iMerica / dj-rest-auth

Authentication for Django Rest Framework
https://dj-rest-auth.readthedocs.io/en/latest/index.html
MIT License
1.64k stars, 306 forks

Login Response is not returning refresh-token in dj-rest-auth v3.0.0 #485

Closed marcosdon28 closed 1 year ago

marcosdon28 commented 1 year ago

I have been using dj-rest-auth for a while. I installed version 3.0.0 in my current project and it is not working properly. When I log in a user, the response returns an empty string instead of a refresh token. My solution was downgrading to an old version that I know works well (2.2.4).

{
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNjc3MTU5NzE4LCJpYXQiOjE2NzY1NTk3MTgsImp0aSI6Ijk2Y2M3NDZmM2ZmOTQ3NWRiYzBmMGVkYzFlYTYyYmY2IiwidXNlcl9pZCI6MX0.rgrJVCs0kgxgU7h6G6lsI-mSly6IZJULQEIh0vQ9lSA",
    "refresh_token": "",
    "user": {
        "pk": 1,
        "username": "admin",
        "email": "EMAIL",
        "first_name": "Pepe",
        "last_name": "1234"
    }
}

This is an example of the response from version 3.0.0. The request shows it empty, but the cookie for the refresh token seems to be updated.

My project config is:

# needed for the timedelta values in SIMPLE_JWT
from datetime import timedelta

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'dj_rest_auth.jwt_auth.JWTCookieAuthentication',
    ],
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
    ],
}

REST_AUTH = {
    'USE_JWT': True,
    'JWT_AUTH_COOKIE': 'my-app-auth',
    'JWT_AUTH_REFRESH_COOKIE': 'my-refresh-token',
}

SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': timedelta(minutes=10000),
    'REFRESH_TOKEN_LIFETIME': timedelta(days=10),
    'ROTATE_REFRESH_TOKENS': True,
}

Skm1221 commented 1 year ago

If you add "JWT_AUTH_HTTPONLY": False, it will work.

REST_AUTH = {
    "USE_JWT": True,
    "JWT_AUTH_HTTPONLY": False,
    ...
}

MarcoGlauser commented 1 year ago

We had the same issue with version 3.0. Setting JWT_AUTH_HTTPONLY to False did the trick.

This line is probably causing the issue, since it previously defaulted to False for JWT_AUTH_HTTPONLY and the refresh token is set right after. https://github.com/iMerica/dj-rest-auth/compare/2.2.8...3.0.0#diff-6605a895156338ef26e802ff3d8fd57aa730b05e9340402bf69cd0a823e4b9dbL92

kiraware commented 1 year ago

Sorry for the late response. Actually, I already added a note about this behaviour in the docs here: https://dj-rest-auth.readthedocs.io/en/latest/configuration.html#jwt-auth-httponly.
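
An added example, not part of the thread or the project's code: a stdlib-only check that reports whether a login response leaves the refresh token readable by page JavaScript, which is the trade-off behind setting `JWT_AUTH_HTTPONLY` to `False`. The function name and both sample responses are constructed for illustration; the cookie name is the `JWT_AUTH_REFRESH_COOKIE` value from the config posted above.

```python
import json
from http.cookies import SimpleCookie

# JWT_AUTH_REFRESH_COOKIE from the config posted in this thread
REFRESH_COOKIE = "my-refresh-token"

# Constructed sample: behaviour reported for 3.0.0 (empty body field, cookie set)
HTTPONLY_TRUE = {
    "set_cookie": ["my-refresh-token=constructed.refresh.value; HttpOnly; Path=/; SameSite=Lax"],
    "body": '{"access_token": "constructed.access.value", "refresh_token": ""}',
}
# Constructed sample: response after the JWT_AUTH_HTTPONLY = False workaround
HTTPONLY_FALSE = {
    "set_cookie": ["my-refresh-token=constructed.refresh.value; Path=/; SameSite=Lax"],
    "body": '{"access_token": "constructed.access.value", '
            '"refresh_token": "constructed.refresh.value"}',
}


def refresh_token_exposure(set_cookie_headers, body_text, cookie_name=REFRESH_COOKIE):
    """List the places where client-side script can read the refresh token."""
    findings = []
    body = json.loads(body_text)
    # A non-empty refresh_token in the JSON body is visible to any script
    # that handles the login response.
    if body.get("refresh_token"):
        findings.append("body")
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        morsel = jar.get(cookie_name)
        if morsel is None or not morsel.value:
            continue  # a different cookie, or a cleared one
        # Without the HttpOnly attribute, document.cookie exposes the value.
        if not morsel["httponly"]:
            findings.append("cookie-without-httponly")
    return findings


if __name__ == "__main__":
    for label, resp in (("HttpOnly on", HTTPONLY_TRUE), ("HttpOnly off", HTTPONLY_FALSE)):
        exposed = refresh_token_exposure(resp["set_cookie"], resp["body"])
        print(f"{label}: {exposed or 'refresh token not readable by script'}")
```

An empty result means the browser stores the refresh token but page scripts cannot read it, so the client has to rely on the cookie being sent with the refresh request rather than on the value in the login body.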

marcosdon28 commented 1 year ago

Thank you guys for your support!