Merge pull request #302 from eadwinCode/ninja_145_upgrade

fix: Refactored CSRF And Upgraded To Ninja v1.4.5

Author: eadwinCode

ninja_extra/__init__.py

@@ -1,6 +1,6 @@
 """Django Ninja Extra - Class Based Utility and more for Django Ninja(Fast Django REST framework)"""
 
-__version__ = "0.30.1"
+__version__ = "0.30.2"
 
 import django
 

ninja_extra/controllers/__init__.py

@@ -12,7 +12,6 @@
     ModelService,
     ModelServiceBase,
 )
-from .response import Detail, Id, Ok
 from .route import (
     Route,
     RouteInvalidParameterException,
@@ -40,9 +39,6 @@
     "AsyncRouteFunction",
     "RouteFunction",
     "Route",
-    "Ok",
-    "Id",
-    "Detail",
     "ModelControllerBase",
     "ModelConfig",
     "ModelService",

ninja_extra/controllers/base.py

@@ -39,7 +39,7 @@
 
 from ninja_extra.constants import ROUTE_FUNCTION, THROTTLED_FUNCTION, THROTTLED_OBJECTS
 from ninja_extra.context import RouteContext
-from ninja_extra.exceptions import APIException, NotFound, PermissionDenied, bad_request
+from ninja_extra.exceptions import APIException, NotFound, PermissionDenied
 from ninja_extra.helper import get_function_name
 from ninja_extra.operation import Operation, PathView
 from ninja_extra.permissions import (
@@ -58,7 +58,6 @@
 
 from .model import ModelConfig, ModelControllerBuilder, ModelService
 from .registry import ControllerRegistry
-from .response import Detail, Id, Ok
 from .route.route_functions import AsyncRouteFunction, RouteFunction
 
 if TYPE_CHECKING:  # pragma: no cover
@@ -151,11 +150,6 @@ def some_method_name(self):
     throttling_classes: List[Type["BaseThrottle"]] = []
     throttling_init_kwargs: Optional[Dict[Any, Any]] = None
 
-    Ok = Ok  # TODO: remove soonest
-    Id = Id  # TODO: remove soonest
-    Detail = Detail  # TODO: remove soonest
-    bad_request = bad_request  # TODO: remove soonest
-
     @classmethod
     def get_api_controller(cls) -> "APIController":
         if not cls._api_controller:
@@ -520,8 +514,6 @@ def __call__(self, cls: ControllerClassType) -> ControllerClassType:
                         DeprecationWarning,
                         stacklevel=2,
                     )
-                # if not hasattr(cls, "service"):
-                #     cls.service = ModelService(cls.model_config.model)
 
         compute_api_route_function(cls, self)
 

ninja_extra/controllers/response.py

@@ -1,3 +1,4 @@
+import warnings
 from importlib import import_module
 from typing import (
     Any,
@@ -56,14 +57,25 @@ def __init__(
         app_name: str = "ninja",
         **kwargs: Any,
     ) -> None:
+        # add a warning if there csrf is True
+        if csrf:
+            (
+                warnings.warn(
+                    (
+                        "CSRF is deprecated and will be removed in a future version"
+                        "see https://django-ninja.dev/reference/csrf for more details."
+                    ),
+                    DeprecationWarning,
+                    stacklevel=2,
+                ),
+            )
         super(NinjaExtraAPI, self).__init__(
             title=title,
             version=version,
             description=description,
             openapi_url=openapi_url,
             docs_url=docs_url,
             urls_namespace=urls_namespace,
-            csrf=csrf,
             auth=auth,
             renderer=renderer,
             parser=parser,

ninja_extra/main.py

@@ -20,7 +20,6 @@
 from django.http.response import HttpResponse, HttpResponseBase
 from django.utils.encoding import force_str
 from ninja.constants import NOT_SET, NOT_SET_TYPE
-from ninja.errors import AuthenticationError
 from ninja.operation import (
     AsyncOperation as NinjaAsyncOperation,
 )
@@ -33,7 +32,6 @@
 from ninja.signature import is_async
 from ninja.throttling import BaseThrottle
 from ninja.types import TCallable
-from ninja.utils import check_csrf
 
 from ninja_extra.compatible import asynccontextmanager
 from ninja_extra.constants import ROUTE_CONTEXT_VAR
@@ -255,45 +253,6 @@ def __init__(self, *args: Any, **kwargs: Any) -> None:
             sync_to_async(super()._result_to_response),
         )
 
-    async def _run_checks(self, request: HttpRequest) -> Optional[HttpResponse]:  # type: ignore
-        """Runs security checks for each operation"""
-        # csrf:
-        if self.api.csrf:
-            error = check_csrf(request, self.view_func)
-            if error:
-                return error
-
-        # auth:
-        if self.auth_callbacks:
-            error = await self._run_authentication(request)  # type: ignore[assignment]
-            if error:
-                return error
-
-        # Throttling:
-        if self.throttle_objects:
-            error = self._check_throttles(request)  # type: ignore
-            if error:
-                return error
-
-        return None
-
-    async def _run_authentication(self, request: HttpRequest) -> Optional[HttpResponse]:  # type: ignore
-        for callback in self.auth_callbacks:
-            try:
-                is_coroutine = getattr(callback, "is_coroutine", False)
-                if is_coroutine:
-                    result = await callback(request)
-                else:
-                    result = callback(request)
-            except Exception as exc:
-                return self.api.on_exception(request, exc)
-
-            if result:
-                request.auth = result  # type: ignore
-                return None
-
-        return self.api.on_exception(request, AuthenticationError())
-
     @asynccontextmanager
     async def _prep_run(  # type:ignore
         self, request: HttpRequest, **kw: Any

ninja_extra/operation.py

@@ -42,7 +42,7 @@ classifiers = [
 
 requires = [
     "Django >= 2.2",
-    "django-ninja == 1.4.3",
+    "django-ninja == 1.4.5",
     "injector >= 0.19.0",
     "asgiref",
     "contextlib2"

pyproject.toml

@@ -82,72 +82,29 @@ def _build_request(self, *args, **kwargs):
             return request
 
     csrf_OFF = NinjaExtraAPI(urls_namespace="csrf_OFF")
-    csrf_ON = NinjaExtraAPI(urls_namespace="csrf_ON", csrf=True)
 
     @csrf_OFF.post("/post")
     async def post_off(request):
         return {"success": True}
 
-    @csrf_ON.post("/post")
-    async def post_on(request):
-        return {"success": True}
-
-    @csrf_ON.post("/post-async-sync-auth", auth=SyncKeyCookie())
-    async def auth_with_sync_auth(request):
-        return {"success": True}
-
     TOKEN = "1bcdefghij2bcdefghij3bcdefghij4bcdefghij5bcdefghij6bcdefghijABCD"
     COOKIES = {settings.CSRF_COOKIE_NAME: TOKEN}
 
-    @pytest.mark.asyncio
-    async def test_auth_with_sync_auth_fails():
-        async_client = TestAsyncClient(csrf_ON)
-        res = await async_client.post("/post-async-sync-auth")
-        assert res.status_code == 401
-        assert res.json() == {"detail": "Authentication credentials were not provided."}
-
-    @pytest.mark.asyncio
-    async def test_auth_with_sync_auth_works():
-        async_client = TestAsyncClient(csrf_ON)
-        res = await async_client.post(
-            "/post-async-sync-auth", COOKIES={"key": "keycookiersecret"}
-        )
-        assert res.status_code == 200
-        assert res.json() == {"success": True}
-
     @pytest.mark.asyncio
     async def test_csrf_off():
         async_client = TestAsyncCSRFClient(csrf_OFF)
         res = await async_client.post("/post", COOKIES=COOKIES)
         assert res.status_code == 200
 
-    @pytest.mark.asyncio
-    async def test_csrf_on():
-        async_client = TestAsyncCSRFClient(csrf_ON)
-        res = await async_client.post("/post", COOKIES=COOKIES)
-        assert res.status_code == 403
-
-        # check with token in formdata
-        response = await async_client.post(
-            "/post", {"csrfmiddlewaretoken": TOKEN}, COOKIES=COOKIES
-        )
-        assert response.status_code == 200
-
-        # check with headers
-        response = await async_client.post(
-            "/post", COOKIES=COOKIES, headers={"X-CSRFTOKEN": TOKEN}
-        )
-        assert response.status_code == 200
-
 
 if not django.VERSION < (3, 1):
-    api = NinjaExtraAPI(csrf=True, urls_namespace="async_auth")
+    api = NinjaExtraAPI(urls_namespace="async_auth")
 
     for path, auth in [
         ("callable", callable_auth),
         ("apikeyquery", KeyQuery()),
         ("apikeyheader", KeyHeader()),
-        ("apikeycookie", KeyCookie()),
+        ("apikeycookie", KeyCookie(csrf=True)),
         ("basic", BasicAuth()),
         ("bearer", BearerAuth()),
     ]: