentication.

    Returns a dict with ``token``, ``user`` and ``issued_at``.
    Raises ``RuntimeError`` for a missing ``orig_iat``, an expired refresh
    window, or — when ``JWT_TOKEN_ID == 'require'`` — a token carrying
    neither ``jti`` nor ``orig_jti``.
    """
    claims = check_payload(token=token)
    user = check_user(payload=claims)

    first_issued_at = claims.get('orig_iat')
    if first_issued_at is None:
        raise RuntimeError(_('orig_iat field not found in token.'))

    # Verify expiration.  The window starts at the original issue time,
    # so repeated refreshes cannot extend a session indefinitely.
    window_seconds = \
        api_settings.JWT_REFRESH_EXPIRATION_DELTA.total_seconds()
    deadline = first_issued_at + window_seconds
    if unix_epoch() > deadline:
        raise RuntimeError(_('Refresh has expired.'))

    fresh_claims = JSONWebTokenAuthentication.jwt_create_payload(user)
    fresh_claims['orig_iat'] = first_issued_at

    # Carry the id of the original token forward, if there is one.
    family_id = claims.get('orig_jti') or claims.get('jti')
    if family_id:
        fresh_claims['orig_jti'] = family_id
    elif api_settings.JWT_TOKEN_ID == 'require':
        raise RuntimeError(_('orig_jti or jti field not found in token.'))

    return {
        'token': JSONWebTokenAuthentication.jwt_encode_payload(fresh_claims),
        'user': user,
        'issued_at': fresh_claims.get('iat', unix_epoch()),
    }
Пример #6
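def test(user):
    """
    Create JWT claims token.

    Builds the claim set for ``user``: ``user_id``, ``username``, ``iat``
    and ``exp`` (``iat + JWT_EXPIRATION_DELTA``), ``user_profile_id`` when
    the user has a ``profile`` attribute, ``orig_iat`` when refresh is
    allowed, and ``aud`` / ``iss`` when configured.

    Fixed: ``user_profile_id`` was assigned with a trailing comma, which
    made the claim a one-element tuple (serialised as a JSON list) instead
    of the plain profile pk.

    To be more standards-compliant please refer to the official JWT standards
    specification: https://tools.ietf.org/html/rfc7519#section-4.1
    """

    issued_at_time = datetime.utcnow()
    expiration_time = issued_at_time + api_settings.JWT_EXPIRATION_DELTA

    payload = {
        'user_id': user.pk,
        'username': user.get_username(),
        'iat': unix_epoch(issued_at_time),
        # NOTE(review): 'exp' is a datetime while 'iat' is an epoch number;
        # confirm the encoder in use converts datetimes before signing.
        'exp': expiration_time,
        'govno': 'govnoo'
    }

    # It's common practice to have user object attached to profile objects.
    # If you have some other implementation feel free to create your own
    # `jwt_create_payload` method with custom payload.
    if hasattr(user, 'profile'):
        # No trailing comma here — it would turn the value into a tuple.
        payload['user_profile_id'] = user.profile.pk if user.profile else None

    # Include original issued at time for a brand new token
    # to allow token refresh
    if api_settings.JWT_ALLOW_REFRESH:
        payload['orig_iat'] = unix_epoch(issued_at_time)

    if api_settings.JWT_AUDIENCE is not None:
        payload['aud'] = api_settings.JWT_AUDIENCE

    if api_settings.JWT_ISSUER is not None:
        payload['iss'] = api_settings.JWT_ISSUER

    return payload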
Пример #7
    def validate(self, data):
        """Authenticate the submitted credentials and issue a token.

        The credential dict is keyed by ``self.username_field`` plus
        ``'password'`` and handed straight to ``authenticate``.  One
        generic error is raised for any failure, so the response does not
        reveal whether the username exists.

        Returns a dict with ``token``, ``user`` and ``issued_at``.
        Raises ``serializers.ValidationError`` when authentication fails.
        """
        username_key = self.username_field
        user = authenticate(**{
            username_key: data.get(username_key),
            'password': data.get('password'),
        })

        if not user:
            raise serializers.ValidationError(
                _('Unable to log in with provided credentials.'))

        claims = JSONWebTokenAuthentication.jwt_create_payload(user)
        signed = JSONWebTokenAuthentication.jwt_encode_payload(claims)
        issued_at = claims.get('iat', unix_epoch())

        return {'token': signed, 'user': user, 'issued_at': issued_at}