dj-jwt-auth 1.7.0__tar.gz → 1.8.0__tar.gz

{dj_jwt_auth-1.7.0 → dj_jwt_auth-1.8.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dj-jwt-auth
-Version: 1.7.0
+Version: 1.8.0
 Summary: A Django package for JSON Web Token validation and verification. Using PyJWT.
 Home-page: https://www.example.com/
 Author: Konstantin Seleznev
@@ -137,3 +137,4 @@ Login URL will be available at `/admin/oidc/`.
 
 ### Testing:
 Run command `python runtests.py` to run tests.
+To run specific test use `python runtests.py <test_name>`, like `python runtests.py "tests.test.OIDCHandlerTest.test_new_email_exists"`.

{dj_jwt_auth-1.7.0 → dj_jwt_auth-1.8.0}/README.md

@@ -107,4 +107,5 @@ urlpatterns = [
 Login URL will be available at `/admin/oidc/`.
 
 ### Testing:
-Run command `python runtests.py` to run tests.
+Run command `python runtests.py` to run tests.
+To run specific test use `python runtests.py <test_name>`, like `python runtests.py "tests.test.OIDCHandlerTest.test_new_email_exists"`.

{dj_jwt_auth-1.7.0 → dj_jwt_auth-1.8.0}/dj_jwt_auth.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dj-jwt-auth
-Version: 1.7.0
+Version: 1.8.0
 Summary: A Django package for JSON Web Token validation and verification. Using PyJWT.
 Home-page: https://www.example.com/
 Author: Konstantin Seleznev
@@ -137,3 +137,4 @@ Login URL will be available at `/admin/oidc/`.
 
 ### Testing:
 Run command `python runtests.py` to run tests.
+To run specific test use `python runtests.py <test_name>`, like `python runtests.py "tests.test.OIDCHandlerTest.test_new_email_exists"`.

{dj_jwt_auth-1.7.0 → dj_jwt_auth-1.8.0}/django_jwt/config.py

@@ -6,7 +6,7 @@ import requests
 from jwt.algorithms import ECAlgorithm, RSAAlgorithm
 
 from django_jwt import settings
-from django_jwt.exceptions import ConfigException
+from django_jwt.exceptions import AlgorithmNotSupportedException, ConfigException
 
 
 def ensure_well_known(url: str) -> str:
@@ -24,6 +24,9 @@ class Config:
         if not self.route:
             raise ConfigException("OIDC_CONFIG_ROUTES is not set")
 
+        if alg not in self.route:
+            raise AlgorithmNotSupportedException(f"Algorithm {alg} is not supported")
+
         response = requests.get(ensure_well_known(self.route[alg]))
         response.raise_for_status()
         return response.json()

{dj_jwt_auth-1.7.0 → dj_jwt_auth-1.8.0}/django_jwt/exceptions.py

@@ -8,3 +8,9 @@ class BadRequestException(Exception):
     """Base class for exceptions in this module."""
 
     pass
+
+
+class AlgorithmNotSupportedException(Exception):
+    """Base class for exceptions in this module."""
+
+    pass

{dj_jwt_auth-1.7.0 → dj_jwt_auth-1.8.0}/django_jwt/middleware.py

@@ -5,6 +5,7 @@ from django.http import JsonResponse
 from django.utils.deprecation import MiddlewareMixin
 from jwt import ExpiredSignatureError
 
+from django_jwt.exceptions import AlgorithmNotSupportedException
 from django_jwt.user import UserHandler
 from django_jwt.utils import oidc_handler
 
@@ -27,6 +28,8 @@ class JWTAuthMiddleware(MiddlewareMixin):
         try:
             info = oidc_handler.decode_token(raw_token)
             request.user = request._cached_user = UserHandler(info, request, raw_token).get_user()
+        except AlgorithmNotSupportedException as exc:
+            return JsonResponse(status=HTTPStatus.UNAUTHORIZED.value, data={"detail": str(exc)})
         except ExpiredSignatureError:
             return JsonResponse(status=HTTPStatus.UNAUTHORIZED.value, data={"detail": "expired token"})
         except UnicodeDecodeError as exc:

{dj_jwt_auth-1.7.0 → dj_jwt_auth-1.8.0}/django_jwt/user.py

@@ -4,6 +4,8 @@ from logging import getLogger
 
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group, Permission
+from django.db import transaction
+from django.db.utils import IntegrityError
 from django.http.request import HttpRequest
 
 from django_jwt import settings
@@ -23,6 +25,7 @@ def mapper(user_data: dict) -> dict:
 
 class UserHandler:
     modified_at = None
+    userdata_collected = False
 
     def __init__(self, payload: dict, request: HttpRequest, access_token: str):
         self.payload = payload
@@ -41,10 +44,12 @@ class UserHandler:
     def _collect_user_data(self):
         """Collect user data from KeyCloak"""
 
-        user_data = oidc_handler.get_user_info(self.access_token)
-        log.info(f"[OIDC] User data: {user_data}")
-        self.kwargs["email"] = user_data["email"].lower()
-        self.kwargs.update(mapper(user_data))
+        if not self.userdata_collected:
+            user_data = oidc_handler.get_user_info(self.access_token)
+            log.debug(f"[OIDC] User data: {user_data}")
+            self.kwargs["email"] = user_data["email"].lower()
+            self.kwargs.update(mapper(user_data))
+            self.userdata_collected = True
 
     def _update_user(self, user):
         """Update user fields if they are changed"""
@@ -69,6 +74,7 @@ class UserHandler:
     def _get_by_email(self) -> model:
         """Get user from database by email and update to resave kc_id."""
 
+        self._collect_user_data()
         user = model.objects.get(email=self.kwargs["email"])
         self._update_user(user)
         if self.on_update:
@@ -84,17 +90,16 @@ class UserHandler:
                 user_modified_at = user_modified_at.replace(tzinfo=utc)
             is_modified = user_modified_at < self.modified_at
 
-            log.info(
-                f"[OIDC] User modified at: {user_modified_at}, "
-                f"modified_at: {self.modified_at}, "
-                f"is_modified: {is_modified}, "
-                f"email: {user.email}",
-            )
             if self.modified_at and is_modified:
                 self._update_user(user)
                 if self.on_update:
                     self.on_update(user, self.request, self.payload)
 
+    def _clean_kc_id(self):
+        model.objects.filter(**{settings.OIDC_USER_UID: self.kwargs[settings.OIDC_USER_UID]}).update(
+            **{settings.OIDC_USER_UID: None}
+        )
+
     def get_user(self) -> model:
         """
         Get user from database by kc_id or email.
@@ -103,18 +108,29 @@ class UserHandler:
         """
 
         try:
-            user = model.objects.get(**{settings.OIDC_USER_UID: self.kwargs[settings.OIDC_USER_UID]})
-            self._update_existing_user(user)
+            with transaction.atomic():
+                user = model.objects.get(**{settings.OIDC_USER_UID: self.kwargs[settings.OIDC_USER_UID]})
+                self._update_existing_user(user)
             return user
 
+        except IntegrityError:
+            # User with this email already exists
+            self._clean_kc_id()
+            return self._get_by_email()  # Will update kc_id
+
         except model.DoesNotExist:
             self._collect_user_data()
             try:
                 return self._get_by_email()
             except model.DoesNotExist:
                 return self._create_new_user()
+
         except model.MultipleObjectsReturned:
-            log.error(f"[OIDC] Multiple users found by {settings.OIDC_USER_UID}: {self.kwargs[settings.OIDC_USER_UID]}")
+            log.warning(
+                f"[OIDC] Multiple users found by {settings.OIDC_USER_UID}: {self.kwargs[settings.OIDC_USER_UID]}"
+            )
+            # clear kc_id if multiple users found
+            self._clean_kc_id()
             return self._get_by_email()
 
 

{dj_jwt_auth-1.7.0 → dj_jwt_auth-1.8.0}/setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = dj-jwt-auth
-version = 1.7.0
+version = 1.8.0
 description = A Django package for JSON Web Token validation and verification. Using PyJWT.
 long_description = file: README.md
 url = https://www.example.com/

{dj_jwt_auth-1.7.0 → dj_jwt_auth-1.8.0}/tests/models.py

@@ -6,3 +6,4 @@ from django.utils import timezone
 class User(AbstractUser):
     kc_id = models.CharField(max_length=255, null=True, blank=True)
     modified_timestamp = models.DateTimeField(auto_now=False, default=timezone.now)
+    email = models.EmailField(unique=True)

{dj_jwt_auth-1.7.0 → dj_jwt_auth-1.8.0}/tests/test.py

@@ -9,6 +9,8 @@ from django.urls import reverse
 from jwt.api_jwt import ExpiredSignatureError
 
 from django_jwt import settings
+from django_jwt.config import config
+from django_jwt.exceptions import ConfigException
 from django_jwt.middleware import JWTAuthMiddleware
 from django_jwt.roles import ROLE
 from django_jwt.user import role_handler
@@ -112,14 +114,36 @@ class OIDCHandlerTest(TestCase):
         self.assertUserWithPayload()
 
     def test_exists_multiple_kc_id(self, *_):
-        """User exists in database by email"""
-        user = User.objects.create(email="example@bk.com", kc_id="123")
-        User.objects.create(email="example@gmail.com", kc_id="123", username="other")
+        """
+        KC ID exists in database by email
+        """
+
+        user = User.objects.create(email="example@bk.com", kc_id="1234")
+        User.objects.create(email="example@gmail.com", kc_id="1234", username="other")
+
         self.middleware.process_request(self.request)
+
         self.assertEqual(self.request.user, user)
+        self.assertUserWithPayload()
 
-        # fields are updated if they are changed in KeyCloak
+    def test_new_email_exists(self, user_info, access_token):
+        """Test case when:
+        - some email 'A' exists in DB with some KC ID
+        - user change email in KC from 'B' to 'A'
+        - KC ID will be attached to existing user with email 'A'
+        """
+        user_info.return_value["email"] = "a@bk.com"
+        user_a = User.objects.create(email="a@bk.com", username="a")
+        user_b = User.objects.create(email="b@bk.com", kc_id="1234", username="b")
+
+        self.middleware.process_request(self.request)
+        user_a.refresh_from_db()
+        user_b.refresh_from_db()
+
+        self.assertEqual(self.request.user, user_a)
         self.assertUserWithPayload()
+        self.assertEqual(user_a.kc_id, "1234")
+        self.assertEqual(user_b.kc_id, None)
 
     def test_exists_email_differeent_kc_id_user(self, *_):
         """User exists in database by email but different kc_id"""
@@ -178,7 +202,7 @@ class OIDCHandlerTest(TestCase):
         self.middleware.process_request(self.request)
         self.assertEqual(self.request.user.username, "override")
 
-    def test_updated_at(self, access_token, user_info):
+    def test_updated_at(self, user_info, access_token):
         """Check that
         - the updated_at field saved correct
         - don't call userdata if updated_at is not changed
@@ -197,7 +221,26 @@ class OIDCHandlerTest(TestCase):
         self.middleware.process_request(self.request)
         user.refresh_from_db()
         self.assertEqual(user.modified_timestamp, updated_at)
-        # self.assertEqual(user_info.call_count, 1)
+        self.assertEqual(user_info.call_count, 1)
+
+
+@patch("django_jwt.utils.get_alg", return_value="HS256")
+class ConfigTest(TestCase):
+    def setUp(self):
+        self.middleware = JWTAuthMiddleware(get_response=lambda x: x)
+        self.request = Mock()
+        self.request.META = {"HTTP_AUTHORIZATION": "Bearer Token"}
+
+    @patch.object(config, "route", {})
+    def test_empty_routes(self, *_):
+        with self.assertRaises(ConfigException):
+            self.middleware.process_request(self.request)
+
+    @patch.object(config, "route", {"ES256": "http://localhost:8080"})
+    def test_not_supported_alg(self, *_):
+        response = self.middleware.process_request(self.request)
+        self.assertEqual(HTTPStatus.UNAUTHORIZED.value, response.status_code)
+        self.assertEqual(b'{"detail": "Algorithm HS256 is not supported"}', response.content)
 
 
 class RolesTest(TestCase):