diff --git a/django_session_jwt/middleware/session.py b/django_session_jwt/middleware/session.py
index 975c296..19a77b9 100644
--- a/django_session_jwt/middleware/session.py
+++ b/django_session_jwt/middleware/session.py
@@ -172,7 +172,7 @@ def process_request(self, request):
         request.session['jwt'] = fields
 
     def process_response(self, request, response):
-        if not request.user.is_authenticated:
+        if not hasattr(request, 'user') or not request.user.is_authenticated:
             # The user is unauthenticated. Try to determine the user by the
             # session JWT
             User = get_user_model()
diff --git a/django_session_jwt/settings.py b/django_session_jwt/settings.py
index 3f2dc5e..fb257f7 100644
--- a/django_session_jwt/settings.py
+++ b/django_session_jwt/settings.py
@@ -75,8 +75,9 @@
 )
 
 MIDDLEWARE = (
-    'django.middleware.common.CommonMiddleware',
     'django_session_jwt.middleware.SessionMiddleware',
+    # MiddlewareFailTestCase relies on this ordering.
+    'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
diff --git a/django_session_jwt/tests.py b/django_session_jwt/tests.py
index 64a9f27..5f35388 100644
--- a/django_session_jwt/tests.py
+++ b/django_session_jwt/tests.py
@@ -133,6 +133,16 @@ def test_unauthenicated_view(self):
                          r.cookies.get(settings.SESSION_COOKIE_NAME).value)
         self.assertNotEqual(jwt1['iat'], jwt2['iat'])
 
 
+    def test_middleware_early_return(self):
+        """
+        By passing an incorrect HOST, CommonMiddleware returns early before
+        AuthenticationMiddleware is reached. We test this to ensure we don't error in
+        process_response, and end up hiding the real error with a HTTP 500
+        """
+        response = self.client.post('/login/', {'username': 'john', 'password': 'password'},
+                                    HTTP_HOST="blahblah.com")
+        self.assertEqual(response.status_code, 400)
+
 class TestClientTestCase(BaseTestCase):
     def test_login(self):
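Review bot: The new `hasattr(request, 'user')` guard stops the AttributeError, but it routes a request with no `user` attribute into the "determine the user by the session JWT" branch, and the rest of that branch is outside the hunk; `process_response` continues past the visible lines, so it is worth confirming nothing further down reads or assigns `request.user` on that path, otherwise the same failure just moves a few lines lower. A request reaches this state when an earlier middleware short-circuits the chain before `AuthenticationMiddleware` runs (the commit's test does this with a rejected Host header), and that is also a response that is already an error, so consider whether the JWT-resolution and any cookie refresh should run at all for it rather than only not crash; presumably an explicit early `return response` when `user` is absent is the safer shape, but that depends on what the remainder of the method does. The guard deserves a one-line why-comment, e.g. `# request.user is missing when an earlier middleware short-circuited before AuthenticationMiddleware ran`.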
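Review bot: The added comment `# MiddlewareFailTestCase relies on this ordering.` names a test case that this diff does not add or touch; the test it introduces is `test_middleware_early_return` in tests.py, whose enclosing class name is not visible in the hunk, so the reference looks stale or mistyped and should be checked against the actual class name. The comment should also say why the ordering matters rather than only who depends on it, because the next person reordering MIDDLEWARE will not run that one test first: `# SessionMiddleware must precede CommonMiddleware so its process_response runs on responses CommonMiddleware short-circuits before AuthenticationMiddleware ran`. Note that moving the project's SessionMiddleware ahead of CommonMiddleware is a production-relevant ordering choice in what appears to be the package's own settings, not only a test fixture, so the rationale belongs in the comment.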
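Review bot: The test pins only `status_code == 400`, which is the right distinction from the 500 it guards against, but it silently depends on two settings that are not visible here: `"blahblah.com"` must be absent from `ALLOWED_HOSTS`, and `CommonMiddleware` must sit after `SessionMiddleware` in `MIDDLEWARE` (the settings hunk in this commit makes that ordering change). Consider making the ordering dependency explicit in the test, e.g. `self.assertLess(settings.MIDDLEWARE.index('django_session_jwt.middleware.SessionMiddleware'), settings.MIDDLEWARE.index('django.middleware.common.CommonMiddleware'))`, so a reorder fails with a clear message instead of the test passing for the wrong reason. The docstring's "We test this to ensure we don't error in process_response" is slightly off — the error being prevented is an AttributeError on `request.user` — and "a HTTP 500" reads better as "an HTTP 500". The enclosing test class starts outside the hunk.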