Change authorization Bearer prefix for JWT

jpadilla · jpadilla · commit 0bc4a9393173 · 2014-01-22T15:47:02.000-04:00
This changes the prefix for the HTTP Authorization
header from Bearer to JWT to avoid conflicts with
django-oauth2-provider.
diff --git a/rest_framework_jwt/authentication.py b/rest_framework_jwt/authentication.py
@@ -21,9 +21,9 @@ class JSONWebTokenAuthentication(BaseAuthentication):
     Token based authentication using the JSON Web Token standard.
 
     Clients should authenticate by passing the token key in the "Authorization"
-    HTTP header, prepended with the string "Bearer ".  For example:
+    HTTP header, prepended with the string "JWT ".  For example:
 
-        Authorization: Bearer eyJhbGciOiAiSFMyNTYiLCAidHlwIj
+        Authorization: JWT eyJhbGciOiAiSFMyNTYiLCAidHlwIj
     """
     www_authenticate_realm = 'api'
 
@@ -34,14 +34,14 @@ def authenticate(self, request):
         """
         auth = get_authorization_header(request).split()
 
-        if not auth or auth[0].lower() != b'bearer':
+        if not auth or auth[0].lower() != b'jwt':
             return None
 
         if len(auth) == 1:
-            msg = 'Invalid bearer header. No credentials provided.'
+            msg = 'Invalid JWT header. No credentials provided.'
             raise exceptions.AuthenticationFailed(msg)
         elif len(auth) > 2:
-            msg = ('Invalid bearer header. Credentials string '
+            msg = ('Invalid JWT header. Credentials string '
                    'should not contain spaces.')
             raise exceptions.AuthenticationFailed(msg)
 
@@ -78,4 +78,4 @@ def authenticate_header(self, request):
         header in a `401 Unauthenticated` response, or `None` if the
         authentication scheme should return `403 Permission Denied` responses.
         """
-        return 'Bearer realm="{0}"'.format(self.www_authenticate_realm)
+        return 'JWT realm="{0}"'.format(self.www_authenticate_realm)
diff --git a/rest_framework_jwt/tests/test_authentication.py b/rest_framework_jwt/tests/test_authentication.py
@@ -14,6 +14,8 @@
 from rest_framework_jwt.authentication import JSONWebTokenAuthentication
 
 
+DJANGO_OAUTH2_PROVIDER_NOT_INSTALLED = 'django-oauth2-provider not installed'
+
 factory = APIRequestFactory()
 
 
@@ -31,10 +33,14 @@ def post(self, request):
     '',
     (r'^jwt/$', MockView.as_view(
      authentication_classes=[JSONWebTokenAuthentication])),
+
     (r'^jwt-oauth2/$', MockView.as_view(
-     authentication_classes=[JSONWebTokenAuthentication, OAuth2Authentication])),
+        authentication_classes=[
+            JSONWebTokenAuthentication, OAuth2Authentication])),
+
     (r'^oauth2-jwt/$', MockView.as_view(
-     authentication_classes=[OAuth2Authentication, JSONWebTokenAuthentication])),
+        authentication_classes=[
+            OAuth2Authentication, JSONWebTokenAuthentication])),
 )
 
 
@@ -56,7 +62,7 @@ def test_post_form_passing_jwt_auth(self):
         payload = utils.jwt_payload_handler(self.user)
         token = utils.jwt_encode_handler(payload)
 
-        auth = 'Bearer {0}'.format(token)
+        auth = 'JWT {0}'.format(token)
         response = self.csrf_client.post(
             '/jwt/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
 
@@ -70,7 +76,7 @@ def test_post_json_passing_jwt_auth(self):
         payload = utils.jwt_payload_handler(self.user)
         token = utils.jwt_encode_handler(payload)
 
-        auth = 'Bearer {0}'.format(token)
+        auth = 'JWT {0}'.format(token)
         response = self.csrf_client.post(
             '/jwt/', {'example': 'example'},
             HTTP_AUTHORIZATION=auth, format='json')
@@ -91,38 +97,38 @@ def test_post_json_failing_jwt_auth(self):
         response = self.csrf_client.post('/jwt/', {'example': 'example'},
                                          format='json')
         self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
-        self.assertEqual(response['WWW-Authenticate'], 'Bearer realm="api"')
+        self.assertEqual(response['WWW-Authenticate'], 'JWT realm="api"')
 
-    def test_post_no_bearer_failing_jwt_auth(self):
+    def test_post_no_jwt_header_failing_jwt_auth(self):
         """
         Ensure POSTing over JWT auth without credentials fails
         """
-        auth = 'Bearer'
+        auth = 'JWT'
         response = self.csrf_client.post(
             '/jwt/', {'example': 'example'},
             HTTP_AUTHORIZATION=auth, format='json')
 
-        msg = 'Invalid bearer header. No credentials provided.'
+        msg = 'Invalid JWT header. No credentials provided.'
 
         self.assertEqual(response.data['detail'], msg)
         self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
-        self.assertEqual(response['WWW-Authenticate'], 'Bearer realm="api"')
+        self.assertEqual(response['WWW-Authenticate'], 'JWT realm="api"')
 
-    def test_post_invalid_bearer_failing_jwt_auth(self):
+    def test_post_invalid_jwt_header_failing_jwt_auth(self):
         """
         Ensure POSTing over JWT auth without correct credentials fails
         """
-        auth = 'Bearer abc abc'
+        auth = 'JWT abc abc'
         response = self.csrf_client.post(
             '/jwt/', {'example': 'example'},
             HTTP_AUTHORIZATION=auth, format='json')
 
-        msg = ('Invalid bearer header. Credentials string '
+        msg = ('Invalid JWT header. Credentials string '
                'should not contain spaces.')
 
         self.assertEqual(response.data['detail'], msg)
         self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
-        self.assertEqual(response['WWW-Authenticate'], 'Bearer realm="api"')
+        self.assertEqual(response['WWW-Authenticate'], 'JWT realm="api"')
 
     def test_post_expired_token_failing_jwt_auth(self):
         """
@@ -132,7 +138,7 @@ def test_post_expired_token_failing_jwt_auth(self):
         payload['exp'] = 1
         token = utils.jwt_encode_handler(payload)
 
-        auth = 'Bearer {0}'.format(token)
+        auth = 'JWT {0}'.format(token)
         response = self.csrf_client.post(
             '/jwt/', {'example': 'example'},
             HTTP_AUTHORIZATION=auth, format='json')
@@ -141,13 +147,13 @@ def test_post_expired_token_failing_jwt_auth(self):
 
         self.assertEqual(response.data['detail'], msg)
         self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
-        self.assertEqual(response['WWW-Authenticate'], 'Bearer realm="api"')
+        self.assertEqual(response['WWW-Authenticate'], 'JWT realm="api"')
 
     def test_post_invalid_token_failing_jwt_auth(self):
         """
         Ensure POSTing over JWT auth with invalid token fails
         """
-        auth = 'Bearer abc123'
+        auth = 'JWT abc123'
         response = self.csrf_client.post(
             '/jwt/', {'example': 'example'},
             HTTP_AUTHORIZATION=auth, format='json')
@@ -156,9 +162,9 @@ def test_post_invalid_token_failing_jwt_auth(self):
 
         self.assertEqual(response.data['detail'], msg)
         self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
-        self.assertEqual(response['WWW-Authenticate'], 'Bearer realm="api"')
+        self.assertEqual(response['WWW-Authenticate'], 'JWT realm="api"')
 
-    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    @unittest.skipUnless(oauth2_provider, DJANGO_OAUTH2_PROVIDER_NOT_INSTALLED)
     def test_post_passing_jwt_auth_with_oauth2_priority(self):
         """
         Ensure POSTing over JWT auth with correct credentials
@@ -168,14 +174,14 @@ def test_post_passing_jwt_auth_with_oauth2_priority(self):
         payload = utils.jwt_payload_handler(self.user)
         token = utils.jwt_encode_handler(payload)
 
-        auth = 'Bearer {0}'.format(token)
+        auth = 'JWT {0}'.format(token)
         response = self.csrf_client.post(
             '/oauth2-jwt/', {'example': 'example'},
             HTTP_AUTHORIZATION=auth, format='json')
 
         self.assertEqual(response.status_code, status.HTTP_200_OK, response)
 
-    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    @unittest.skipUnless(oauth2_provider, DJANGO_OAUTH2_PROVIDER_NOT_INSTALLED)
     def test_post_passing_oauth2_with_jwt_auth_priority(self):
         """
         Ensure POSTing over OAuth2 with correct credentials
