Stop deleting blacklist on user delete (#516)
* OutstandingToken user on_delete should be null

* Add test to verify that deleting a User doesn't remove tokens from the blacklist

This was a rather unexpected default behavior: deleting a User meant that
their blacklisted tokens became live again.

* Add migration for cascading User deletion to SET_NULL instead of DELETE

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

Co-authored-by: Andrew Chen Wang <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
3 people authored Jan 25, 2022
1 parent 3071865 commit 9014f14
Showing 3 changed files with 50 additions and 1 deletion.
@@ -0,0 +1,26 @@
# Generated by Django 3.2.10 on 2022-01-24 06:42

import django.db.models.deletion
from django.conf import settings
from django.db import migrations, models


class Migration(migrations.Migration):

dependencies = [
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
("token_blacklist", "0011_linearizes_history"),
]

operations = [
migrations.AlterField(
model_name="outstandingtoken",
name="user",
field=models.ForeignKey(
blank=True,
null=True,
on_delete=django.db.models.deletion.SET_NULL,
to=settings.AUTH_USER_MODEL,
),
),
]
2 changes: 1 addition & 1 deletion rest_framework_simplejwt/token_blacklist/models.py
@@ -5,7 +5,7 @@
class OutstandingToken(models.Model):
id = models.BigAutoField(primary_key=True, serialize=False)
user = models.ForeignKey(
settings.AUTH_USER_MODEL, on_delete=models.CASCADE, null=True, blank=True
settings.AUTH_USER_MODEL, on_delete=models.SET_NULL, null=True, blank=True
)

jti = models.CharField(unique=True, max_length=255)
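Review bot: The new `on_delete=models.SET_NULL` on the `user` field carries no comment saying why it departs from the CASCADE a reader would expect, and the reason — a deleted user's blacklisted refresh tokens must keep being rejected until they expire — is exactly what a later maintainer "tidying" this back to CASCADE would need to see. I would put above the field: `# SET_NULL, not CASCADE: OutstandingToken/BlacklistedToken rows must outlive the user so a deleted user's tokens stay blacklisted until they expire (#516).` Note that the accompanying migration only changes the constraint going forward; blacklist rows already removed by earlier cascading deletes cannot be recovered, so tokens of users deleted before this change remain unblocked until their own expiry, which is worth stating in the release notes. The rows left behind with `user=NULL` presumably rely on the existing expiry flush for cleanup — worth confirming. The `OutstandingToken` class continues outside the hunk.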
23 changes: 23 additions & 0 deletions tests/test_token_blacklist.py
@@ -172,6 +172,29 @@ def test_it_should_delete_any_expired_tokens(self):
[not_expired_2["jti"], not_expired_3["jti"]],
)

def test_token_blacklist_will_not_be_removed_on_User_delete(self):
token = RefreshToken.for_user(self.user)
outstanding_token = OutstandingToken.objects.first()

# Should raise no exception
RefreshToken(str(token))

# Add token to blacklist
BlacklistedToken.objects.create(token=outstanding_token)

with self.assertRaises(TokenError) as e:
# Should raise exception
RefreshToken(str(token))
self.assertIn("blacklisted", e.exception.args[0])

# Delete the User and try again
self.user.delete()

with self.assertRaises(TokenError) as e:
# Should raise exception
RefreshToken(str(token))
self.assertIn("blacklisted", e.exception.args[0])


class TestPopulateJtiHexMigration(MigrationTestCase):
migrate_from = ("token_blacklist", "0002_outstandingtoken_jti_hex")
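Review bot: The new test proves the token is still rejected after `self.user.delete()`, but it never asserts the schema contract the commit actually changes — that the `OutstandingToken` and `BlacklistedToken` rows survive with `user` set to NULL — so a future regression that rejected the token for some other reason (the message check only looks for the substring "blacklisted") would still pass. After the delete I would add `outstanding_token.refresh_from_db()` and `self.assertIsNone(outstanding_token.user)`, plus `self.assertTrue(BlacklistedToken.objects.filter(token=outstanding_token).exists())`. The lookup `OutstandingToken.objects.first()` also silently assumes the token just issued is the lowest-pk row; `OutstandingToken.objects.get(jti=token["jti"])` ties the fixture to the token under test regardless of what `setUp` may have created. The enclosing test class and its `setUp` (which defines `self.user`) start outside the hunk.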
