Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add option to allow inactive user authentication and token generation #834

6 changes: 4 additions & 2 deletions rest_framework_simplejwt/authentication.py
Original file line number Diff line number Diff line change
Expand Up @@ -131,7 +131,7 @@ def get_user(self, validated_token: Token) -> AuthUser:
except self.user_model.DoesNotExist:
raise AuthenticationFailed(_("User not found"), code="user_not_found")

if not user.is_active:
if api_settings.CHECK_USER_IS_ACTIVE and not user.is_active:
raise AuthenticationFailed(_("User is inactive"), code="user_inactive")

if api_settings.CHECK_REVOKE_TOKEN:
Expand Down Expand Up @@ -175,4 +175,6 @@ def default_user_authentication_rule(user: AuthUser) -> bool:
# `AllowAllUsersModelBackend`. However, we explicitly prevent inactive
# users from authenticating to enforce a reasonable policy and provide
# sensible backwards compatibility with older Django versions.
return user is not None and user.is_active
return user is not None and (
not api_settings.CHECK_USER_IS_ACTIVE or user.is_active
)
1 change: 1 addition & 0 deletions rest_framework_simplejwt/settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
"SLIDING_TOKEN_REFRESH_SERIALIZER": "rest_framework_simplejwt.serializers.TokenRefreshSlidingSerializer",
"CHECK_REVOKE_TOKEN": False,
"REVOKE_TOKEN_CLAIM": "hash_password",
"CHECK_USER_IS_ACTIVE": True,
}

IMPORT_STRINGS = (
Expand Down
25 changes: 25 additions & 0 deletions tests/test_authentication.py
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,31 @@ def test_get_user(self):
# Otherwise, should return correct user
self.assertEqual(self.backend.get_user(payload).id, u.id)

@override_api_settings(
CHECK_USER_IS_ACTIVE=False,
)
def test_get_inactive_user(self):
payload = {"some_other_id": "foo"}

# Should raise error if no recognizable user identification
with self.assertRaises(InvalidToken):
self.backend.get_user(payload)

payload[api_settings.USER_ID_CLAIM] = 42

# Should raise exception if user not found
with self.assertRaises(AuthenticationFailed):
self.backend.get_user(payload)

u = User.objects.create_user(username="markhamill")
u.is_active = False
u.save()

payload[api_settings.USER_ID_CLAIM] = getattr(u, api_settings.USER_ID_FIELD)

# should return correct user
self.assertEqual(self.backend.get_user(payload).id, u.id)

@override_api_settings(
CHECK_REVOKE_TOKEN=True, REVOKE_TOKEN_CLAIM="revoke_token_claim"
)
Expand Down
25 changes: 24 additions & 1 deletion tests/test_serializers.py
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
from django.conf import settings
from django.contrib.auth import get_user_model
from django.core import exceptions as django_exceptions
from django.test import TestCase
from django.test import TestCase, override_settings
from rest_framework import exceptions as drf_exceptions

from rest_framework_simplejwt.exceptions import TokenError
Expand Down Expand Up @@ -105,6 +105,29 @@ def test_it_should_raise_if_user_not_active(self):
with self.assertRaises(drf_exceptions.AuthenticationFailed):
s.is_valid()

@override_settings(
AUTHENTICATION_BACKENDS=[
"django.contrib.auth.backends.AllowAllUsersModelBackend",
"django.contrib.auth.backends.ModelBackend",
]
)
@override_api_settings(
CHECK_USER_IS_ACTIVE=False,
)
def test_it_should_validate_if_user_inactive_but_rule_allows(self):
self.user.is_active = False
self.user.save()

s = TokenObtainSerializer(
context=MagicMock(),
data={
TokenObtainSerializer.username_field: self.username,
"password": self.password,
},
)

self.assertTrue(s.is_valid())


class TestTokenObtainSlidingSerializer(TestCase):
def setUp(self):
Expand Down
Loading