Styria-Digital / django-rest-framework-jwt

JSON Web Token Authentication support for Django REST Framework
https://styria-digital.github.io/django-rest-framework-jwt/
MIT License

Refresh Token Issue #25

Open wuuuduu opened 4 years ago

wuuuduu commented 4 years ago

`RefreshAuthTokenSerializer` has a bug in its `validate` method. If a token is expired but could still be refreshed, it returns an error saying "Token is expired", but it should not raise this error.

As I see it, we are calling `payload = _check_payload(token=token)`, which is responsible for raising this error.

One of many ways to fix it:

file loc: `rest_framework_jwt.serializers._check_payload`

```python
def _check_payload(token):
    try:
        payload = JSONWebTokenAuthentication.jwt_decode_token(token)
```

=>

```python
def _check_payload(token, *args, **kwargs):
    try:
        payload = JSONWebTokenAuthentication.jwt_decode_token(token, *args, **kwargs)
```

file loc: `rest_framework_jwt.serializers.RefreshAuthTokenSerializer.validate`

```python
payload = _check_payload(token=token)
```

=>

```python
payload = _check_payload(token=token, check_jwt_verify_expiration=False)
```

file loc: `rest_framework_jwt.utils.jwt_decode_token`

```python
def jwt_decode_token(token):
    options = {
        'verify_exp': api_settings.JWT_VERIFY_EXPIRATION,
    }
```

=>

```python
def jwt_decode_token(token, check_jwt_verify_expiration=True):
    options = {
        'verify_exp': api_settings.JWT_VERIFY_EXPIRATION and check_jwt_verify_expiration,
    }
```
wuuuduu commented 4 years ago

And I think we should introduce a new setting which tells whether the app should rotate the refresh token.

For now, we are not rotating the token, because of `new_payload['orig_iat'] = orig_iat`, which won't change the lifetime of the refresh token. We could do something like this in `rest_framework_jwt.serializers.RefreshAuthTokenSerializer.validate`:

```python
if api_settings.ROTATE_REFRESH_TOKEN is False:
    new_payload['orig_iat'] = orig_iat
```