
Bug: API response for activating users returns 403 Forbidden #81

Closed
codesankalp opened this issue Feb 15, 2021 · 12 comments · Fixed by #108

Labels: Category: Coding (Changes to code base or refactored code that doesn't fix a bug.), Type: Bug (Bug or Bug fixes.)

Comments

@codesankalp (Member) commented Feb 15, 2021

Describe the bug

The backend is not able to handle the activate request and responds with:

{
    "detail": "Authentication credentials were not provided."
}

To Reproduce

Steps to reproduce the behavior:

  1. In settings.py change the email backend to console:
    EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
  2. Register a new user by making a POST request to http://127.0.0.1:8000/api/token_auth/register/ with the data below:
    {
        "username":"test",
        "password":"123",
        "confirm_password":"123",
        "email":"[email protected]"
    }
  3. After this you will receive an email in the console which contains an activation link for the new account. This account verification link is in the format http://localhost:3000/<uidb64>/<token> (example: http://localhost:3000/Nw/5o6-b655d39d1a9b37aa56e2).
  4. Copy the uidb64 and token and make a GET request to http://127.0.0.1:8000/api/token_auth/activate/<uidb64>/<token>/ (for example, it will resemble this: http://127.0.0.1:8000/api/token_auth/activate/Nw/5o6-b655d39d1a9b37aa56e2). It must return Invalid Link or Email confirmed as a response, but it returns the above-mentioned error.

Expected behavior

Invalid Link or Email confirmed must be returned as a response.
This is due to the permission_classes in token_auth/views/register.py, which is not able to patch the permission class onto custom methods like activate() that use @api_view.

How to solve?

Instead of adding the permission_classes variable, use decorators separately.
Reason: permission_classes doesn't patch the activate method. I also tried permission_classes_by_action, but it is also not working.
The tested and working method is mentioned below:

from rest_framework.decorators import api_view, permission_classes
from rest_framework.permissions import AllowAny
from rest_framework.views import APIView


@permission_classes([AllowAny])
class RegisterView(APIView):

    def post(self, request, *args, **kwargs):
        # Registration: create the inactive user and send the activation email.
        pass

    # activate() is a function-based view wrapped by @api_view, so the
    # class-level permission does not reach it; it gets its own decorators.
    @api_view(("GET",))
    @permission_classes([AllowAny])
    def activate(request, uidb64, token):
        pass

@codesankalp (Member, Author) commented Feb 15, 2021

@isabelcosta This issue needs to be solved so that activating users will work from the frontend.
Can you add labels to it?

@decon-harsh (Member)

Hey, can I do this?

@codesankalp (Member, Author)

@decon-harsh Please wait, the issue is to be verified by admin @isabelcosta first.
After the addition of labels, you can work on it!

isabelcosta added the labels Category: Coding and Type: Bug on Feb 15, 2021

@isabelcosta (Member)

@codesankalp could you be a little clearer on the reproduce steps? Is the request URL you show there supposed to mean anything specific, or is it just a random URL? Will that be the same URL for another contributor running the project locally?

@codesankalp (Member, Author)

@isabelcosta I have updated how to reproduce this issue. You can check ☺️.

@decon-harsh (Member)

@isabelcosta I think this is a one-time URL. Accessing it the first time should give the message "Email confirmed". Accessing it again should give "Invalid Link". This URL is for confirmation of email.
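To make the behaviour described in the reproduce steps and in the comment above concrete (a link of the form http://localhost:3000/<uidb64>/<token> that answers "Email confirmed" once and "Invalid Link" afterwards), here is an added, self-contained Python model of such an activation endpoint. It is example code written for this page, not code from the open-source-programs-backend project or from Django REST framework; it stands in for Django's user model, SECRET_KEY and token generator with constructed values and a hand-written HMAC token, and the three-day lifetime is an assumption. It goes a little beyond the thread by showing why the endpoint can safely be reachable without caller credentials: the token itself is the proof, bound to the user's primary key, password hash, email, activation state and an issue timestamp, so it expires, cannot be moved to another account, and stops verifying as soon as the account has been activated.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for Django's SECRET_KEY; a deployment reads it from settings.
SECRET_KEY = b"constructed-example-secret-not-for-production"
TOKEN_TTL_SECONDS = 3 * 24 * 3600  # assumed lifetime of an activation link
_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


@dataclass
class User:
    """Minimal stand-in for the user-model fields the token is bound to."""
    pk: int
    email: str
    password_hash: str
    is_active: bool = False


def uid_encode(pk: int) -> str:
    """URL-safe base64 of the primary key without '=' padding, e.g. 7 -> 'Nw'."""
    return base64.urlsafe_b64encode(str(pk).encode()).decode().rstrip("=")


def uid_decode(uidb64: str) -> Optional[int]:
    """Inverse of uid_encode; returns None for anything malformed."""
    try:
        padded = uidb64 + "=" * (-len(uidb64) % 4)
        return int(base64.urlsafe_b64decode(padded).decode())
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None


def _int_to_base36(n: int) -> str:
    digits = []
    while n:
        n, rem = divmod(n, 36)
        digits.append(_B36[rem])
    return "".join(reversed(digits)) or "0"


def _token_hash(user: User, ts: int) -> str:
    # Everything the token must be bound to goes under the MAC. Including
    # is_active is what makes the link single-use: activation changes the
    # state, so a replayed token no longer verifies.
    state = f"{user.pk}|{user.password_hash}|{user.is_active}|{user.email}|{ts}".encode()
    return hmac.new(SECRET_KEY, state, hashlib.sha256).hexdigest()[:20]


def make_token(user: User, now: Optional[int] = None) -> str:
    """'<base36 timestamp>-<hash>', the shape of the token in the report's example link."""
    ts = int(time.time() if now is None else now)
    return f"{_int_to_base36(ts)}-{_token_hash(user, ts)}"


def check_token(user: User, token: str, now: Optional[int] = None) -> bool:
    """Verify age and MAC against the user's *current* state, in constant time."""
    try:
        ts_b36, _ = token.split("-", 1)
        ts = int(ts_b36, 36)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= TOKEN_TTL_SECONDS:
        return False  # issued in the future or expired
    expected = f"{_int_to_base36(ts)}-{_token_hash(user, ts)}"  # canonical form only
    return hmac.compare_digest(expected, token)


def build_activation_link(user: User, now: Optional[int] = None) -> str:
    """Frontend link in the http://localhost:3000/<uidb64>/<token> format from the report."""
    return f"http://localhost:3000/{uid_encode(user.pk)}/{make_token(user, now)}"


def activate(users: Dict[int, User], uidb64: str, token: str,
             now: Optional[int] = None) -> str:
    """Server side of GET /api/token_auth/activate/<uidb64>/<token>/.

    No caller credentials are involved (AllowAny in DRF terms): the token is the
    only proof, and every failure gets the same generic answer.
    """
    pk = uid_decode(uidb64)
    user = users.get(pk) if pk is not None else None
    if user is None or not check_token(user, token, now):
        return "Invalid Link"
    user.is_active = True
    return "Email confirmed"


if __name__ == "__main__":
    # Constructed sample user; pk 7 encodes to 'Nw' like the link in the report.
    store = {7: User(pk=7, email="test@example.com", password_hash="pbkdf2$constructed")}
    link = build_activation_link(store[7])
    uidb64, token = link.rsplit("/", 2)[1:]
    print(link)
    print(activate(store, uidb64, token))  # Email confirmed
    print(activate(store, uidb64, token))  # Invalid Link
```

The second call fails because the HMAC input now contains `is_active=True`, which is the property the comment above describes: the same URL confirms the email exactly once. Tokens for another user, tampered tokens, malformed tokens and tokens outside the lifetime window all receive the same "Invalid Link" answer, so the unauthenticated endpoint leaks nothing about which accounts exist.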

@decon-harsh (Member)

@codesankalp Since the labels got added, should I start the work?

@Amulya-coder (Member) commented Feb 26, 2021

@codesankalp @isabelcosta I would like to work on this issue.

@codesankalp (Member, Author)

@decon-harsh Since you are assigned to #78, I am assigning this to @Amulya-coder.
@Amulya-coder You can take a reference from this: https://github.com/codesankalp/open-source-programs-backend/blob/activate/token_auth/views/register.py

@decon-harsh (Member)

Yeah sure, @Amulya-coder, happy coding!

@Amulya-coder (Member) commented Mar 1, 2021

[screenshot: API format]

[screenshot: JSON]

@codesankalp can you please confirm? I have tried to reproduce the behaviour and it shows like this.

@codesankalp (Member, Author)

Yes, @Amulya-coder, this is the issue: as activation does not require any prior credentials for activating a user, you have to make the activation method available without any auth credentials.
Compare views/register.py with https://github.com/codesankalp/open-source-programs-backend/blob/activate/token_auth/views/register.py and you will see what needs to be changed here.
