Add authentication when using JWT with oauth2

Dockerfile.dev

@@ -2,4 +2,4 @@ FROM python:3.6
 
 WORKDIR /code
 RUN pip install tox
-ADD . /code
+ADD . /code

README.md

@@ -155,6 +155,16 @@ hTZAZmJhid2o/+ya/28muuoQgknEoJz32bKeWuYZrFkRKUrGFnlxHwIDAQAB
 """
 ```
 
+By default authentication will be enabled, use `JWT_AUTH_DISABLED` setting variable to disable that feature:
+
+```
+#settings.py
+
+# Default JWT_AUTH_DISABLED=False
+JWT_AUTH_DISABLED=True
+
+```
+
 
 Local development
 =================

docker-compose-dev.yml

@@ -8,4 +8,4 @@ services:
     container_name: dot_jwt
     image: dot_jwt
     volumes:
-      - .:/code
+      - .:/code

oauth2_provider_jwt/authentication.py

@@ -1,5 +1,6 @@
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
+from django.contrib.auth import get_user_model
 from django.utils.encoding import smart_text
 import jwt
 from rest_framework import exceptions
@@ -43,7 +44,35 @@ def authenticate(self, request):
             raise exceptions.AuthenticationFailed()
 
         self._add_session_details(request, payload)
-        return AnonymousUser(), payload
+
+        user = self.authenticate_credentials(payload)
+        return user, payload
+
+    def authenticate_credentials(self, payload):
+        """
+        Returns an active user that matches the payload's user id and email.
+        """
+        if getattr(settings, 'JWT_AUTH_DISABLED', False):
+            return AnonymousUser()
+
+        User = get_user_model()
+        username = payload.get('username')
+
+        if not username:
+            msg = 'Invalid payload.'
+            raise exceptions.AuthenticationFailed(msg)
+
+        try:
+            user = User.objects.get_by_natural_key(username)
+        except User.DoesNotExist:
+            msg = 'Invalid signature.'
+            raise exceptions.AuthenticationFailed(msg)
+
+        if not user.is_active:
+            msg = 'User account is disabled.'
+            raise exceptions.AuthenticationFailed(msg)
+
+        return user
 
     def _get_jwt_value(self, request):
         auth = get_authorization_header(request).split()

oauth2_provider_jwt/views.py

@@ -19,6 +19,7 @@ def _get_access_token_jwt(self, request, expires_in):
         if payload_enricher:
             fn = import_string(payload_enricher)
             extra_data = fn(request)
+            extra_data['username'] = request.POST.get('username')
         payload = generate_payload(issuer, expires_in, **extra_data)
         token = encode_jwt(payload)
         return token

tests/test_authentication.py

@@ -2,6 +2,7 @@
 import json
 
 from django.test import TestCase
+from django.contrib.auth import get_user_model
 from rest_framework.test import APIClient
 
 from oauth2_provider_jwt import utils
@@ -10,6 +11,9 @@
 class JWTAuthenticationTests(TestCase):
     def setUp(self):
         self.client = APIClient(enforce_csrf_checks=True)
+        User = get_user_model()
+        User.objects.create_user(
+            'temporary', '[email protected]', 'temporary')
 
     def test_get_no_jwt_header(self):
         """
@@ -66,3 +70,21 @@ def test_post_valid_jwt_header(self):
             if k not in ('exp', 'iat'):
                 sessionkeys_expected['jwt_{}'.format(k)] = v
         self.assertEqual(json.loads(response.content), sessionkeys_expected)
+
+    def test_post_valid_jwt_with_auth(self):
+        now = datetime.utcnow()
+        payload = {
+            'iss': 'issuer',
+            'exp': now + timedelta(seconds=100),
+            'iat': now,
+            'username': 'temporary',
+        }
+        jwt_value = utils.encode_jwt(payload)
+
+        response = self.client.post(
+            '/jwt_auth/', {'example': 'example'},
+            HTTP_AUTHORIZATION='JWT {}'.format(jwt_value),
+            content_type='application/json')
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(
+            json.loads(response.content), {'username': 'temporary'})

tests/urls.py

@@ -20,10 +20,22 @@ def post(self, request):
         return HttpResponse(response)
 
 
+class MockForAuthView(APIView):
+    permission_classes = (permissions.IsAuthenticated,)
+
+    def get(self, _request):
+        return HttpResponse('mockforauthview-get')
+
+    def post(self, request):
+        response = json.dumps({"username": request.user.username})
+        return HttpResponse(response)
+
+
 urlpatterns = [
     url(r"^o/", include("oauth2_provider_jwt.urls",
                         namespace="oauth2_provider_jwt")),
     url(r'^jwt/$', MockView.as_view()),
+    url(r'^jwt_auth/$', MockForAuthView.as_view()),
 ]