Open nigel-gott opened 3 years ago
Note that Django can be configured to use `AUTHENTICATION_BACKENDS = ['django.contrib.auth.backends.AllowAllUsersModelBackend']`, which will allow inactive users to authenticate.
Luckily we caught this in tests, otherwise it would've suddenly been possible to get tokens for inactive users.

As a workaround the `is_active` flag is now checked in a custom `JWT_RESPONSE_PAYLOAD_HANDLER`.
Hi, I am currently upgrading a project to use this fork from the original jpadilla version. So far the breaking changes have been clearly documented; however, I ran across this one which was not.
Previously `ObtainJSONWebTokenView` in jpadilla's version would raise `ValidationError("User account is disabled.")` if a non-active user attempted to use the view and obtain a token. However, now in the "Dropped support for drf<3.7, django<1.11. Refactored tests." commit, `JSONWebTokenSerializer.validate` was changed to no longer fail if the user was inactive.

The other views provided by this library use serializers like `VerifyAuthTokenSerializer` and `RefreshAuthTokenSerializer`, which call `check_user` in their validate method, which does raise for inactive users; however `ObtainJSONWebTokenView` uses `JSONWebTokenSerializer`, which no longer does.

We can work around this change in our usage of drf-jwt for now, however:
If there is a good reason for this change then I am happy to open an MR updating the documentation to clearly state this change. However, if not and we believe this should be fixed, then I am also happy to fix it. To do so my initial thoughts are:

- `check_user` in `JSONWebTokenSerializer.validate`
- `check_user` / `JSONWebTokenSerializer.validate` back into this library's version

Let me know which, if any, of these you would prefer.
Thanks for the fork and all the new features!
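The backend interaction described in this thread, as an added stand-alone Python model (not drf-jwt's or Django's own code): a ModelBackend-style authenticate() stops inactive users, an AllowAllUsersModelBackend-style one does not, so unless the token serializer re-runs a `check_user` guard the token is issued. The `User` records, backend functions and token string are constructed for illustration.

```python
"""Model of the regression in this issue: whether an inactive user can obtain
a token depends on both the Django auth backend and whether the serializer
re-checks is_active. Simulation only; users and token format are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class User:
    username: str
    password: str
    is_active: bool


USERS = {  # constructed sample accounts: alice is active, bob is disabled
    "alice": User("alice", "pw-alice", is_active=True),
    "bob": User("bob", "pw-bob", is_active=False),
}


def model_backend(username: str, password: str) -> Optional[User]:
    """Behaves like Django's default ModelBackend: inactive users never authenticate."""
    u = USERS.get(username)
    return u if u and u.password == password and u.is_active else None


def allow_all_users_backend(username: str, password: str) -> Optional[User]:
    """Behaves like AllowAllUsersModelBackend: is_active is not consulted."""
    u = USERS.get(username)
    return u if u and u.password == password else None


def check_user(user: User) -> User:
    """Serializer-level guard the issue asks to restore in JSONWebTokenSerializer.validate."""
    if not user.is_active:
        raise ValueError("User account is disabled.")
    return user


def obtain_token(username: str, password: str,
                 authenticate: Callable[[str, str], Optional[User]],
                 recheck_active: bool) -> str:
    """Issue a token after authenticating; recheck_active models calling check_user
    in the serializer, so the outcome no longer depends on the backend's policy."""
    user = authenticate(username, password)
    if user is None:
        raise ValueError("Unable to log in with provided credentials.")
    if recheck_active:
        check_user(user)
    return f"token-for-{user.username}"  # placeholder for a signed JWT
```

With the default backend the serializer check is redundant; with AllowAllUsersModelBackend it is the only thing standing between a disabled account and a valid token.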