CODEWITHSUNDEEP
djangodjango-rest-frameworkdjango-authentication
user13492541
user13492541

Reputation:

Django RestFramework JWT Token: Get User DoesNotExist error

After a user is deleted, the tokens on the client side are still valid until the time has expired. The issue is django restframwework does not handle a request from a deleted user and causes a 500. How can I prevent this?

aceback (most recent call last):
  File "/lib/python3.6/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/lib/python3.6/site-packages/django/core/handlers/base.py", line 179, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/lib/python3.6/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/lib/python3.6/site-packages/django/views/generic/base.py", line 70, in view
    return self.dispatch(request, *args, **kwargs)
  File "/lib/python3.6/site-packages/rest_framework/views.py", line 505, in dispatch
    response = self.handle_exception(exc)
  File "/lib/python3.6/site-packages/rest_framework/views.py", line 465, in handle_exception
    self.raise_uncaught_exception(exc)
  File "/lib/python3.6/site-packages/rest_framework/views.py", line 476, in raise_uncaught_exception
    raise exc
  File "/lib/python3.6/site-packages/rest_framework/views.py", line 493, in dispatch
    self.initial(request, *args, **kwargs)
  File "/lib/python3.6/site-packages/rest_framework/views.py", line 410, in initial
    self.perform_authentication(request)
  File "/lib/python3.6/site-packages/rest_framework/views.py", line 324, in perform_authentication
    request.user
  File "/lib/python3.6/site-packages/rest_framework/request.py", line 220, in user
    self._authenticate()
  File "/lib/python3.6/site-packages/rest_framework/request.py", line 373, in _authenticate
    user_auth_tuple = authenticator.authenticate(self)
  File "/lib/python3.6/site-packages/rest_framework_jwt/authentication.py", line 33, in authenticate
    payload = jwt_decode_handler(jwt_value)
  File "/lib/python3.6/site-packages/rest_framework_jwt/utils.py", line 105, in jwt_decode_handler
    secret_key = jwt_get_secret_key(unverified_payload)
  File "/lib/python3.6/site-packages/rest_framework_jwt/utils.py", line 26, in jwt_get_secret_key
    user = User.objects.get(pk=payload.get('user_id'))
  File "/lib/python3.6/site-packages/django/db/models/manager.py", line 85, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "/lib/python3.6/site-packages/django/db/models/query.py", line 431, in get
    self.model._meta.object_name

Upvotes: 0

Views: 501

Answers (2)

user13492541
user13492541

Reputation:

The suggestion by Druhn Bala works but would return a 404 error which isn't ideal for my use case. Instead I came up with one that returns a custom response. ValidationError from rest_framework.exceptions allows you to send a 400 error with a custom response.

def jwt_decode_handler(token):
    options = {
        'verify_exp': api_settings.JWT_VERIFY_EXPIRATION,
    }
    # get user from token, BEFORE verification, to get user secret key
    try:
        unverified_user = jwt.decode(token, None, False)
    except User.DoesNotExist:
        raise ValidationError({"errors": ['Oops! Something went wrong, please logout and login back in!']})

        secret_key = unverified_user.securitysettings.jwt_secret #my custom way of storing a unique jwt uuid per user. 
    return jwt.decode(
        token,
        api_settings.JWT_PUBLIC_KEY or secret_key,
        api_settings.JWT_VERIFY,
        options=options,
        leeway=api_settings.JWT_LEEWAY,
        audience=api_settings.JWT_AUDIENCE,
        issuer=api_settings.JWT_ISSUER,
        algorithms=[api_settings.JWT_ALGORITHM]
    )

Lastly we set the custom decode handler as the default in settings.py.

JWT_AUTH = {
    'JWT_DECODE_HANDLER':
    'registration.decoder.jwt_decode_handler',
    ...
}

Upvotes: 0

Druhin Bala
Druhin Bala

Reputation: 832

From the JWT token, you are decoding it to get the user_id - payload['user_id']. The error is happening because of User.objects.get(pk=payload.get('user_id')).

Instead of doing a get, you could use a get_object_or_404. Use it like so:

from django.shortcuts import get_object_or_404

payload = jwt_decode_handler(jwt_value)
user = get_object_or_404 (User, pk=payload.get('user_id'))

This raises a 404 error when a user will not be found; and that will be bubbled up through your view and handlers to return a 404 statuscode.

Upvotes: 0

Related Questions