Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add option to enable/disable verify jti claim (default: enabled) #195

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat: add option to enable/disable verify jti claim (default: enabled) #195

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
362ad17
feat: add option to enable/disable verify jti claim (default: enabled)
TheTiz Dec 12, 2019
e8d38ec
update comment
TheTiz Dec 23, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
85 changes: 44 additions & 41 deletions rest_framework_simplejwt/settings.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,61 +7,64 @@

from .utils import format_lazy

USER_SETTINGS = getattr(settings, 'SIMPLE_JWT', None)
USER_SETTINGS = getattr(settings, "SIMPLE_JWT", None)

DEFAULTS = {
'ACCESS_TOKEN_LIFETIME': timedelta(minutes=5),
'REFRESH_TOKEN_LIFETIME': timedelta(days=1),
'ROTATE_REFRESH_TOKENS': False,
'BLACKLIST_AFTER_ROTATION': True,
'UPDATE_LAST_LOGIN': False,

'ALGORITHM': 'HS256',
'SIGNING_KEY': settings.SECRET_KEY,
'VERIFYING_KEY': None,
'AUDIENCE': None,
'ISSUER': None,

'AUTH_HEADER_TYPES': ('Bearer',),
'AUTH_HEADER_NAME': 'HTTP_AUTHORIZATION',
'USER_ID_FIELD': 'id',
'USER_ID_CLAIM': 'user_id',
'USER_AUTHENTICATION_RULE': 'rest_framework_simplejwt.authentication.default_user_authentication_rule',

'AUTH_TOKEN_CLASSES': ('rest_framework_simplejwt.tokens.AccessToken',),
'TOKEN_TYPE_CLAIM': 'token_type',

'JTI_CLAIM': 'jti',
'TOKEN_USER_CLASS': 'rest_framework_simplejwt.models.TokenUser',

'SLIDING_TOKEN_REFRESH_EXP_CLAIM': 'refresh_exp',
'SLIDING_TOKEN_LIFETIME': timedelta(minutes=5),
'SLIDING_TOKEN_REFRESH_LIFETIME': timedelta(days=1),
"ACCESS_TOKEN_LIFETIME": timedelta(minutes=5),
"REFRESH_TOKEN_LIFETIME": timedelta(days=1),
"ROTATE_REFRESH_TOKENS": False,
"BLACKLIST_AFTER_ROTATION": True,
"UPDATE_LAST_LOGIN": False,
"JTI_CLAIM_IS_MENDATORY": True,
"ALGORITHM": "HS256",
"SIGNING_KEY": settings.SECRET_KEY,
"VERIFYING_KEY": None,
"AUDIENCE": None,
"ISSUER": None,
"AUTH_HEADER_TYPES": ("Bearer",),
"AUTH_HEADER_NAME": "HTTP_AUTHORIZATION",
"USER_ID_FIELD": "id",
"USER_ID_CLAIM": "user_id",
"USER_AUTHENTICATION_RULE": "rest_framework_simplejwt.authentication.default_user_authentication_rule",
"AUTH_TOKEN_CLASSES": ("rest_framework_simplejwt.tokens.AccessToken",),
"TOKEN_TYPE_CLAIM": "token_type",
"JTI_CLAIM": "jti",
"TOKEN_USER_CLASS": "rest_framework_simplejwt.models.TokenUser",
"SLIDING_TOKEN_REFRESH_EXP_CLAIM": "refresh_exp",
"SLIDING_TOKEN_LIFETIME": timedelta(minutes=5),
"SLIDING_TOKEN_REFRESH_LIFETIME": timedelta(days=1),
}

IMPORT_STRINGS = (
'AUTH_TOKEN_CLASSES',
'TOKEN_USER_CLASS',
"AUTH_TOKEN_CLASSES",
"TOKEN_USER_CLASS",
)

REMOVED_SETTINGS = (
'AUTH_HEADER_TYPE',
'AUTH_TOKEN_CLASS',
'SECRET_KEY',
'TOKEN_BACKEND_CLASS',
"AUTH_HEADER_TYPE",
"AUTH_TOKEN_CLASS",
"SECRET_KEY",
"TOKEN_BACKEND_CLASS",
)


class APISettings(_APISettings): # pragma: no cover
def __check_user_settings(self, user_settings):
SETTINGS_DOC = 'https://github.com/SimpleJWT/django-rest-framework-simplejwt#settings'
SETTINGS_DOC = (
"https://github.com/SimpleJWT/django-rest-framework-simplejwt#settings"
)

for setting in REMOVED_SETTINGS:
if setting in user_settings:
raise RuntimeError(format_lazy(
_("The '{}' setting has been removed. Please refer to '{}' for available settings."),
setting, SETTINGS_DOC,
))
raise RuntimeError(
format_lazy(
_(
"The '{}' setting has been removed. Please refer to '{}' for available settings."
),
setting,
SETTINGS_DOC,
)
)

return user_settings

Expand All @@ -72,9 +75,9 @@ def __check_user_settings(self, user_settings):
def reload_api_settings(*args, **kwargs): # pragma: no cover
global api_settings

setting, value = kwargs['setting'], kwargs['value']
setting, value = kwargs["setting"], kwargs["value"]

if setting == 'SIMPLE_JWT':
if setting == "SIMPLE_JWT":
api_settings = APISettings(value, DEFAULTS, IMPORT_STRINGS)


Expand Down
6 changes: 4 additions & 2 deletions rest_framework_simplejwt/tokens.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,8 +93,10 @@ def verify(self):
# claim. We don't want any zombie tokens walking around.
self.check_exp()

# Ensure token id is present
if api_settings.JTI_CLAIM not in self.payload:
# According to RFC 7519, the "jti" claim is OPTIONAL
# (https://tools.ietf.org/html/rfc7519#section-4.1.7)
# Ensure token id is present only if JTI_CLAIM_IS_MENDATORY is set to True (default)
if api_settings.JTI_CLAIM_IS_MENDATORY and api_settings.JTI_CLAIM not in self.payload:
raise TokenError(_('Token has no id'))

self.verify_token_type()
Expand Down
12 changes: 12 additions & 0 deletions tests/test_tokens.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,18 @@ def test_init_no_jti_token_given(self):
with self.assertRaises(TokenError):
MyToken(str(t))

def test_init_no_verify_jti_token_if_speficied(self):
t = MyToken()
del t['jti']
default_jti_claim_is_mendatory = api_settings.JTI_CLAIM_IS_MENDATORY
api_settings.JTI_CLAIM_IS_MENDATORY = False

try:
MyToken(str(t))
except TokenError:
self.fail("Token init raised TokenError unexpectedly!")
api_settings.JTI_CLAIM_IS_MENDATORY = default_jti_claim_is_mendatory

def test_str(self):
token = MyToken()
token.set_exp(
Expand Down