
feat: Add JwtAuthentication as a default DRF auth class. #32802

Merged (2 commits), Nov 2, 2023

Commits on Nov 1, 2023

  1. feat!: Add JwtAuthentication as a default DRF auth class.

    By default DRF sets 'DEFAULT_AUTHENTICATION_CLASSES' to:
    
    ```
    [
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication'
    ]
    ```
    
    We also want to allow for JWT Authentication as a valid default auth
    choice. This will allow users to send JWT tokens in the authorization
    header to any existing API endpoints and access them. If any APIs have
    set custom authentication classes, this will not override that.
    
    I believe this is a fairly safe change to make since it only adds one
    authentication class and does not impact authorization of any of the
    endpoints that might be affected.
    
    Note: This change changes the default for both the LMS and CMS because
    `cms/envs/common.py` imports this value from the LMS.
    
    BREAKING CHANGE: For any affected endpoint that also required the user
    to be authenticated, the endpoint will now return a 401 in place of a
    403 when the user is not authenticated.
    
    - See [these DRF docs](https://github.com/encode/django-rest-framework/blob/master/docs/api-guide/authentication.md#unauthorized-and-forbidden-responses) for a deeper explanation about why this changes.
    
    - Here is [an example endpoint](https://github.com/openedx/edx-platform/blob/b8ecfed67dc0520b8c4d95de3096b35acc083611/openedx/core/djangoapps/embargo/views.py#L20-L21) that does not override defaults and checks for IsAuthenticated.
    
    Generally speaking, this should not be a problem. An issue would
    appear only if the caller of the endpoint is specifically handling 403s
    in a way that would be missed for 401s.
    feanil committed Nov 1, 2023
    Commit 7af2b1d
  2. test: Update tests to the new return code.

    When including `JwtAuthentication`, the auth_header becomes `JWT
    realm="api"`. Without it, it is `None`. This changes the behavior of the
    code in DRF and returns a slightly different auth response.
    
    Relevant Code: https://github.com/encode/django-rest-framework/blob/56946fac8f29aa44ce84391f138d63c4c8a2a285/rest_framework/views.py#L456C3-L456C3
    feanil committed Nov 1, 2023
    Commit ac2cc15
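Both commit messages above turn on one DRF rule: when an `IsAuthenticated` check fails for an anonymous caller, the view consults the *first* class in `DEFAULT_AUTHENTICATION_CLASSES` for a `WWW-Authenticate` value; if one comes back the response is a 401 carrying that header, otherwise DRF coerces the exception to a 403. The following is an added, dependency-free model of that branch of `rest_framework.views.APIView.handle_exception` (written for this page, not code from the PR, DRF or edx-platform) so the 403-to-401 flip can be exercised without a Django install. The header strings are the ones DRF's `BasicAuthentication` and, per the second commit, `JwtAuthentication` return; that `JwtAuthentication` is placed first in the list is an assumption inferred from the second commit, and `is_unauthenticated` is a hypothetical caller-side check, not anything the PR adds.

```python
"""Model of how DRF chooses 401 vs 403 for an unauthenticated caller.

Added example: re-implements the decision in
rest_framework.views.APIView.handle_exception / get_authenticate_header
without importing DRF. Authenticator classes below only model
authenticate_header(); they do not authenticate anything.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class SessionAuthentication:
    """DRF's SessionAuthentication inherits BaseAuthentication.authenticate_header,
    which returns None: no WWW-Authenticate challenge can be issued."""

    def authenticate_header(self) -> Optional[str]:
        return None


class BasicAuthentication:
    """Returns the same challenge string as DRF's BasicAuthentication."""

    def authenticate_header(self) -> Optional[str]:
        return 'Basic realm="api"'


class JwtAuthentication:
    """Challenge string quoted in the second commit message ('JWT realm="api"')."""

    def authenticate_header(self) -> Optional[str]:
        return 'JWT realm="api"'


@dataclass
class Response:
    status_code: int
    headers: Dict[str, str] = field(default_factory=dict)


def unauthenticated_response(authenticators: List[object]) -> Response:
    """What DRF sends when IsAuthenticated fails and nobody authenticated.

    permission_denied() raises NotAuthenticated when authenticators are
    configured but none succeeded; handle_exception() then asks
    authenticators[0] for a header. Header present -> 401 + WWW-Authenticate,
    header None -> status coerced to 403.
    """
    if not authenticators:
        # With no authenticators DRF raises PermissionDenied directly.
        return Response(403)
    auth_header = authenticators[0].authenticate_header()
    if auth_header:
        return Response(401, {"WWW-Authenticate": auth_header})
    return Response(403)


# Default DRF ordering described in the first commit message.
DRF_DEFAULTS: List[object] = [SessionAuthentication(), BasicAuthentication()]

# Assumption: the PR prepends JwtAuthentication, so it becomes authenticators[0].
WITH_JWT: List[object] = [JwtAuthentication(), SessionAuthentication(), BasicAuthentication()]


def is_unauthenticated(response: Response) -> bool:
    """Hypothetical caller-side check that survives the BREAKING CHANGE:
    treat both 401 and 403 as 'not logged in' instead of matching 403 alone."""
    return response.status_code in (401, 403)


if __name__ == "__main__":
    for label, classes in (("DRF defaults", DRF_DEFAULTS), ("with JWT first", WITH_JWT)):
        resp = unauthenticated_response(classes)
        print(f"{label}: {resp.status_code} {resp.headers}")
```

Swapping the order so that `SessionAuthentication` stays first would keep the 403 even with `JwtAuthentication` in the list, which is why the position of the new class, not merely its presence, drives the status-code change the tests in the second commit had to follow.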