Merge pull request #73 from HackSoftware/jwt-based-authentication

JWT based authentication

Author: RadoRado

README.md

@@ -16,7 +16,7 @@ The structure is inspired by [cookiecutter-django](https://github.com/pydanny/co
 Few important things:
 
 * Linux / Ubuntu is our primary OS and things are tested for that. It will mostly not work on Mac & certainly not work on Windows.
-* It uses Postgres as primary database.
+* It uses Postgres as the primary database.
 * It comes with GitHub Actions support, [based on that article](https://hacksoft.io/github-actions-in-action-setting-up-django-and-postgres/)
 * It comes with examples for writing tests with fakes & factories, based on the following articles - <https://www.hacksoft.io/blog/improve-your-tests-django-fakes-and-factories>, <https://www.hacksoft.io/blog/improve-your-tests-django-fakes-and-factories-advanced-usage>
 * It comes with [`whitenoise`](http://whitenoise.evans.io/en/stable/) setup.
@@ -41,11 +41,46 @@ CORS_ALLOW_ALL_ORIGINS = False
 CORS_ORIGIN_WHITELIST = env.list('CORS_ORIGIN_WHITELIST', default=[])
 ```
 
-### DRF
+## Authentication - JWT
 
-We have removed the default authentication classes, since they were causing trouble.
+The project is using <https://github.com/Styria-Digital/django-rest-framework-jwt> for having authentication via JWT capabilities.
 
-## Authentication - General
+### Settings
+
+All JWT related settings are located in `config/settings/jwt.py`.
+
+> ⚠️ We highly recommend reading the entire settings page from the project documentation - <https://styria-digital.github.io/django-rest-framework-jwt/#additional-settings> - to figure out your needs & the proper defaults for you!
+
+The default settings also include the JWT token as a cookie.
+
+The specific details about how the cookie is set, can be found here - <https://github.com/Styria-Digital/django-rest-framework-jwt/blob/master/src/rest_framework_jwt/compat.py#L43>
+
+### APIs
+
+The JWT related APIs are:
+
+1. `/api/auth/jwt/login/`
+1. `/api/auth/jwt/logout/`
+
+The current implementation of the login API returns just the token:
+
+```json
+{
+    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InJhZG9yYWRvQGhhY2tzb2Z0LmlvIiwiaWF0IjoxNjQxMjIxMDMxLCJleHAiOjE2NDE4MjU4MzEsImp0aSI6ImIyNTEyNmY4LTM3ZDctNGI5NS04Y2M0LTkzZjI3MjE4ZGZkOSIsInVzZXJfaWQiOjJ9.TUoQQPSijO2O_3LN-Pny4wpQp-0rl4lpTs_ulkbxzO4"
+}
+```
+
+This can be changed from `auth_jwt_response_payload_handler`.
+
+
+### Requiring authentication
+
+We follow this concept:
+
+1. All APIs are public by default (no default authentication classes)
+1. If you want a certain API to require authentication, you add the `ApiAuthMixin` to it.
+
+## Authentication - Sessions
 
 This project is using the already existing [**cookie-based session authentication**](https://docs.djangoproject.com/en/3.1/topics/auth/default/#how-to-log-a-user-in) in Django:
 
@@ -104,22 +139,15 @@ We have the following general cases:
 1. If the backend is located on `*.domain.com` and the frontend is located on `*.domain.com`, the configuration is going to work out of the box.
 1. If the backend is located on `somedomain.com` and the frontend is located on `anotherdomain.com`, then you'll need to set `SESSION_COOKIE_SAMESITE = 'None'` and `SESSION_COOKIE_SECURE = True`
 
-### Reading list
-
-Since cookies can be somewhat elusive, check the following urls:
-
-1. <https://docs.djangoproject.com/en/3.1/ref/settings/#sessions> - It's a good idea to just read every description for `SESSION_*`
-1. <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies> - It's a good idea to read everything, several times.
-
-## Authentication APIs
+### APIs
 
-1. `POST` <http://localhost:8000/api/auth/login/> requires JSON body with `email` and `password`.
-1. `GET` <http://localhost:8000/api/auth/me/> returns the current user information, if the request is authenticated (has the corresponding `sessionid` cookie)
-1. `GET` or `POST` <http://localhost:8000/api/auth/logout/> will remove the `sessionid` cookie, effectively logging you out.
+1. `POST` to `/api/auth/session/login/` requires JSON body with `email` and `password`.
+1. `GET` to `/api/auth/me/` returns the current user information, if the request is authenticated (has the corresponding `sessionid` cookie)
+1. `GET` or `POST` to `/api/auth/logout/` will remove the `sessionid` cookie, effectively logging you out.
 
 ### `HTTP Only` / `SameSite`
 
-The current implementation of `/auth/login` does 2 things:
+The current implementation of `/api/auth/session/login` does 2 things:
 
 1. Sets a `HTTP Only` cookie with the session id.
 1. Returns the actual session id from the JSON payload.
@@ -128,6 +156,14 @@ The second thing is required, because Safari is not respecting the `SameSite = N
 
 More on the issue here - <https://www.chromium.org/updates/same-site/incompatible-clients>
 
+### Reading list
+
+Since cookies can be somewhat elusive, check the following urls:
+
+1. <https://docs.djangoproject.com/en/3.1/ref/settings/#sessions> - It's a good idea to just read every description for `SESSION_*`
+1. <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies> - It's a good idea to read everything, several times.
+
+
 ## Example List API
 
 You can find the `UserListApi` in [`styleguide_example/users/apis.py`](https://github.com/HackSoftware/Styleguide-Example/blob/master/styleguide_example/users/apis.py#L12)

config/django/base.py

@@ -50,6 +50,7 @@
     'django_filters',
     'corsheaders',
     'django_extensions',
+    'rest_framework_jwt',
 ]
 
 INSTALLED_APPS = [
@@ -169,6 +170,7 @@
 }
 
 from config.settings.cors import *  # noqa
+from config.settings.jwt import *  # noqa
 from config.settings.sessions import *  # noqa
 from config.settings.celery import *  # noqa
 from config.settings.sentry import *  # noqa

config/settings/jwt.py

@@ -0,0 +1,26 @@
+import datetime
+
+from config.env import env
+
+# For more settings
+# Read everything from here - https://styria-digital.github.io/django-rest-framework-jwt/#additional-settings
+
+# Default to 7 days
+JWT_EXPIRATION_DELTA_SECONDS = env("JWT_EXPIRATION_DELTA_SECONDS", default=60 * 60 * 24 * 7)
+JWT_AUTH_COOKIE = env("JWT_AUTH_COOKIE", default="jwt")
+JWT_AUTH_COOKIE_SAMESITE = env("JWT_AUTH_COOKIE_SAMESITE", default="Lax")
+JWT_AUTH_HEADER_PREFIX = env("JWT_AUTH_HEADER_PREFIX", default="Bearer")
+
+
+JWT_AUTH = {
+    "JWT_GET_USER_SECRET_KEY": "styleguide_example.authentication.services.auth_user_get_jwt_secret_key",
+    "JWT_RESPONSE_PAYLOAD_HANDLER": "styleguide_example.authentication.services.auth_jwt_response_payload_handler",
+    "JWT_EXPIRATION_DELTA": datetime.timedelta(seconds=JWT_EXPIRATION_DELTA_SECONDS),
+    "JWT_ALLOW_REFRESH": False,
+
+    "JWT_AUTH_COOKIE": JWT_AUTH_COOKIE,
+    "JWT_AUTH_COOKIE_SECURE": True,
+    "JWT_AUTH_COOKIE_SAMESITE": JWT_AUTH_COOKIE_SAMESITE,
+
+    "JWT_AUTH_HEADER_PREFIX": JWT_AUTH_HEADER_PREFIX
+}

requirements/base.txt

@@ -12,3 +12,5 @@ whitenoise==5.3.0
 django-filter==21.1
 django-cors-headers==3.10.1
 django-extensions==3.1.5
+
+drf-jwt==1.19.1

styleguide_example/api/mixins.py

@@ -7,6 +7,8 @@
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.authentication import SessionAuthentication, BaseAuthentication
 
+from rest_framework_jwt.authentication import JSONWebTokenAuthentication
+
 
 def get_auth_header(headers):
     value = headers.get('Authorization')
@@ -59,5 +61,9 @@ def enforce_csrf(self, request):
 
 
 class ApiAuthMixin:
-    authentication_classes = (CsrfExemptedSessionAuthentication, SessionAsHeaderAuthentication)
+    authentication_classes = (
+        CsrfExemptedSessionAuthentication,
+        SessionAsHeaderAuthentication,
+        JSONWebTokenAuthentication
+    )
     permission_classes = (IsAuthenticated, )

styleguide_example/authentication/apis.py

@@ -1,16 +1,21 @@
 from django.contrib.auth import authenticate, login, logout
+from django.conf import settings
 
 from rest_framework.views import APIView
 from rest_framework.response import Response
 from rest_framework import serializers
 from rest_framework import status
 
+from rest_framework_jwt.views import ObtainJSONWebTokenView
+
 from styleguide_example.api.mixins import ApiAuthMixin
 
+from styleguide_example.authentication.services import auth_logout
+
 from styleguide_example.users.selectors import user_get_login_data
 
 
-class UserLoginApi(APIView):
+class UserSessionLoginApi(APIView):
     """
     Following https://docs.djangoproject.com/en/3.1/topics/auth/default/#how-to-log-a-user-in
     """
@@ -22,12 +27,10 @@ def post(self, request):
         serializer = self.InputSerializer(data=request.data)
         serializer.is_valid(raise_exception=True)
 
-        print(request.user)
         user = authenticate(request, **serializer.validated_data)
-        print(user)
 
         if user is None:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
+            return Response(status=status.HTTP_400_BAD_REQUEST)
 
         login(request, user)
 
@@ -40,7 +43,7 @@ def post(self, request):
         })
 
 
-class UserLogoutApi(APIView):
+class UserSessionLogoutApi(APIView):
     def get(self, request):
         logout(request)
 
@@ -52,6 +55,30 @@ def post(self, request):
         return Response()
 
 
+class UserJwtLoginApi(ObtainJSONWebTokenView):
+    def post(self, request, *args, **kwargs):
+        # We are redefining post so we can change the response status on success
+        # Mostly for consistency with the session-based API
+        response = super().post(request, *args, **kwargs)
+
+        if response.status_code == status.HTTP_201_CREATED:
+            response.status_code = status.HTTP_200_OK
+
+        return response
+
+
+class UserJwtLogoutApi(ApiAuthMixin, APIView):
+    def post(self, request):
+        auth_logout(request.user)
+
+        response = Response()
+
+        if settings.JWT_AUTH['JWT_AUTH_COOKIE'] is not None:
+            response.delete_cookie(settings.JWT_AUTH['JWT_AUTH_COOKIE'])
+
+        return response
+
+
 class UserMeApi(ApiAuthMixin, APIView):
     def get(self, request):
         data = user_get_login_data(user=request.user)

styleguide_example/authentication/services.py

@@ -0,0 +1,22 @@
+import uuid
+
+from styleguide_example.users.models import BaseUser
+
+
+def auth_user_get_jwt_secret_key(user: BaseUser) -> str:
+    return str(user.jwt_key)
+
+
+def auth_jwt_response_payload_handler(token, user=None, request=None, issued_at=None):
+    """
+    Default implementation. Add whatever suits you here.
+    """
+    return {"token": token}
+
+
+def auth_logout(user: BaseUser) -> BaseUser:
+    user.jwt_key = uuid.uuid4()
+    user.full_clean()
+    user.save(update_fields=["jwt_key"])
+
+    return user