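def validate(self, data):
    """Validate a refresh request and issue a replacement token.

    Args:
        data: validated serializer input; ``data['token']`` is the JWT
            to refresh.

    Returns:
        dict with ``token`` (newly encoded JWT), ``user`` and ``issued_at``.

    Raises:
        serializers.ValidationError: if the token has no ``orig_iat`` claim,
            if the refresh window (``JWT_REFRESH_EXPIRATION_DELTA`` measured
            from ``orig_iat``) has passed, or if ``JWT_TOKEN_ID`` is
            ``'require'`` and the token carries neither ``orig_jti`` nor
            ``jti``.
    """
    token = data['token']
    payload = _check_payload(token=token)
    user = _check_user(payload=payload)

    # 'orig_iat' is the issue time of the *first* token in the refresh chain;
    # it is carried forward unchanged so a chain cannot be refreshed forever.
    orig_iat = payload.get('orig_iat')
    if orig_iat is None:
        msg = _('orig_iat field not found in token.')
        raise serializers.ValidationError(msg)

    # The refresh window is measured from the original issue time, not from
    # the most recent refresh.
    refresh_limit = \
        api_settings.JWT_REFRESH_EXPIRATION_DELTA.total_seconds()
    expiration_timestamp = orig_iat + refresh_limit
    now_timestamp = unix_epoch()
    if now_timestamp > expiration_timestamp:
        msg = _('Refresh has expired.')
        raise serializers.ValidationError(msg)

    new_payload = JSONWebTokenAuthentication.jwt_create_payload(user)
    new_payload['orig_iat'] = orig_iat

    # Carry the original token id forward so a blacklist entry keyed on
    # ``orig_jti``/``jti`` (as BlacklistTokenSerializer.save records it)
    # covers every token refreshed from the same authentication event, not
    # only the first one. Without this, refreshed tokens fell out of the
    # family and could not be revoked together.
    orig_jti = payload.get('orig_jti') or payload.get('jti')
    if orig_jti:
        new_payload['orig_jti'] = orig_jti
    elif api_settings.JWT_TOKEN_ID == 'require':
        msg = _('orig_jti or jti field not found in token.')
        raise serializers.ValidationError(msg)

    return {
        'token': JSONWebTokenAuthentication.jwt_encode_payload(new_payload),
        'user': user,
        'issued_at': new_payload.get('iat', unix_epoch())
    }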
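def save(self, **kwargs):
    """Persist the blacklist entry for the validated token.

    Derives ``token_id``, ``user`` and ``expires_at`` from the decoded
    payload, adds them to ``validated_data`` and delegates to the parent
    ``save``.

    Args:
        **kwargs: passed through unchanged to the parent ``save``.

    Returns:
        whatever the parent ``save`` returns.
    """
    import datetime as _dt  # local: this module binds ``datetime`` to the class

    token = self.validated_data.get('token')
    payload = JSONWebTokenAuthentication.jwt_decode_token(token)
    iat = payload.get('iat', unix_epoch())
    expires_at_unix_time = iat + api_settings.JWT_EXPIRATION_DELTA.total_seconds()

    # For refreshed tokens, record the token id of the original token.
    # This allows us to invalidate the whole family of tokens from
    # the same original authentication event.
    token_id = payload.get('orig_jti') or payload.get('jti')

    # JWT time claims are seconds since the Unix epoch in UTC, so build the
    # aware datetime directly in UTC. The previous
    # ``make_aware(datetime.utcfromtimestamp(...))`` labelled the naive UTC
    # value with Django's *current* time zone, shifting ``expires_at`` by the
    # zone offset whenever TIME_ZONE is not UTC (and ``utcfromtimestamp`` is
    # deprecated since Python 3.12).
    expires_at = _dt.datetime.fromtimestamp(expires_at_unix_time, tz=_dt.timezone.utc)

    self.validated_data.update({
        'token_id': token_id,
        'user': check_user(payload),
        'expires_at': expires_at,
    })

    # Don't store the token if we can rely on token IDs.
    # The token values are still sensitive until they expire.
    if api_settings.JWT_TOKEN_ID == 'require':
        del self.validated_data['token']

    return super(BlacklistTokenSerializer, self).save(**kwargs)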
def validate(self, data):
    """Mint a token for an already-authenticated user.

    No credential check happens here: ``data['user']`` is taken as-is, so
    the caller is responsible for having authenticated it.

    Args:
        data: validated serializer input with a ``user`` entry.

    Returns:
        dict with ``user``, the encoded ``token`` and ``issued_at``.
    """
    user = data["user"]
    claims = JSONWebTokenAuthentication.jwt_create_payload(user)
    # check_user is defined elsewhere; presumably it rejects payloads whose
    # user is not acceptable before a token is issued for it.
    check_user(claims)
    encoded = JSONWebTokenAuthentication.jwt_encode_payload(claims)
    issued_at = claims.get('iat', unix_epoch())
    return {"user": user, "token": encoded, "issued_at": issued_at}
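def save(self, **kwargs):
    """Persist the blacklist entry for the validated token.

    Derives ``user`` and ``expires_at`` from the decoded payload, adds them
    to ``validated_data`` and delegates to the parent ``save``.

    Args:
        **kwargs: passed through unchanged to the parent ``save``.

    Returns:
        whatever the parent ``save`` returns.
    """
    import datetime as _dt  # local: this module binds ``datetime`` to the class

    token = self.validated_data.get('token')
    payload = JSONWebTokenAuthentication.jwt_decode_token(token)
    iat = payload.get('iat', unix_epoch())
    expires_at_unix_time = iat + api_settings.JWT_EXPIRATION_DELTA.total_seconds()

    # JWT time claims are seconds since the Unix epoch in UTC, so build the
    # aware datetime directly in UTC. The previous
    # ``make_aware(datetime.utcfromtimestamp(...))`` labelled the naive UTC
    # value with Django's *current* time zone, shifting ``expires_at`` by the
    # zone offset whenever TIME_ZONE is not UTC (and ``utcfromtimestamp`` is
    # deprecated since Python 3.12).
    expires_at = _dt.datetime.fromtimestamp(expires_at_unix_time, tz=_dt.timezone.utc)

    self.validated_data.update({
        'user': check_user(payload),
        'expires_at': expires_at,
    })
    return super(BlacklistTokenSerializer, self).save(**kwargs)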
def refresh_token(token):
    """Return a fresh token for the user that *token* identifies.

    The refresh window is measured from the chain's original issue time
    (``orig_iat``), which is copied into the new token so repeated refreshes
    cannot extend a session indefinitely. The original token id is carried
    along as ``orig_jti`` so the whole family can be revoked at once.

    Args:
        token: an encoded JWT that passed ``check_payload``.

    Returns:
        dict with the new encoded ``token``, the ``user`` and ``issued_at``.

    Raises:
        RuntimeError: when ``orig_iat`` is missing, the refresh window has
            passed, or ``JWT_TOKEN_ID == 'require'`` and the token has
            neither ``orig_jti`` nor ``jti``.
    """
    claims = check_payload(token=token)
    user = check_user(payload=claims)

    original_issued_at = claims.get('orig_iat')
    if original_issued_at is None:
        raise RuntimeError(_('orig_iat field not found in token.'))

    window = api_settings.JWT_REFRESH_EXPIRATION_DELTA.total_seconds()
    if unix_epoch() > original_issued_at + window:
        raise RuntimeError(_('Refresh has expired.'))

    fresh = JSONWebTokenAuthentication.jwt_create_payload(user)
    fresh['orig_iat'] = original_issued_at

    # Prefer the inherited family id; fall back to this token's own jti.
    family_id = claims.get('orig_jti') or claims.get('jti')
    if family_id:
        fresh['orig_jti'] = family_id
    elif api_settings.JWT_TOKEN_ID == 'require':
        raise RuntimeError(_('orig_jti or jti field not found in token.'))

    return {
        'token': JSONWebTokenAuthentication.jwt_encode_payload(fresh),
        'user': user,
        'issued_at': fresh.get('iat', unix_epoch()),
    }
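def test(user):
    """
    Create JWT claims token.

    To be more standards-compliant please refer to the official JWT standards
    specification: https://tools.ietf.org/html/rfc7519#section-4.1

    Args:
        user: the authenticated user; ``pk``, ``get_username()`` and an
            optional ``profile`` attribute are read from it.

    Returns:
        dict of claims, ready for ``jwt_encode_payload``.
    """
    issued_at_time = datetime.utcnow()
    expiration_time = issued_at_time + api_settings.JWT_EXPIRATION_DELTA

    payload = {
        'user_id': user.pk,
        'username': user.get_username(),
        'iat': unix_epoch(issued_at_time),
        # NOTE(review): 'exp' is left as a datetime while 'iat' is an epoch
        # number — confirm the encoder in use converts datetime claims.
        'exp': expiration_time,
        # NOTE(review): non-standard claim with no consumer visible in this
        # file — confirm it is intentional before this leaves test code.
        'govno': 'govnoo'
    }

    # It's common practice to have user object attached to profile objects.
    # If you have some other implementation feel free to create your own
    # `jwt_create_payload` method with custom payload.
    if hasattr(user, 'profile'):
        # The original line ended in a stray trailing comma, which turned the
        # claim into a one-element tuple ``(pk,)`` instead of the bare pk.
        payload['user_profile_id'] = user.profile.pk if user.profile else None

    # Include original issued at time for a brand new token
    # to allow token refresh
    if api_settings.JWT_ALLOW_REFRESH:
        payload['orig_iat'] = unix_epoch(issued_at_time)

    if api_settings.JWT_AUDIENCE is not None:
        payload['aud'] = api_settings.JWT_AUDIENCE

    if api_settings.JWT_ISSUER is not None:
        payload['iss'] = api_settings.JWT_ISSUER

    return payload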
def validate(self, data):
    """Authenticate the submitted credentials and mint a token.

    Args:
        data: validated serializer input holding ``self.username_field``
            and ``password``.

    Returns:
        dict with the encoded ``token``, the ``user`` and ``issued_at``.

    Raises:
        serializers.ValidationError: on any authentication failure. A single
            generic message is used for every failure, so the response does
            not reveal whether the username exists.
    """
    username = data.get(self.username_field)
    password = data.get('password')
    user = authenticate(**{self.username_field: username, 'password': password})
    if not user:
        raise serializers.ValidationError(
            _('Unable to log in with provided credentials.'))

    claims = JSONWebTokenAuthentication.jwt_create_payload(user)
    encoded = JSONWebTokenAuthentication.jwt_encode_payload(claims)
    return {
        'token': encoded,
        'user': user,
        'issued_at': claims.get('iat', unix_epoch()),
    }