Verify Serializer Should Honour Blacklist

rest_framework_simplejwt/serializers.py

@@ -1,11 +1,15 @@
 from django.contrib.auth import authenticate
 from django.utils.translation import gettext_lazy as _
 from rest_framework import exceptions, serializers
+from rest_framework.exceptions import ValidationError
 
+from .exceptions import TokenError
 from .settings import api_settings
 from .state import User
 from .tokens import RefreshToken, SlidingToken, UntypedToken
 
+if api_settings.BLACKLIST_AFTER_ROTATION:
+    from .token_blacklist.models import BlacklistedToken
 
 class PasswordField(serializers.CharField):
     def __init__(self, *args, **kwargs):
@@ -139,6 +143,11 @@ class TokenVerifySerializer(serializers.Serializer):
     token = serializers.CharField()
 
     def validate(self, attrs):
-        UntypedToken(attrs['token'])
+        token = UntypedToken(attrs['token'])
+
+        if api_settings.BLACKLIST_AFTER_ROTATION:
+            jti = token.get(api_settings.JTI_CLAIM)
+            if BlacklistedToken.objects.filter(token__jti=jti).exists():
+                raise ValidationError("Token is blacklisted")
 
         return {}

tests/test_token_blacklist.py

@@ -5,6 +5,7 @@
 from django.test import TestCase
 
 from rest_framework_simplejwt.exceptions import TokenError
+from rest_framework_simplejwt.serializers import TokenVerifySerializer
 from rest_framework_simplejwt.settings import api_settings
 from rest_framework_simplejwt.token_blacklist.models import (
     BlacklistedToken, OutstandingToken,
@@ -14,7 +15,7 @@
 )
 from rest_framework_simplejwt.utils import aware_utcnow, datetime_from_epoch
 
-from .utils import MigrationTestCase
+from .utils import MigrationTestCase, override_api_settings
 
 
 class TestTokenBlacklist(TestCase):
@@ -190,3 +191,32 @@ def test_jti_field_should_contain_uuid_hex_strings(self):
         actual_hexes = [i.jti_hex for i in OutstandingToken.objects.all()]
 
         self.assertEqual(actual_hexes, self.expected_hexes)
+
+
+class TokenVerifySerializerShouldHonourBlacklist(MigrationTestCase):
+    migrate_from = ('token_blacklist', '0002_outstandingtoken_jti_hex')
+    migrate_to = ('token_blacklist', '0003_auto_20171017_2007')
+
+    def setUp(self):
+        self.user = User.objects.create(
+            username='test_user',
+            password='test_password',
+        )
+
+        super().setUp()
+
+    def test_token_verify_serializer_should_honour_blacklist_if_blacklisting_enabled(self):
+        with override_api_settings(BLACKLIST_AFTER_ROTATION=True):
+            refresh_token = RefreshToken.for_user(self.user)
+            refresh_token.blacklist()
+
+            serializer = TokenVerifySerializer(data={"token": str(refresh_token)})
+            self.assertFalse(serializer.is_valid())
+
+    def test_token_verify_serializer_should_not_honour_blacklist_if_blacklisting_not_enabled(self):
+        with override_api_settings(BLACKLIST_AFTER_ROTATION=False):
+            refresh_token = RefreshToken.for_user(self.user)
+            refresh_token.blacklist()
+
+            serializer = TokenVerifySerializer(data={"token": str(refresh_token)})
+            self.assertTrue(serializer.is_valid())