fix: Avoid DoesNotExist exception in TokenRefreshSerializer (#861)

yuekui · web-flow · commit 930cf85c8333 · 2025-08-18T00:47:28.000-04:00
* Check user before passing it to the rule
* Use `Optional` in the type annotation for the default user authentication rule since the user can be `None`
diff --git a/rest_framework_simplejwt/authentication.py b/rest_framework_simplejwt/authentication.py
@@ -171,7 +171,7 @@ def get_user(self, validated_token: Token) -> AuthUser:
 JWTTokenUserAuthentication = JWTStatelessUserAuthentication
 
 
-def default_user_authentication_rule(user: AuthUser) -> bool:
+def default_user_authentication_rule(user: Optional[AuthUser]) -> bool:
     # Prior to Django 1.10, inactive users could be authenticated with the
     # default `ModelBackend`.  As of Django 1.10, the `ModelBackend`
     # prevents inactive users from authenticating.  App designers can still
diff --git a/rest_framework_simplejwt/serializers.py b/rest_framework_simplejwt/serializers.py
@@ -112,12 +112,13 @@ def validate(self, attrs: dict[str, Any]) -> dict[str, str]:
         refresh = self.token_class(attrs["refresh"])
 
         user_id = refresh.payload.get(api_settings.USER_ID_CLAIM, None)
-        if user_id and (
-            user := get_user_model().objects.get(
-                **{api_settings.USER_ID_FIELD: user_id}
+        if user_id:
+            user = (
+                get_user_model()
+                .objects.filter(**{api_settings.USER_ID_FIELD: user_id})
+                .first()
             )
-        ):
-            if not api_settings.USER_AUTHENTICATION_RULE(user):
+            if not user or not api_settings.USER_AUTHENTICATION_RULE(user):
                 raise AuthenticationFailed(
                     self.error_messages["no_active_account"],
                     "no_active_account",
diff --git a/tests/test_serializers.py b/tests/test_serializers.py
@@ -4,7 +4,6 @@
 
 from django.conf import settings
 from django.contrib.auth import get_user_model
-from django.core import exceptions as django_exceptions
 from django.test import TestCase, override_settings
 from rest_framework import exceptions as drf_exceptions
 
@@ -286,10 +285,10 @@ def test_it_should_raise_error_for_deleted_users(self):
 
         s = TokenRefreshSerializer(data={"refresh": str(refresh)})
 
-        with self.assertRaises(django_exceptions.ObjectDoesNotExist) as e:
+        with self.assertRaises(drf_exceptions.AuthenticationFailed) as e:
             s.is_valid()
 
-        self.assertIn("does not exist", str(e.exception))
+        self.assertIn("No active account", str(e.exception))
 
     def test_it_should_raise_error_for_inactive_users(self):
         refresh = RefreshToken.for_user(self.user)
