Skip to content

WIP: fix: allow JWT auth for views used in Authoring MFE #37093

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

WIP: fix: allow JWT auth for views used in Authoring MFE #37093

wants to merge 1 commit into from

Conversation

samuelallan72
Copy link

@samuelallan72 samuelallan72 commented Jul 31, 2025
edited
Loading

Description

Avoid authentication errors from MFEs (specifically the Authoring MFE here) in the case where the LMS is logged in, but Studio is not yet authenticated.

Fixes: #1080

TODO:

  • check for backwards incompatibilities
  • check for security issues (are the permissions the same, is it fine opening these endpoints up to jwt authentication?)
  • check for other endpoints that are used by the Authoring MFE that could be updated
  • add/update tests

Supporting information

Private-ref: https://tasks.opencraft.com/browse/BB-9549

Testing instructions

  1. Log in to the LMS as an admin.
  2. Navigate to a course, and open the course in Studio, and navigate to the course outline page. Ensure you're on this Authoring MFE, not the Studio views.
  3. Copy or bookmark the direct url to the course outline in Authoring.
  4. Log out of the LMS.
  5. Log back in to the LMS. Do not visit Studio / CMS. (This results in you being logged in to the LMS, but not directly logged into the CMS; this CMS login only happens on first visit to a CMS web page where you are redirected through the lms oauth process)
  6. Directly navigate to the Authoring url from step 3. You may notice the page redirect briefly; this is expected, as it's logging you in to the CMS.
  7. Try to perform one of the following actions: click the "New unit" button, click the "New subsection" button, click the "New section" button.
  8. Verify the action succeeds.
  9. Reload the page.
  10. Verify the page loads successfully.
  11. Try to perform one of the actions (New unit/subsection/section) again.
  12. Verify the action succeeds.

Other information

See also openedx/frontend-app-authoring#1080 (comment) and openedx/frontend-app-authoring#2335 . There may be alternate or better methods of implementing this.

@openedx-webhooks openedx-webhooks added the open-source-contribution PR author is not from Axim or 2U label Jul 31, 2025
@openedx-webhooks
Copy link

Thanks for the pull request, @samuelallan72!

This repository is currently maintained by @openedx/wg-maintenance-edx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

🔘 Update the status of your PR

Your PR is currently marked as a draft. After completing the steps above, update its status by clicking "Ready for Review", or removing "WIP" from the title, as appropriate.

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

@github-project-automation github-project-automation bot moved this to Needs Triage in Contributions Jul 31, 2025
@samuelallan72 samuelallan72 mentioned this pull request Jul 31, 2025
Open
samuelallan72
samuelallan72 commented Jul 31, 2025
View reviewed changes
cms/djangoapps/contentstore/views/block.py
@require_http_methods(("DELETE", "GET", "PUT", "POST", "PATCH"))
@login_required
# @require_http_methods(("DELETE", "GET", "PUT", "POST", "PATCH"))
@view_auth_classes()
@expect_json
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like we can drop the expect_json decorator here, as django_rest_framework should handle json gracefully. Not sure if we can/should force json-only - I think django_rest_framework will also accept and parse form encoded data too.

samuelallan72
samuelallan72 commented Jul 31, 2025
View reviewed changes
cms/djangoapps/contentstore/views/block.py
@expect_json
@api_view(http_method_names=["DELETE", "GET", "PUT", "POST", "PATCH"])
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure yet if the api_view decorator makes any changes that would subtly break any assumptions of normal django request handlers (eg. with error handling). Also not sure if we should use the function based decorator here, or go for a class based API view - similar to https://github.com/samuelallan72/edx-platform/blob/efc77256a832e464f6aba3e3a7bef9de1702a539/openedx/core/djangoapps/content_libraries/rest_api/blocks.py#L430-L440 (this code was written in #35765 as part of an API conversion to fix a similar issue)

samuelallan72
samuelallan72 commented Jul 31, 2025
View reviewed changes
cms/djangoapps/contentstore/views/block.py
Comment on lines 88 to 91
@transaction.non_atomic_requests
@require_http_methods(("DELETE", "GET", "PUT", "POST", "PATCH"))
@login_required
# @require_http_methods(("DELETE", "GET", "PUT", "POST", "PATCH"))
@view_auth_classes()
@expect_json
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the existing decorators, I'm not sure yet if they are fully compatible with the DRF api_view, or if any particular order is required. For example, I discovered that here expect_json must be before api_view, otherwise the request crashes with an error about reading the request body more than once.

@mphilbrick211 mphilbrick211 moved this from Needs Triage to Waiting on Author in Contributions Aug 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
open-source-contribution PR author is not from Axim or 2U
Projects
Contributions
Status: Waiting on Author
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CORS errors when entering directly MFE host through the browser and not by redirections
2 participants
@samuelallan72 @openedx-webhooks