TokenRefreshView throws 403 Forbidden error upon adding IsAuthenticated to permission_classes attribute

[amitkbiswas01]

I'm trying to set an HTTP-only cookie on TokenRefreshView. I've extended the original TokenRefreshView class to add the logic to the post method. and it's working unless I change the permission class attribute to IsAuthenticated, now it's throwing a 403 forbidden error.

urls.py

.......
if getattr(settings, "REST_USE_JWT", False):
    from rest_framework_simplejwt.views import TokenVerifyView

    urlpatterns += [
        path("token/verify/", TokenVerifyView.as_view(), name="token_verify"),
        path(
            "token/refresh/",
            CustomTokenRefreshView.as_view(),
            name="token_refresh",
        ),
    ]

views.py

class CustomTokenRefreshView(TokenRefreshView):
    permission_classes = (IsAuthenticated,)

    def post(self, request, *args, **kwargs):
        serializer = self.get_serializer(data=request.data)

        try:
            serializer.is_valid(raise_exception=True)
        except TokenError as e:
            raise InvalidToken(e.args[0])

        response = Response(serializer.validated_data, status=status.HTTP_200_OK)

        if getattr(settings, "REST_USE_JWT", False):
            cookie_name = getattr(settings, "JWT_AUTH_COOKIE", None)
            cookie_secure = getattr(settings, "JWT_AUTH_SECURE", False)
            cookie_httponly = getattr(settings, "JWT_AUTH_HTTPONLY", True)
            cookie_samesite = getattr(settings, "JWT_AUTH_SAMESITE", "Lax")
            if cookie_name:

                expiration = datetime.utcnow() + jwt_settings.ACCESS_TOKEN_LIFETIME
                response.set_cookie(
                    cookie_name,
                    serializer.validated_data["access"],
                    expires=expiration,
                    secure=cookie_secure,
                    httponly=cookie_httponly,
                    samesite=cookie_samesite,
                )
        return response

settings.py

.......
REST_FRAMEWORK = {
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated",
        "rest_framework.permissions.IsAdminUser",
    ],
    "DEFAULT_AUTHENTICATION_CLASSES": (
        "dj_rest_auth.jwt_auth.JWTCookieAuthentication",
    ),
}

I am using this with dj-rest-auth package. afaik, they use simplejwt directly for token/verify and token/refresh paths. So posting it here. Please help. Thanks in advance.

[Andrew-Chen-Wang]

You might have some look checking out #71's linked PR

[amitkbiswas01]

@Andrew-Chen-Wang Thanks for the link. It was a really good read regarding the issue of security in JWT. However, I didn't find this specific problem being mentioned there. I'm new to Django and JWT in general so am I missing something? Thanks.

[Andrew-Chen-Wang]

That's my fault. The code is at #157. Sorry about redirecting you unclearly; I thought you'd see the PR, but even I couldn't find it at first glance.

[amitkbiswas01]

Looked into the code and PR. Still unsure how changing permission_classes results in 403 :(

[Andrew-Chen-Wang]

Hmm well I was hoping you just copied and pasted wrong, but you're in the wrong repository:

dj_rest_auth.jwt_auth.JWTCookieAuthentication

That's a different package. Either that, or you means to use rest_framework_simplejwt's authentication method?

[amitkbiswas01]

as dj_rest_auth uses simplejwt internally for JWT, I thought the issue might be related to simplejwt. The TokenRefreshView class they use for this purpose directly from simplejwt. Maybe I misunderstood. Sorry for the trouble. I'm closing the issue.

[Andrew-Chen-Wang]

@amitkbiswas0 Not a prob. If you've got any further issues that might be pinned to this same problem, just ping me and reopen the issue.