jpadilla / django-rest-framework-jwt

JSON Web Token Authentication support for Django REST Framework
http://jpadilla.github.io/django-rest-framework-jwt/
MIT License
3.19k stars, 650 forks

Optional user based secret key #419

Open slykar opened 6 years ago

slykar commented 6 years ago

Use JWT_GET_USER_SECRET_KEY only when you actually pass user_id in the payload.

This way you are able to use user-based secret keys and fall back to a default secret key when the user is irrelevant.

Also, without this check, you will be getting a DoesNotExist error when trying to generate a token for a payload without user_id.

slykar commented 6 years ago

This could also be achieved with #416, from what I can see.

codecov[bot] commented 6 years ago

Codecov Report

Merging #419 into master will decrease coverage by 0.33%. The diff coverage is n/a.


@@            Coverage Diff             @@
##           master     #419      +/-   ##
==========================================
- Coverage   90.67%   90.34%   -0.34%     
==========================================
  Files          14       12       -2     
  Lines         847      818      -29     
  Branches       29       29              
==========================================
- Hits          768      739      -29     
  Misses         66       66              
  Partials       13       13
Flag       Coverage Δ
#codecov   90.34% <ø> (-0.34%) ↓
#dj110     87.04% <ø> (-0.45%) ↓
#dj111     87.04% <ø> (-0.45%) ↓
#dj18      89.48% <ø> (-0.36%) ↓
#dj19      89.48% <ø> (-0.36%) ↓
#drf31     89.48% <ø> (-0.36%) ↓
#drf32     89.48% <ø> (-0.36%) ↓
#drf33     89.48% <ø> (-0.36%) ↓
#drf34     90.34% <ø> (-0.34%) ↓
#drf35     89.97% <ø> (-0.35%) ↓
#drf36     89.97% <ø> (-0.35%) ↓
#py27      90.34% <ø> (-0.34%) ↓
#py33      89.11% <ø> (-0.38%) ↓
#py34      89.97% <ø> (+0.48%) ↑
#py35      87.04% <ø> (?)
#py36      87.04% <ø> (?)

Impacted Files                 Coverage Δ
rest_framework_jwt/models.py

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 0a0bd40...7abc026.

sergeynikiforov commented 6 years ago

@slykar Hey, what about wrapping the call to User.objects.get(...) in try...except, catching DoesNotExist errors and re-raising them as jwt.InvalidTokenError or something?

slykar commented 6 years ago

@sergeynikiforov I'm not sure. What I would like to achieve is to use the default key if user_id is not passed. I want to control whether to use a user-based secret or not when calling jwt_encode_handler.
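The key-selection behaviour discussed in this thread, as an added stand-alone example (not code from django-rest-framework-jwt or from either commenter): the per-user secret is consulted only when the payload carries a user_id, the project-wide key is used otherwise, and a user_id that resolves to no user fails hard instead of silently falling back to the shared key, as suggested above. The settings, the user table and the tiny stdlib HS256 encoder are constructed stand-ins; `JWT_SECRET_KEY`, `USERS` and `get_user_secret_key` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for the project settings and the user table.
JWT_SECRET_KEY = "project-wide-secret"
USERS = {1: {"jwt_secret": "secret-for-user-1"}}  # pk -> per-user secret


class InvalidTokenError(Exception):
    """Raised when a payload names a user that cannot be resolved."""


def get_user_secret_key(user):
    # Stand-in for the JWT_GET_USER_SECRET_KEY callable configured in settings.
    return user["jwt_secret"]


def jwt_get_secret_key(payload):
    """Pick the signing key for a payload.

    Only use the per-user secret when user_id is actually present; otherwise
    fall back to the project-wide key. An unknown user_id is an error, never a
    fallback, so a token can only ever verify against the key it was meant for.
    """
    user_id = payload.get("user_id")
    if user_id is None:
        return JWT_SECRET_KEY
    user = USERS.get(user_id)
    if user is None:
        raise InvalidTokenError("unknown user_id %r" % (user_id,))
    return str(get_user_secret_key(user))


def _b64(data):
    # JWT uses unpadded base64url segments.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_encode_handler(payload):
    # Minimal HS256 encoder (stdlib only) so the key selection can be exercised.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    signing_input = ("%s.%s" % (header, body)).encode()
    key = jwt_get_secret_key(payload).encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, body, _b64(sig))
```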