yunojuno / django-request-token

Django app that uses JWT to manage one-time and expiring tokens to protected URLs. Not related to DRF.
MIT License

LOGIN_MODE_SESSION does not support user with UUID primary key #18

Closed alo-is closed 3 years ago

alo-is commented 7 years ago

Hi,

It seems that when the user model is custom and uses a UUID as primary key, things go wrong when serializing the object, with a classic UUID('xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxx') is not JSON serializable error.

Fixing it just requires checking whether the user.id type is UUID or not, and casting the value with str().

Thanks for help in solving this (little) issue!

stevejalim commented 7 years ago

Hi @maloddon - thanks for bringing this to our attention.

If this is an urgent problem, do you have time to make a quick fork of this repo and implement the fix (am assuming you'll need to do that to get django-request-token working for your project)?

If you could then add a test and raise a PR, we'd be very happy to merge it back to this repo.

timomeara commented 3 years ago

If you also want to support custom user models (and why wouldn't you?) I think all you need to do is: claims["aud"] = str(self.user.pk). That's working for me anyway...

hugorodgerbrown commented 3 years ago

Hi @timomeara - thanks for the comment. I would strongly recommend moving to django-magic-link if you are still using the session mode - it's a cleaner implementation that came out of this library, and LOGIN_MODE_SESSION is due for deprecation.

timomeara commented 3 years ago

Hey @hugorodgerbrown, I'm not using LOGIN_MODE_SESSION, but I am using django-request-token a little differently.

I'm building a REST API for a mobile app, so I'm not using the middleware. My endpoints expect the tokens in POST data. I decode the token and retrieve the RequestToken object manually using values from the claim.

Regardless, the problem arises when building the claims for the token.

If there's a user it'll try to set the claims AUD value to user.id (LOGIN_MODE_REQUEST would do that too).

All I'm saying is that the safe, compatible way to do that would be: str(user.pk)

That'll support UUIDs as well as custom models where the pk field is called something other than 'id'.

Here's a PR for the changes: https://github.com/yunojuno/django-request-token/pull/52
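The failure and the fix discussed in this thread, as an added stand-alone example (not code from django-request-token or from any commenter): a naive claims builder that stores the raw primary key in `aud` serialises fine for an integer pk but raises `TypeError` for a UUID pk, while casting with `str(user.pk)` works for both and also lets the verifying side match the claim back to a user regardless of pk type or field name. The `IntPkUser`/`UUIDPkUser` classes are constructed stand-ins for Django user models, and the function names are assumptions for illustration.

```python
import json
import uuid
from dataclasses import dataclass, field


# Constructed stand-ins for Django user models. A real model exposes .pk as the
# primary key whatever the underlying field is called (id, uuid, ...).
@dataclass
class IntPkUser:
    pk: int
    username: str = "alice"


@dataclass
class UUIDPkUser:
    pk: uuid.UUID = field(default_factory=uuid.uuid4)
    username: str = "bob"


def build_claims_naive(user):
    """Behaviour reported in the issue: the raw pk object goes into 'aud'."""
    return {"aud": user.pk, "sub": "request-token-demo"}


def build_claims_fixed(user):
    """Fix from the thread: cast the pk to str so any pk type is JSON-safe."""
    return {"aud": str(user.pk), "sub": "request-token-demo"}


def serialise(claims):
    """A JWT library json.dumps() the payload before base64url-encoding it;
    this is the step that raises for a uuid.UUID value."""
    return json.dumps(claims)


def roundtrip(claims):
    """Serialise and parse back, as the verifying side would see the payload."""
    return json.loads(serialise(claims))


def naive_serialisation_fails(user):
    """True if the naive builder produces a payload json.dumps() rejects."""
    try:
        serialise(build_claims_naive(user))
    except TypeError:
        return True
    return False


def audience_matches(claims, user):
    """Verification side: compare the 'aud' claim with the user's pk as a string,
    so the check is the same for integer and UUID primary keys."""
    return claims.get("aud") == str(user.pk)


def make_uuid_user():
    return UUIDPkUser()


def make_int_user(pk=7):
    return IntPkUser(pk=pk)


if __name__ == "__main__":
    u = make_uuid_user()
    print("naive builder fails for UUID pk:", naive_serialisation_fails(u))
    print("naive builder fails for int pk: ", naive_serialisation_fails(make_int_user()))
    payload = roundtrip(build_claims_fixed(u))
    print("fixed payload:", payload)
    print("aud matches issuing user:", audience_matches(payload, u))
```

On the decoding side, compare the claim against `str(user.pk)` rather than `user.pk`, otherwise an integer pk stored as `"7"` in the token would never equal the integer `7` from the database.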

hugorodgerbrown commented 3 years ago

@timomeara this is now out as v0.15. Thanks for the submission.