Add option to allow inactive user authentication and token generation (jazzband#834)

Author: zxkeyy

rest_framework_simplejwt/authentication.py

@@ -131,7 +131,7 @@ def get_user(self, validated_token: Token) -> AuthUser:
         except self.user_model.DoesNotExist:
             raise AuthenticationFailed(_("User not found"), code="user_not_found")
 
-        if not user.is_active:
+        if api_settings.CHECK_USER_IS_ACTIVE and not user.is_active:
             raise AuthenticationFailed(_("User is inactive"), code="user_inactive")
 
         if api_settings.CHECK_REVOKE_TOKEN:
@@ -175,4 +175,6 @@ def default_user_authentication_rule(user: AuthUser) -> bool:
     # `AllowAllUsersModelBackend`.  However, we explicitly prevent inactive
     # users from authenticating to enforce a reasonable policy and provide
     # sensible backwards compatibility with older Django versions.
-    return user is not None and user.is_active
+    return user is not None and (
+        not api_settings.CHECK_USER_IS_ACTIVE or user.is_active
+    )

rest_framework_simplejwt/settings.py

@@ -44,6 +44,7 @@
     "SLIDING_TOKEN_REFRESH_SERIALIZER": "rest_framework_simplejwt.serializers.TokenRefreshSlidingSerializer",
     "CHECK_REVOKE_TOKEN": False,
     "REVOKE_TOKEN_CLAIM": "hash_password",
+    "CHECK_USER_IS_ACTIVE": True,
 }
 
 IMPORT_STRINGS = (

tests/test_authentication.py

@@ -161,6 +161,31 @@ def test_get_user(self):
         # Otherwise, should return correct user
         self.assertEqual(self.backend.get_user(payload).id, u.id)
 
+    @override_api_settings(
+        CHECK_USER_IS_ACTIVE=False,
+    )
+    def test_get_inactive_user(self):
+        payload = {"some_other_id": "foo"}
+
+        # Should raise error if no recognizable user identification
+        with self.assertRaises(InvalidToken):
+            self.backend.get_user(payload)
+
+        payload[api_settings.USER_ID_CLAIM] = 42
+
+        # Should raise exception if user not found
+        with self.assertRaises(AuthenticationFailed):
+            self.backend.get_user(payload)
+
+        u = User.objects.create_user(username="markhamill")
+        u.is_active = False
+        u.save()
+
+        payload[api_settings.USER_ID_CLAIM] = getattr(u, api_settings.USER_ID_FIELD)
+
+        # should return correct user
+        self.assertEqual(self.backend.get_user(payload).id, u.id)
+
     @override_api_settings(
         CHECK_REVOKE_TOKEN=True, REVOKE_TOKEN_CLAIM="revoke_token_claim"
     )

tests/test_serializers.py

@@ -5,7 +5,7 @@
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.core import exceptions as django_exceptions
-from django.test import TestCase
+from django.test import TestCase, override_settings
 from rest_framework import exceptions as drf_exceptions
 
 from rest_framework_simplejwt.exceptions import TokenError
@@ -105,6 +105,29 @@ def test_it_should_raise_if_user_not_active(self):
         with self.assertRaises(drf_exceptions.AuthenticationFailed):
             s.is_valid()
 
+    @override_settings(
+        AUTHENTICATION_BACKENDS=[
+            "django.contrib.auth.backends.AllowAllUsersModelBackend",
+            "django.contrib.auth.backends.ModelBackend",
+        ]
+    )
+    @override_api_settings(
+        CHECK_USER_IS_ACTIVE=False,
+    )
+    def test_it_should_validate_if_user_inactive_but_rule_allows(self):
+        self.user.is_active = False
+        self.user.save()
+
+        s = TokenObtainSerializer(
+            context=MagicMock(),
+            data={
+                TokenObtainSerializer.username_field: self.username,
+                "password": self.password,
+            },
+        )
+
+        self.assertTrue(s.is_valid())
+
 
 class TestTokenObtainSlidingSerializer(TestCase):
     def setUp(self):