iMerica / dj-rest-auth

Authentication for Django Rest Framework
https://dj-rest-auth.readthedocs.io/en/latest/index.html
MIT License

JWT Authentication is still using the v2 path for the cookies #584

Open Parbelaez opened 5 months ago

Parbelaez commented 5 months ago

Hello,

I am new to Django, so I am probably doing something wrong, but this is what I found, in case it helps correct this issue:

While creating an API, I noticed that the BE was always asking for the Bearer Token header, and not using the cookies at all. I have seen that since version 3, there is a new configuration in the settings using the REST_AUTH dictionary. Nevertheless, dj-rest-auth/dj_rest_auth/jwt_auth.py is still checking the cookies from v2:

```python
...
    def authenticate(self, request):
        cookie_name = api_settings.JWT_AUTH_COOKIE
...
```

As it is now located in the dictionary, I extended the class like this, and it worked:

```python
from rest_framework_simplejwt.authentication import JWTAuthentication
from rest_framework.authentication import CSRFCheck
from rest_framework import exceptions, serializers
from dj_rest_auth import jwt_auth
from django.conf import settings


class CustomCookieAuthentication(jwt_auth.JWTCookieAuthentication):

    def authenticate(self, request):
        cookie_name = settings.REST_AUTH['JWT_AUTH_COOKIE']
        ...
```

This will probably also need to be implemented for the refresh cookie.

I would appreciate your comments on this, either by telling me if I am wrong or, if not, how I should proceed to fix it.

Thanks!

haccks commented 2 weeks ago

api_settings is an object of type APISettings that eventually inherits from the APISettings class of DRF. If you look in DRF's settings.py, there is a magic method __getattr__. This is what enables getting an attribute using . as in api_settings.JWT_AUTH_COOKIE. I would suggest reading about the __getattr__ method in detail.
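
The attribute lookup described in the comment above, as an added example that is not part of the thread and is not dj-rest-auth or DRF code: a simplified stand-in for an APISettings-style object whose `__getattr__` resolves a name such as `JWT_AUTH_COOKIE` from the `REST_AUTH` dictionary. `SettingsProxy`, `DEFAULTS`, `cookie_name_for` and the sample settings are assumptions made for illustration.

```python
# Simplified model of a settings object that serves attribute reads from a dict.
# All names and values below are constructed for this example.

DEFAULTS = {
    "USE_JWT": False,
    "JWT_AUTH_COOKIE": None,          # assumed default: no auth cookie configured
    "JWT_AUTH_REFRESH_COOKIE": None,
}


class SettingsProxy:
    """Resolve attribute access against a user dict, then against defaults."""

    def __init__(self, user_settings, defaults):
        self._user = dict(user_settings or {})
        self._defaults = defaults

    def __getattr__(self, name):
        # Python calls __getattr__ only when normal lookup fails, so every
        # read such as `proxy.JWT_AUTH_COOKIE` ends up here.
        if name.startswith("_") or name not in self._defaults:
            raise AttributeError(f"Invalid setting: {name!r}")
        return self._user.get(name, self._defaults[name])


def cookie_name_for(django_settings):
    """Return what a `.JWT_AUTH_COOKIE` read would yield for these settings.

    `django_settings` is a plain dict standing in for the project's settings module.
    """
    proxy = SettingsProxy(django_settings.get("REST_AUTH"), DEFAULTS)
    return proxy.JWT_AUTH_COOKIE


# Constructed sample: cookie name placed inside the REST_AUTH dictionary.
IN_REST_AUTH = {"REST_AUTH": {"USE_JWT": True, "JWT_AUTH_COOKIE": "my-app-auth"}}
# Constructed sample: cookie name left at the top level of the settings.
TOP_LEVEL_ONLY = {"JWT_AUTH_COOKIE": "my-app-auth"}

if __name__ == "__main__":
    print(cookie_name_for(IN_REST_AUTH))    # read through the dictionary
    print(cookie_name_for(TOP_LEVEL_ONLY))  # falls back to the default
```

In this model the attribute read and the dictionary lookup return the same value whenever the key is present in `REST_AUTH`; a `None` result means the name was not found there and the default was used.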