dj-jwt-auth 1.7.1__tar.gz → 1.9.0__tar.gz

{dj_jwt_auth-1.7.1 → dj_jwt_auth-1.9.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dj-jwt-auth
-Version: 1.7.1
+Version: 1.9.0
 Summary: A Django package for JSON Web Token validation and verification. Using PyJWT.
 Home-page: https://www.example.com/
 Author: Konstantin Seleznev

{dj_jwt_auth-1.7.1 → dj_jwt_auth-1.9.0}/dj_jwt_auth.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dj-jwt-auth
-Version: 1.7.1
+Version: 1.9.0
 Summary: A Django package for JSON Web Token validation and verification. Using PyJWT.
 Home-page: https://www.example.com/
 Author: Konstantin Seleznev

{dj_jwt_auth-1.7.1 → dj_jwt_auth-1.9.0}/django_jwt/user.py

@@ -4,6 +4,8 @@ from logging import getLogger
 
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group, Permission
+from django.db import transaction
+from django.db.utils import IntegrityError
 from django.http.request import HttpRequest
 
 from django_jwt import settings
@@ -23,6 +25,7 @@ def mapper(user_data: dict) -> dict:
 
 class UserHandler:
     modified_at = None
+    userdata_collected = False
 
     def __init__(self, payload: dict, request: HttpRequest, access_token: str):
         self.payload = payload
@@ -41,10 +44,12 @@ class UserHandler:
     def _collect_user_data(self):
         """Collect user data from KeyCloak"""
 
-        user_data = oidc_handler.get_user_info(self.access_token)
-        log.info(f"[OIDC] User data: {user_data}")
-        self.kwargs["email"] = user_data["email"].lower()
-        self.kwargs.update(mapper(user_data))
+        if not self.userdata_collected:
+            user_data = oidc_handler.get_user_info(self.access_token)
+            log.debug(f"[OIDC] User data: {user_data}")
+            self.kwargs["email"] = user_data["email"].lower()
+            self.kwargs.update(mapper(user_data))
+            self.userdata_collected = True
 
     def _update_user(self, user):
         """Update user fields if they are changed"""
@@ -69,6 +74,7 @@ class UserHandler:
     def _get_by_email(self) -> model:
         """Get user from database by email and update to resave kc_id."""
 
+        self._collect_user_data()
         user = model.objects.get(email=self.kwargs["email"])
         self._update_user(user)
         if self.on_update:
@@ -84,17 +90,16 @@ class UserHandler:
                 user_modified_at = user_modified_at.replace(tzinfo=utc)
             is_modified = user_modified_at < self.modified_at
 
-            log.info(
-                f"[OIDC] User modified at: {user_modified_at}, "
-                f"modified_at: {self.modified_at}, "
-                f"is_modified: {is_modified}, "
-                f"email: {user.email}",
-            )
             if self.modified_at and is_modified:
                 self._update_user(user)
                 if self.on_update:
                     self.on_update(user, self.request, self.payload)
 
+    def _clean_kc_id(self):
+        model.objects.filter(**{settings.OIDC_USER_UID: self.kwargs[settings.OIDC_USER_UID]}).update(
+            **{settings.OIDC_USER_UID: None}
+        )
+
     def get_user(self) -> model:
         """
         Get user from database by kc_id or email.
@@ -103,18 +108,29 @@ class UserHandler:
         """
 
         try:
-            user = model.objects.get(**{settings.OIDC_USER_UID: self.kwargs[settings.OIDC_USER_UID]})
-            self._update_existing_user(user)
+            with transaction.atomic():
+                user = model.objects.get(**{settings.OIDC_USER_UID: self.kwargs[settings.OIDC_USER_UID]})
+                self._update_existing_user(user)
             return user
 
+        except IntegrityError:
+            # User with this email already exists
+            self._clean_kc_id()
+            return self._get_by_email()  # Will update kc_id
+
         except model.DoesNotExist:
             self._collect_user_data()
             try:
                 return self._get_by_email()
             except model.DoesNotExist:
                 return self._create_new_user()
+
         except model.MultipleObjectsReturned:
-            log.error(f"[OIDC] Multiple users found by {settings.OIDC_USER_UID}: {self.kwargs[settings.OIDC_USER_UID]}")
+            log.warning(
+                f"[OIDC] Multiple users found by {settings.OIDC_USER_UID}: {self.kwargs[settings.OIDC_USER_UID]}"
+            )
+            # clear kc_id if multiple users found
+            self._clean_kc_id()
             return self._get_by_email()
 
 

{dj_jwt_auth-1.7.1 → dj_jwt_auth-1.9.0}/django_jwt/views.py

@@ -39,68 +39,84 @@ def index_response(request, msg, status=400):
     )
 
 
-class AbsView(View):
-    def dispatch(self, request, *args, **kwargs):
-        try:
-            return super().dispatch(request, *args, **kwargs)
-        except HTTPError as exc:
-            log.warning(f"OIDC Admin HTTPError: {exc}")
-            return index_response(request=request, msg=exc.response.text, status=exc.response.status_code)
-        except ConfigException as exc:
-            return HttpResponse(content=str(exc), status=500)
-        except BadRequestException as exc:
-            return index_response(request=request, msg=str(exc))
-        except Exception as exc:
-            return index_response(request=request, msg=str(exc))
+class InitiateView(View):
+    callback_view_name = "receive_redirect_view"
+    client_id = None
+    scope = "openid"
 
-
-class StartOIDCAuthView(AbsView):
     def get(self, request):
         pkce_secret = PKCESecret()
-        redirect_uri = jwt_settings.OIDC_ADMIN_REDIRECT_URI
-        if not redirect_uri:
-            redirect_uri = request.build_absolute_uri(reverse("receive_redirect_view"))
+        redirect_uri = request.build_absolute_uri(reverse(self.callback_view_name))
         authorization_endpoint = config.admin().get("authorization_endpoint")
         state = base64.urlsafe_b64encode(get_random_string().encode()).decode()
         params = {
-            "client_id": jwt_settings.OIDC_ADMIN_CLIENT_ID,
+            "client_id": self.client_id,
             "redirect_uri": redirect_uri,
             "response_type": "code",
             "state": state,
-            "scope": jwt_settings.OIDC_ADMIN_SCOPE,
+            "scope": self.scope,
             "code_challenge": pkce_secret.challenge,
             "code_challenge_method": pkce_secret.challenge_method,
             "ui_locales": "en",
             "nonce": get_random_string(),
         }
         cache.set(state, str(pkce_secret), timeout=600)
-        log.info(f"OIDC Admin login: {authorization_endpoint}?{urlencode(params)}")
+        log.info(f"OIDC Initiate: {authorization_endpoint}?{urlencode(params)}")
         return redirect(f"{authorization_endpoint}?{urlencode(params)}")
 
 
-class ReceiveRedirectView(AbsView):
-    def get(self, request):
+class CallbackView(View):
+    callback_view_name = "receive_redirect_view"
+    user = None
+    payload = None
+
+    def fail(self, request, msg):
+        raise BadRequestException(msg)
+
+    def dispatch(self, request, *args, **kwargs):
         code = request.GET.get("code")
         state = request.GET.get("state")
         if not code or not state:
-            log.warning(f"No code or state in the request {request.GET}")
-            raise BadRequestException("No code or state in the request")
+            log.warning(f"OIDC No code or state in the request {request.GET}")
+            return self.fail(request, "No code or state in the request")
 
-        redirect_uri = request.build_absolute_uri(reverse("receive_redirect_view"))
+        redirect_uri = request.build_absolute_uri(self.callback_view_name)
         if state := cache.get(state):
             token = get_access_token(code, redirect_uri, state)
-            data = oidc_handler.decode_token(token)
-            user = UserHandler(data, request, token).get_user()
-            log.info(f"OIDC Admin login: {user}", extra={"data": data})
-            roles = role_handler.apply(user, data)
-            if not user.is_staff:
-                raise BadRequestException(f"User {user.email} is not staff\nRoles: {roles}")
-            login(request, user, backend=jwt_settings.OIDC_AUTHORIZATION_BACKEND)
-            return redirect("admin:index")
+            self.payload = oidc_handler.decode_token(token)
+            self.user = UserHandler(self.payload, request, token).get_user()
+            return super().dispatch(request, *args, **kwargs)
+        return self.fail(request, "No PKCE secret found in cache")
 
-        raise BadRequestException("No PKCE secret found in cache")
+
+class StartOIDCAuthView(InitiateView):
+    client_id = jwt_settings.OIDC_ADMIN_CLIENT_ID
+    scope = jwt_settings.OIDC_ADMIN_SCOPE
+
+
+class ReceiveRedirectView(CallbackView):
+    def dispatch(self, request, *args, **kwargs):
+        try:
+            return super().dispatch(request, *args, **kwargs)
+        except HTTPError as exc:
+            log.warning(f"OIDC Admin HTTPError: {exc}")
+            return index_response(request=request, msg=exc.response.text, status=exc.response.status_code)
+        except ConfigException as exc:
+            return HttpResponse(content=str(exc), status=500)
+        except BadRequestException as exc:
+            return index_response(request=request, msg=str(exc))
+        except Exception as exc:
+            return index_response(request=request, msg=str(exc))
+
+    def get(self, request):
+        log.info(f"OIDC Admin login: {self.user}", extra={"data": self.payload})
+        roles = role_handler.apply(self.user, self.payload)
+        if not self.user.is_staff:
+            raise BadRequestException(f"User {self.user.email} is not staff\nRoles: {roles}")
+        login(request, self.user, backend=jwt_settings.OIDC_AUTHORIZATION_BACKEND)
+        return redirect("admin:index")
 
 
-class LogoutView(AbsView):
+class LogoutView(View):
     def get(self, request):
         return index_response(request, "Logged out", status=401)

{dj_jwt_auth-1.7.1 → dj_jwt_auth-1.9.0}/setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = dj-jwt-auth
-version = 1.7.1
+version = 1.9.0
 description = A Django package for JSON Web Token validation and verification. Using PyJWT.
 long_description = file: README.md
 url = https://www.example.com/

{dj_jwt_auth-1.7.1 → dj_jwt_auth-1.9.0}/tests/models.py

@@ -6,3 +6,4 @@ from django.utils import timezone
 class User(AbstractUser):
     kc_id = models.CharField(max_length=255, null=True, blank=True)
     modified_timestamp = models.DateTimeField(auto_now=False, default=timezone.now)
+    email = models.EmailField(unique=True)

{dj_jwt_auth-1.7.1 → dj_jwt_auth-1.9.0}/tests/test.py

@@ -114,14 +114,36 @@ class OIDCHandlerTest(TestCase):
         self.assertUserWithPayload()
 
     def test_exists_multiple_kc_id(self, *_):
-        """User exists in database by email"""
-        user = User.objects.create(email="example@bk.com", kc_id="123")
-        User.objects.create(email="example@gmail.com", kc_id="123", username="other")
+        """
+        KC ID exists in database by email
+        """
+
+        user = User.objects.create(email="example@bk.com", kc_id="1234")
+        User.objects.create(email="example@gmail.com", kc_id="1234", username="other")
+
         self.middleware.process_request(self.request)
+
         self.assertEqual(self.request.user, user)
+        self.assertUserWithPayload()
 
-        # fields are updated if they are changed in KeyCloak
+    def test_new_email_exists(self, user_info, access_token):
+        """Test case when:
+        - some email 'A' exists in DB with some KC ID
+        - user change email in KC from 'B' to 'A'
+        - KC ID will be attached to existing user with email 'A'
+        """
+        user_info.return_value["email"] = "a@bk.com"
+        user_a = User.objects.create(email="a@bk.com", username="a")
+        user_b = User.objects.create(email="b@bk.com", kc_id="1234", username="b")
+
+        self.middleware.process_request(self.request)
+        user_a.refresh_from_db()
+        user_b.refresh_from_db()
+
+        self.assertEqual(self.request.user, user_a)
         self.assertUserWithPayload()
+        self.assertEqual(user_a.kc_id, "1234")
+        self.assertEqual(user_b.kc_id, None)
 
     def test_exists_email_differeent_kc_id_user(self, *_):
         """User exists in database by email but different kc_id"""
@@ -180,7 +202,7 @@ class OIDCHandlerTest(TestCase):
         self.middleware.process_request(self.request)
         self.assertEqual(self.request.user.username, "override")
 
-    def test_updated_at(self, access_token, user_info):
+    def test_updated_at(self, user_info, access_token):
         """Check that
         - the updated_at field saved correct
         - don't call userdata if updated_at is not changed
@@ -199,7 +221,7 @@ class OIDCHandlerTest(TestCase):
         self.middleware.process_request(self.request)
         user.refresh_from_db()
         self.assertEqual(user.modified_timestamp, updated_at)
-        # self.assertEqual(user_info.call_count, 1)
+        self.assertEqual(user_info.call_count, 1)
 
 
 @patch("django_jwt.utils.get_alg", return_value="HS256")