models pk instead of models id (#1446)

* use user.pk instead of user.id which allows for a custom model to have a different PK.


---------

Co-authored-by: Alan Crosswell <[email protected]>

Author: sahama

AUTHORS

@@ -104,6 +104,7 @@ Rustem Saiargaliev
 Sandro Rodrigues
 Shaheed Haque
 Shaun Stanworth
+Sayyid Hamid Mahdavi
 Silvano Cerza
 Sora Yanai
 Sören Wegener

CHANGELOG.md

@@ -20,8 +20,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * #1404 Add a new setting `REFRESH_TOKEN_REUSE_PROTECTION`
 ### Changed
 * Update token to TextField from CharField with 255 character limit and SHA-256 checksum in AbstractAccessToken model. Removing the 255 character limit enables supporting JWT tokens with additional claims
-
 * Update middleware, validators, and views to use token checksums instead of token for token retrieval and validation.
+* #1446 use generic models pk instead of id.
+
 ### Deprecated
 ### Removed
 * #1425 Remove deprecated `RedirectURIValidator`, `WildcardSet` per #1345; `validate_logout_request` per #1274

oauth2_provider/admin.py

@@ -19,7 +19,7 @@
 
 
 class ApplicationAdmin(admin.ModelAdmin):
-    list_display = ("id", "name", "user", "client_type", "authorization_grant_type")
+    list_display = ("pk", "name", "user", "client_type", "authorization_grant_type")
     list_filter = ("client_type", "authorization_grant_type", "skip_authorization")
     radio_fields = {
         "client_type": admin.HORIZONTAL,

oauth2_provider/models.py

@@ -244,7 +244,7 @@ def clean(self):
                 raise ValidationError(_("You cannot use HS256 with public grants or clients"))
 
     def get_absolute_url(self):
-        return reverse("oauth2_provider:detail", args=[str(self.id)])
+        return reverse("oauth2_provider:detail", args=[str(self.pk)])
 
     def get_allowed_schemes(self):
         """
@@ -520,7 +520,7 @@ def revoke(self):
             self = list(token)[0]
 
             try:
-                access_token_model.objects.get(id=self.access_token_id).revoke()
+                access_token_model.objects.get(pk=self.access_token_id).revoke()
             except access_token_model.DoesNotExist:
                 pass
             self.access_token = None

oauth2_provider/oauth2_validators.py

@@ -622,7 +622,7 @@ def save_bearer_token(self, token, request, *args, **kwargs):
                     # from the db while acquiring a lock on it
                     # We also put it in the "request cache"
                     refresh_token_instance = RefreshToken.objects.select_for_update().get(
-                        id=refresh_token_instance.id
+                        pk=refresh_token_instance.pk
                     )
                     request.refresh_token_instance = refresh_token_instance
 
@@ -756,7 +756,7 @@ def get_original_scopes(self, refresh_token, request, *args, **kwargs):
         rt = request.refresh_token_instance
         if not rt.access_token_id:
             try:
-                return AccessToken.objects.get(source_refresh_token_id=rt.id).scope
+                return AccessToken.objects.get(source_refresh_token_id=rt.pk).scope
             except AccessToken.DoesNotExist:
                 return []
         return rt.access_token.scope
@@ -810,9 +810,9 @@ def get_jwt_bearer_token(self, token, token_handler, request):
 
     def get_claim_dict(self, request):
         if self._get_additional_claims_is_request_agnostic():
-            claims = {"sub": lambda r: str(r.user.id)}
+            claims = {"sub": lambda r: str(r.user.pk)}
         else:
-            claims = {"sub": str(request.user.id)}
+            claims = {"sub": str(request.user.pk)}
 
         # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
         if self._get_additional_claims_is_request_agnostic():

oauth2_provider/templates/oauth2_provider/application_detail.html

@@ -49,8 +49,8 @@ <h3 class="block-center-heading">{{ application.name }}</h3>
 
         <div class="btn-toolbar">
             <a class="btn" href="{% url "oauth2_provider:list" %}">{% trans "Go Back" %}</a>
-            <a class="btn btn-primary" href="{% url "oauth2_provider:update" application.id %}">{% trans "Edit" %}</a>
-            <a class="btn btn-danger" href="{% url "oauth2_provider:delete" application.id %}">{% trans "Delete" %}</a>
+            <a class="btn btn-primary" href="{% url "oauth2_provider:update" application.pk %}">{% trans "Edit" %}</a>
+            <a class="btn btn-danger" href="{% url "oauth2_provider:delete" application.pk %}">{% trans "Delete" %}</a>
         </div>
     </div>
 {% endblock content %}

oauth2_provider/templates/oauth2_provider/application_form.html

@@ -3,7 +3,7 @@
 {% load i18n %}
 {% block content %}
     <div class="block-center">
-        <form class="form-horizontal" method="post" action="{% block app-form-action-url %}{% url 'oauth2_provider:update' application.id %}{% endblock app-form-action-url %}">
+        <form class="form-horizontal" method="post" action="{% block app-form-action-url %}{% url 'oauth2_provider:update' application.pk %}{% endblock app-form-action-url %}">
             <h3 class="block-center-heading">
                 {% block app-form-title %}
                     {% trans "Edit application" %} {{ application.name }}
@@ -31,7 +31,7 @@ <h3 class="block-center-heading">
 
             <div class="control-group">
                 <div class="controls">
-                    <a class="btn" href="{% block app-form-back-url %}{% url "oauth2_provider:detail" application.id %}{% endblock app-form-back-url %}">
+                    <a class="btn" href="{% block app-form-back-url %}{% url "oauth2_provider:detail" application.pk %}{% endblock app-form-back-url %}">
                         {% trans "Go Back" %}
                     </a>
                     <button type="submit" class="btn btn-primary">{% trans "Save" %}</button>

oauth2_provider/templates/oauth2_provider/application_list.html

@@ -7,7 +7,7 @@ <h3 class="block-center-heading">{% trans "Your applications" %}</h3>
         {% if applications %}
             <ul>
                 {% for application in applications %}
-                    <li><a href="{{ application.get_absolute_url }}">{{ application.name }}</a></li>
+                    <li><a href="{% url "oauth2_provider:detail" application.pk %}">{{ application.name }}</a></li>
                 {% endfor %}
             </ul>
 

tests/test_token_revocation.py

@@ -53,7 +53,7 @@ def test_revoke_access_token(self):
         response = self.client.post(url, data=data)
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.content, b"")
-        self.assertFalse(AccessToken.objects.filter(id=tok.id).exists())
+        self.assertFalse(AccessToken.objects.filter(pk=tok.pk).exists())
 
     def test_revoke_access_token_public(self):
         public_app = Application(
@@ -101,7 +101,7 @@ def test_revoke_access_token_with_hint(self):
         url = reverse("oauth2_provider:revoke-token")
         response = self.client.post(url, data=data)
         self.assertEqual(response.status_code, 200)
-        self.assertFalse(AccessToken.objects.filter(id=tok.id).exists())
+        self.assertFalse(AccessToken.objects.filter(pk=tok.pk).exists())
 
     def test_revoke_access_token_with_invalid_hint(self):
         tok = AccessToken.objects.create(
@@ -123,7 +123,7 @@ def test_revoke_access_token_with_invalid_hint(self):
         url = reverse("oauth2_provider:revoke-token")
         response = self.client.post(url, data=data)
         self.assertEqual(response.status_code, 200)
-        self.assertFalse(AccessToken.objects.filter(id=tok.id).exists())
+        self.assertFalse(AccessToken.objects.filter(pk=tok.pk).exists())
 
     def test_revoke_refresh_token(self):
         tok = AccessToken.objects.create(
@@ -146,9 +146,9 @@ def test_revoke_refresh_token(self):
         url = reverse("oauth2_provider:revoke-token")
         response = self.client.post(url, data=data)
         self.assertEqual(response.status_code, 200)
-        refresh_token = RefreshToken.objects.filter(id=rtok.id).first()
+        refresh_token = RefreshToken.objects.filter(pk=rtok.pk).first()
         self.assertIsNotNone(refresh_token.revoked)
-        self.assertFalse(AccessToken.objects.filter(id=rtok.access_token.id).exists())
+        self.assertFalse(AccessToken.objects.filter(pk=rtok.access_token.pk).exists())
 
     def test_revoke_refresh_token_with_revoked_access_token(self):
         tok = AccessToken.objects.create(
@@ -172,8 +172,8 @@ def test_revoke_refresh_token_with_revoked_access_token(self):
             response = self.client.post(url, data=data)
             self.assertEqual(response.status_code, 200)
 
-        self.assertFalse(AccessToken.objects.filter(id=tok.id).exists())
-        refresh_token = RefreshToken.objects.filter(id=rtok.id).first()
+        self.assertFalse(AccessToken.objects.filter(pk=tok.pk).exists())
+        refresh_token = RefreshToken.objects.filter(pk=rtok.pk).first()
         self.assertIsNotNone(refresh_token.revoked)
 
     def test_revoke_token_with_wrong_hint(self):
@@ -202,4 +202,4 @@ def test_revoke_token_with_wrong_hint(self):
         url = reverse("oauth2_provider:revoke-token")
         response = self.client.post(url, data=data)
         self.assertEqual(response.status_code, 200)
-        self.assertFalse(AccessToken.objects.filter(id=tok.id).exists())
+        self.assertFalse(AccessToken.objects.filter(pk=tok.pk).exists())