Skip to main content

edX extensions of Django REST Framework

Project description

edX Django REST Framework Extensions CI Codecov

This library includes various cross-cutting concerns related to APIs. API functionality added to this library must be required for multiple Open edX applications or multiple repositories.

Some of these concerns include extensions of Django REST Framework (DRF), which is how the repository initially got its name.

Publishing a Release

After a PR merges, a new version of the package will automatically be released by Travis when the commit is tagged. Use:

git tag -a X.Y.Z -m "Releasing version X.Y.Z"
git push origin X.Y.Z

Do not create a Github Release, or ensure its message points to the CHANGELOG.rst and ADR 0001-use-changelog.rst.

JWT Authentication and REST API Endpoints

JWT Authentication is the preferred method of authentication for Open edX API endpoints. See JWT Authentication README for more details.

CSRF API

One feature of this library is a csrf app containing an API endpoint for retrieving CSRF tokens from the Django service in which it is installed. This is useful for frontend apps attempting to make POST, PUT, and DELETE requests to a Django service with Django’s CSRF middleware enabled.

To make use of this API endpoint:

  1. Install edx-drf-extensions in your Django project.

  2. Add csrf.apps.CsrfAppConfig to INSTALLED_APPS.

  3. Add 'edx_rest_framework_extensions.auth.jwt.middleware.JwtAuthCookieMiddleware' to MIDDLEWARE.

  4. Add csrf.urls to urls.py.

License

The code in this repository is licensed under Apache 2.0 unless otherwise noted.

Please see LICENSE.txt for details.

How To Contribute

Contributions are very welcome.

Please read How To Contribute for details.

Reporting Security Issues

Please do not report security issues in public. Please email security@edx.org.

Change Log

Unreleased

[8.9.2] - 2023-08-31

Fixed

  • Fixes exceptional case where JwtAuthentication should not CSRF protect a request that has both a JWT token in the authorization header and a JWT cookie, since the cookie should be ignored.

Changed

  • Updated one of the values of the custom attribute jwt_auth_result from ‘skipped’ to ‘n/a’.

[8.9.1] - 2023-08-22

Fixed

  • Fixed Django 40 middleware deprecation warning

[8.9.0] - 2023-08-14

Added

  • Added capability to forgive JWT cookie authentication failures as a replacement for the now deprecated USE-JWT-COOKIE header. See DEPR https://github.com/openedx/edx-drf-extensions/issues/371. * For now, this capability must be enabled using the ENABLE_FORGIVING_JWT_COOKIES toggle. * Added temporary custom attributes is_forgiving_jwt_cookies_enabled and use_jwt_cookie_requested to help with this deprecation.

  • Added custom attributes has_jwt_cookie and jwt_auth_result for JWT authentication observability.

Changed

  • Two features that were gated on the presence of the USE-JWT-COOKIE header will now be gated on the presence of a JWT cookie instead, regardless of the state of the new ENABLE_FORGIVING_JWT_COOKIES toggle. The new behavior should be nearly equivalent in most cases, and should cause no issues in the exceptional cases. The two features include CSRF protection for JWT cookies, and the setting of the request user when ENABLE_SET_REQUEST_USER_FOR_JWT_COOKIE is enabled.

[8.8.0] - 2023-05-16

Removed

  • Removed dependency on pyjwkest. Uses existing PyJWT dependency instead.

Warning: This change causes edx-drf-extensions to become a bit more strict about how it handles unexpected whitespace inside of Base64-encoded keys. For example, the following JSON is hard-wrapped inside a YAML single-quoted string, and edx-drf-extensions will start failing to load this in version 8.8.0:

JWT_PUBLIC_SIGNING_JWK_SET: '{
  "keys": [
    {
      "e": "AQAB",
      "kid": "prod-key-001",
      "kty": "RSA",
      "n": "VGhpcyBpcyBqdXN0IHNvbWUgZGVtb25zdHJhd
         GlvbiB0ZXh0IHJhdGhlciB0aGFuIGFjdHVhbCBrZ
         XkgbWF0ZXJpYWwuICAK"
      }
    ]
  }'

Newlines are ignored within Base64, but are illegal inside JSON strings. However, the YAML parser actually replaces the newlines with single spaces due to the single-quoting, so the JSON will actually contain a modulus (n) value with two spaces breaking up the Base64. Spaces are in turn not allowed in Base64. Due to interactions between various Base64 parsers, URL-safe encoding, and how padding is handled by the Python base64 standard library, this will be read as intended by pyjwkest but not by PyJWT. This is not a bug, just a difference in how malformed inputs are handled.

The safe way to encode this JSON is without hard wrapping:

JWT_PUBLIC_SIGNING_JWK_SET: |
  {
    "keys": [
      {
        "e": "AQAB",
        "kid": "prod-key-001",
        "kty": "RSA",
        "n": "VGhpcyBpcyBqdXN0IHNvbWUgZGVtb25zdHJhdGlvbiB0ZXh0IHJhdGhlciB0aGFuIGFjdHVhbCBrZXkgbWF0ZXJpYWwuICAK"
      }
    ]
  }

Before upgrading to version 8.8.0, ensure your keys are properly encoded with no whitespace of any sort inside of runs of Base64.

[8.7.0] - 2023-04-14

Added

  • Add edx_drf_extensions_version to help with rollout of changes in this library across services.

Removed

  • Removed exception case for InvalidTokenError that was never invoked.

[8.6.0] - 2023-04-12

Added

  • Added jwt_auth_check_symmetric_key, jwt_auth_asymmetric_verified, jwt_auth_symmetric_verified, and jwt_auth_verification_failed custom attributes to aid in deprecation and removal of symmetric keys.

  • Added jwt_auth_issuer and jwt_auth_issuer_verification custom attributes.

Changed

  • Changed jwt_auth_verify_keys_count custom attribute to aid in key rotations, to instead be jwt_auth_verify_asymmetric_keys_count and jwt_auth_verify_all_keys_count. The latter count is only used in the case that the token can’t be verified with the asymmetric keys alone.

[8.5.3] - 2023-04-11

Fixed

  • (Hopefully) fixed the ability to publish edx-drf-extensions, by adding a long_description to setup.py. There was no real 8.5.1 or 8.5.2.

[8.5.0] - 2023-04-05

Added

  • Added jwt_auth_verify_keys_count custom attribute to aid in key rotations

[8.4.1] - 2022-12-18

Added

  • Additional logging in authenticate_credentials within the JWT authentication middleware for debugging purposes.

[8.4.0] - 2022-12-16

Added

  • Added custom attribute enduser.id, following OpenTelemetry convention. This works with some New Relic automatic tooling around users. The old custom attribute request_user_id should be considered deprecated.

[8.3.1] - 2022-09-09

Fixed

  • Fixed disabled user error by reverting change to JwtAuthentication.

[8.3.0] - 2022-09-07

Changed

  • JwtAuthentication will fail for disabled users (with unusable password).

[8.2.0] - 2022-08-24

Added

  • Added only asymmetric jwt decoding functionality in decoder

Changed

  • Rename toggle_warnings to toggle_warning for consistency with setting_warning.

[8.1.0] - 2022-01-28

Dropped

  • Dropped Support for Django22, 30, 31

[8.0.1] - 2021-11-01

Changed

  • Resolve RemovedInDjango4.0 warnings.

[8.0.0] - 2021-09-30

Changed

  • BREAKING CHANGE: Updated EnsureJWTAuthSettingsMiddleware to understand and work with permissions combined using DRF’s in-built support. This allows switching away from rest_condition. Any view that still uses rest_condition will cause the middleware to throw an error.

[7.0.1] - 2021-08-10

Fixed

[7.0.0] - 2021-08-03

Changed

  • BREAKING CHANGE: generate_jwt_token: Now returns string (instead of bytes), and no longer requires decoding. This was to keep consistent with change to jwt.encode in pyjwt upgrade (see below).

  • BREAKING CHANGE: Upgraded dependency pyjwt[crypto] to 2.1.0, which introduces its own breaking changes that may affect consumers of this library. Pay careful attention to the 2.0.0 breaking changes documented in https://pyjwt.readthedocs.io/en/stable/changelog.html#v2-0-0.

[6.6.0] - 2021-07-13

Added

  • Added support for django3.1 and 3.2

[6.5.0] - 2021-02-12

Added

  • Added a new custom attribute jwt_auth_failed to both monitor failures, and to help prepare for future refactors.

[6.4.0] - 2021-01-19

Added

  • Added a new custom attribute request_is_staff_or_superuser

[6.3.0] - 2021-01-12

Removed

  • Drop support for Python 3.5

[6.2.0] - 2020-08-24

Updated

  • Renamed “custom metric” to “custom attribute” throughout the repo. This was based on a decision (ADR) captured in edx-django-utils.

    • Deprecated RequestMetricsMiddleware due to rename. Use RequestCustomAttributesMiddleware instead.

[6.1.2] - 2020-07-19

Fixed

  • _get_user_from_jwt no longer throws an UnsupportedMediaType error for failing to parse “new user” requests.

[6.1.1] - 2020-07-19

Fixed

  • Latest drf-jwt is throwing error in case of any other Authorization Header. Fixing that issue in JwtAuthentication class.

[6.1.0] - 2020-06-26

Changed

  • Update drf-jwt to pull in new allow-list(they called it blacklist) feature.

Added

Fixed

[6.0.0] - 2020-05-05

Changed

  • BREAKING CHANGE: Renamed ‘request_auth_type’ to ‘request_auth_type_guess’. This makes it more clear that this metric could report the wrong value in certain cases. This could break dashboards or alerts that relied on this metric.

  • BREAKING CHANGE: Renamed value session-or-unknown to session-or-other. This name makes it more clear that it is the method of authentication that is in question, not whether or not the user is authenticated. This could break dashboards or alerts that relied on this metric.

Added

  • Added ‘jwt-cookie’ as new value for ‘request_auth_type_guess’.

  • Added new ‘request_authenticated_user_found_in_middleware’ metric. Helps identify for what middleware step the request user was set, if it was set. Example values: ‘process_request’, ‘process_view’, ‘process_response’, or ‘process_exception’.

Fixed

  • Fixed/Added setting of authentication metrics for exceptions as well.

  • Fixed ‘request_auth_type_guess’ to be more accurate when recording values of ‘unauthenticated’ and ‘no-user’.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

edx-drf-extensions-8.9.2.tar.gz (60.6 kB view details)

Uploaded Source

Built Distribution

edx_drf_extensions-8.9.2-py2.py3-none-any.whl (67.8 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file edx-drf-extensions-8.9.2.tar.gz.

File metadata

  • Download URL: edx-drf-extensions-8.9.2.tar.gz
  • Upload date:
  • Size: 60.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.5

File hashes

Hashes for edx-drf-extensions-8.9.2.tar.gz
Algorithm Hash digest
SHA256 81e48b2e6a0843a69c5bc4a6964cbea5b9c7f9629fceec23fcbdb908a95e51b3
MD5 c4bc7a75b686a3027c4d2fc589189fe5
BLAKE2b-256 1f1ad550961eca03df3f04a6dfce669242333677be454c2c6546a49d62e24c6f

See more details on using hashes here.

File details

Details for the file edx_drf_extensions-8.9.2-py2.py3-none-any.whl.

File metadata

File hashes

Hashes for edx_drf_extensions-8.9.2-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 74c96dcb0be4a461c538b63af499431bb6f78d78ea2cdd2e8df145151c3ad103
MD5 d266081142cd79683bd4d4e704bc7a71
BLAKE2b-256 ce5085ac0ae7c5eccc106ce37cf30ce843765669168fefafc48d1ef3958aaac9

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page