Skip to content

fix: Avoid DoesNotExist exception in TokenRefreshSerializer #861

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

fix: Avoid DoesNotExist exception in TokenRefreshSerializer #861

wants to merge 3 commits into from

Conversation

yuekui
Copy link

@yuekui yuekui commented Feb 6, 2025
edited
Loading

#860
For deleted users, they should be treated the same as when no active user is found. This DoesNotExist exception was introduced in the previous version.

@vgrozdanic vgrozdanic mentioned this pull request Feb 26, 2025
Open
3 tasks
vgrozdanic
vgrozdanic approved these changes Feb 26, 2025
View reviewed changes
Copy link
Contributor

@vgrozdanic vgrozdanic left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, thank you for the contribution!

I added this PR on a checklist for next major release since it does some breaking changes: #871

Andrew-Chen-Wang
Andrew-Chen-Wang requested changes Feb 27, 2025
View reviewed changes
rest_framework_simplejwt/serializers.py
Comment on lines +116 to +119
user = (
get_user_model()
.objects.filter(**{api_settings.USER_ID_FIELD: user_id})
.first()
Copy link
Member

@Andrew-Chen-Wang Andrew-Chen-Wang Feb 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this may not be expected since the USER_AUTHENTICATION_RULE expects a user object, not None

djangorestframework-simplejwt/rest_framework_simplejwt/authentication.py

Line 170 in faeea49

def default_user_authentication_rule(user: AuthUser) -> bool:

suggestion: simply check if the user exists OR check authentication rule does not pass rather than solely rely on the authentication rule

Copy link
Author

@yuekui yuekui Feb 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the USER_AUTHENTICATION_RULE method already performs the user is not None check, would adding another check outside the method introduce unnecessary code duplication?

djangorestframework-simplejwt/rest_framework_simplejwt/authentication.py

Line 178 in faeea49

return user is not None and (

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yea, the problem is the initial typing was typed assuming the user object is valid...

I mean that's my fault for not checking that. I guess this is fine, but we should also update the typing for the authentication rule?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, updated

Andrew-Chen-Wang
Andrew-Chen-Wang approved these changes Feb 27, 2025
View reviewed changes
Copy link
Member

@Andrew-Chen-Wang Andrew-Chen-Wang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

awesome thank you!

@vgrozdanic vgrozdanic self-assigned this Mar 2, 2025
@mjbogusz mjbogusz mentioned this pull request Mar 14, 2025
Open
@Andrew-Chen-Wang
Copy link
Member

qq @yuekui @mjbogusz : are you facing 500 error exceptions with this? In other words, are you having to manually catch this edge case? I noticed that the DRF exception does not inherit from the user not found exception, making this a breaking change

@mjbogusz
Copy link

I didn't get as far as getting 500s, as I was upgrading from 5.0 and our unit tests failed on previously unexpected UserNotFound.

AuthenticationFailed is already handled by DRF's APIView:handle_exception() and it's consistent with neighboring behavior for a not active account, so I've added handling this edge case by raising the same type of error and our tests passed again without any additional error handling.

@yuekui
Copy link
Author

yuekui commented Mar 17, 2025

qq @yuekui @mjbogusz : are you facing 500 error exceptions with this? In other words, are you having to manually catch this edge case? I noticed that the DRF exception does not inherit from the user not found exception, making this a breaking change

Yes, it's a 500 error and a breaking change for me. That's why I opened the issue and submitted the patch right after v5.4.0 was released.

@Andrew-Chen-Wang
Copy link
Member

Got it, it sounds like a patch release is necessary rather than a minor/major version upgrade.

@mjbogusz
Copy link

I'd say this sounds like a minor-release-level change, as it shouldn't require immediate code adjustments whether or not someone has implemented a workaround like my example in #860; the behavior will change slightly though.

The exception thrown is the same as previously and is handled by DRF already so I wouldn't say it's a breaking change either.

But of course the final decision is up to the maintainers - I'm just hoping the fix will land soon ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vgrozdanic vgrozdanic vgrozdanic approved these changes

@Andrew-Chen-Wang Andrew-Chen-Wang Andrew-Chen-Wang approved these changes

Assignees

@vgrozdanic vgrozdanic

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@yuekui @Andrew-Chen-Wang @mjbogusz @vgrozdanic