了解JWT并确认simplejwt在testcase中过期

2024-04-19 16:10:35 发布

您现在位置:Python中文网/ 问答频道 /正文
3053 3

我只是想理解djangorestframework-simplejwt过期,想知道当令牌过期时返回什么

为了探索这一点,我在django项目中编写了一个简单的测试用例,但我似乎无法让expire发生

视图.py

import json
from http import HTTPStatus

from django.http import JsonResponse
from rest_framework.decorators import api_view

from .models import Visitor


@api_view(["POST"])
def visitor_post(request):
    body_unicode = request.body.decode("utf-8")
    if not body_unicode.strip():
        return JsonResponse({"status": HTTPStatus.BAD_REQUEST}, status=HTTPStatus.BAD_REQUEST)

    body = json.loads(body_unicode)
    submitted_datetime = body["submitted_datetime"]

    visitor = Visitor(
        representative_name=body["representative_name"],
        visitor_type=body["visitor_type"],
        visitor_count=body["visitor_count"],
        submitted_datetime=submitted_datetime,
    )
    visitor.save()
    return JsonResponse({"status": HTTPStatus.CREATED}, status=HTTPStatus.CREATED)

目前我的测试用例如下:

测试.py

import datetime
import json
from time import sleep
from http import HTTPStatus
from typing import Optional, Tuple

from accounts.models import CustomUser
from django.urls import reverse
from django.utils import timezone
from django.test import override_settings
from rest_framework.test import APIClient, APITestCase


EXPIRE_WAIT_SECONDS = 5
SIMPLE_JWT_EXPIRE_TEST_SETTINGS = {
    "ACCESS_TOKEN_LIFETIME": datetime.timedelta(seconds=EXPIRE_WAIT_SECONDS),
    "REFRESH_TOKEN_LIFETIME": datetime.timedelta(days=14),
    "ROTATE_REFRESH_TOKENS": True,
    "BLACKLIST_AFTER_ROTATION": False,
    "ALGORITHM": "HS256",
    "SIGNING_KEY": 'kkdkasjf;a',
    "VERIFYING_KEY": None,
    "AUTH_HEADER_TYPES": ("JWT",),
    "USER_ID_FIELD": "id",
    "USER_ID_CLAIM": "user_id",
    "AUTH_TOKEN_CLASSES": ("rest_framework_simplejwt.tokens.AccessToken",),
    "TOKEN_TYPE_CLAIM": "token_type",
}


class ViewsTestCase(APITestCase):
    def setUp(self):
        self.valid_user = CustomUser(last_name="user", first_name="valid", username="validuser", email="validuser@email.com")
        self.valid_user_password = "mysecretpassword"
        self.valid_user.set_password(self.valid_user_password)
        self.valid_user.save()
        self.apiclient = APIClient()

    def _get_jwt_token(self, username: Optional[str] = None, password: Optional[str] = None) -> Tuple[str, str]:
        if not username:
            username = self.valid_user.username
        if not password:
            password = self.valid_user_password
        body = {"username": username, "password": password}
        url = reverse("token_obtain_pair")
        response = self.apiclient.post(url, data=body, format="json")
        self.assertEqual(response.status_code, 200)
        token_data = json.loads(response.content)
        return token_data["access"], token_data["refresh"]

    @override_settings(SIMPLE_JWT=SIMPLE_JWT_EXPIRE_TEST_SETTINGS)
    def test_visitor_post_token_expire(self):
        access_token, _ = self._get_jwt_token()

        now = timezone.now()
        data = {
            "representative_name": "Somename",
            "visitor_count": 1,
            "submitted_datetime": now.isoformat(),
        }
        sleep(EXPIRE_WAIT_SECONDS + 1)
        self.apiclient.credentials(HTTP_AUTHORIZATION=f"JWT {access_token}")
        url = "/visitors/"
        response = self.apiclient.post(url, data=data, format="json")
        self.assertEqual(response.status_code, HTTPStatus.UNAUTHORIZED)

我希望这会导致某种授权错误,比如401之类的错误,但它似乎仍然会创建受保护的视图

self.assertEqual(response.status_code, HTTPStatus.UNAUTHORIZED)AssertionError: 201 != HTTPStatus.UNAUTHORIZED: 401

为什么代币没有过期?或者,如何使令牌过期

也许我没有正确理解这一点

我的理解是,当ACCESS_TOKEN_LIFETIME过期时,您不能再使用access_token,需要使用refresh令牌获取新令牌。对吗


Tags: fromimportselftokenjsondatadatetimestatus
1条回答
网友
1楼 · 发布于 2024-04-19 16:10:35

插件必须在启动时进行设置并实例化其对象。在运行时,它不会再次读取设置,因此覆盖它们是无用的

正如您所做的,测试此功能的正确方法是使用separate设置模块进行测试,并将插件配置放在那里

相关问题 更多 >

    编程相关推荐