From 65b3a64f8109e44c7389ae944883d764069656d0 Mon Sep 17 00:00:00 2001
From: Will Stott
Date: Thu, 4 Nov 2021 16:23:23 +0000
Subject: [PATCH 1/2] Handle early Responses

Responses can be returned by middleware before reaching AuthenticationMiddleware - in these cases there is no request.user attribute. This happnes with the default Django MIDDLEWARE ordering if the current host is disallowed (not in ALLOWED_HOSTS)
---
 django_session_jwt/middleware/session.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/django_session_jwt/middleware/session.py b/django_session_jwt/middleware/session.py
index 975c296..19a77b9 100644
--- a/django_session_jwt/middleware/session.py
+++ b/django_session_jwt/middleware/session.py
@@ -172,7 +172,7 @@ def process_request(self, request):
         request.session['jwt'] = fields
 
     def process_response(self, request, response):
-        if not request.user.is_authenticated:
+        if not hasattr(request, 'user') or not request.user.is_authenticated:
             # The user is unauthenticated. Try to determine the user by the
             # session JWT
             User = get_user_model()

From f5db669e87eeb976c8aaaa5447389a50b9f7bdf7 Mon Sep 17 00:00:00 2001
From: Will S
Date: Fri, 5 Nov 2021 10:13:50 +0000
Subject: [PATCH 2/2] Add test for AuthenticationMiddleware not being reached (and no user attribute on Request)

---
 django_session_jwt/settings.py | 3 ++-
 django_session_jwt/tests.py    | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/django_session_jwt/settings.py b/django_session_jwt/settings.py
index 3f2dc5e..fb257f7 100644
--- a/django_session_jwt/settings.py
+++ b/django_session_jwt/settings.py
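Review bot: On the new `if` line, a request that never reached AuthenticationMiddleware is folded into the same branch as an anonymous user, so the session-JWT lookup that starts at `User = get_user_model()` (and continues outside the hunk) still runs against an early-returned error response such as the DisallowedHost 400 the commit message describes. If that body reads `request.session` or refreshes the JWT cookie, that work and any cookie it sets now land on an error response that should arguably pass through untouched. Consider handling the two cases separately, ahead of the existing check: `if not hasattr(request, 'user'):` / `    return response  # short-circuited before AuthenticationMiddleware; nothing to resolve`, assuming process_response returns `response` at its end — its remainder is outside the hunk, so confirm before applying.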
@@ -75,8 +75,9 @@
 )
 
 MIDDLEWARE = (
-    'django.middleware.common.CommonMiddleware',
     'django_session_jwt.middleware.SessionMiddleware',
+    # MiddlewareFailTestCase relies on this ordering.
+    'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
diff --git a/django_session_jwt/tests.py b/django_session_jwt/tests.py
index 64a9f27..5f35388 100644
--- a/django_session_jwt/tests.py
+++ b/django_session_jwt/tests.py
@@ -133,6 +133,16 @@ def test_unauthenicated_view(self):
                           r.cookies.get(settings.SESSION_COOKIE_NAME).value)
         self.assertNotEqual(jwt1['iat'], jwt2['iat'])
+    def test_middleware_early_return(self):
+        """
+        By passing an incorrect HOST, CommonMiddleware returns early before
+        AuthenticationMiddleware is reached. We test this to ensure we don't error in
+        process_response, and end up hiding the real error with a HTTP 500
+        """
+        response = self.client.post('/login/', {'username': 'john', 'password': 'password'},
+                                    HTTP_HOST="blahblah.com")
+        self.assertEqual(response.status_code, 400)
+
 class TestClientTestCase(BaseTestCase):
     def test_login(self):
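Review bot: The added comment names `MiddlewareFailTestCase`, but the test this series adds is `test_middleware_early_return` in tests.py and no class by that name appears anywhere in the diff, so the reference sends a reader looking for something that may not exist. Unless such a class lives elsewhere in the repository, I would name the real dependency: `# test_middleware_early_return relies on SessionMiddleware running before CommonMiddleware.` Moving SessionMiddleware ahead of CommonMiddleware also changes the ordering anyone copying this settings module would inherit, which is worth one more clause in the comment if this file doubles as the example configuration.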
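Review bot: `test_middleware_early_return` asserts only the 400 status, which the DisallowedHost handling produces regardless of what process_response does afterwards, so it does not pin the behaviour the fix is for — that the early-returned response passes through without the middleware resolving a user or attaching a session cookie. Adding `self.assertNotIn(settings.SESSION_COOKIE_NAME, response.cookies)` after the status check would catch a regression where the JWT path runs on the error response. The test also depends on `blahblah.com` being absent from `ALLOWED_HOSTS`, which is only implicit; a one-line comment stating that assumption, or an explicit `override_settings(ALLOWED_HOSTS=[...])` on the test, makes it visible. The enclosing test class header is outside the hunk.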