Protecting Views

jwt_login_required

djwto offers the decorator jwt_login_required, which guarantees that a view is only processed if a valid JWT token was sent with the request. Here’s an example. Suppose again a regular Django project with the usual testapp and a view defined as:

import djwto.authentication as auth # type: ignore
from django.views import View
from django.utils.decorators import method_decorator
from django.http.response import HttpResponse


class ProtectedView(View):
    def dispatch(self, request, *args, **kwargs):
        return super().dispatch(request, *args, **kwargs)

    # The decorator validates the JWT before the view body runs; only a
    # request carrying a valid token reaches get().
    @method_decorator(auth.jwt_login_required)
    def get(self, request, *args, **kwargs):
        # Claims decoded from the validated token are exposed on request.payload.
        refresh_claims = request.payload
        print(refresh_claims)
        return HttpResponse('worked!')

Notice the decorator auth.jwt_login_required protecting the view. Now let’s see what happens if we send a request without the JWT available:

r = sess.get('https://localhost:8001/testapp/protect/')

r.content
b'{"error": "Cookie \\"jwt_access_token\\" cannot be empty."}'

If we properly login:

r.content
b'worked!'

jwt_perm_required

djwto also offers the possibility of protecting views with permissions that should be available in the JWT token. Here’s an example: decorate a view with the jwt_perm_required function like so:

class PermsProtectedView(View):
    def dispatch(self, request, *args, **kwargs):
        return super().dispatch(request, *args, **kwargs)

    # jwt_login_required is the outer decorator, so the token is validated
    # (and request.payload populated) before the permission check runs.
    @method_decorator(auth.jwt_login_required)
    @method_decorator(auth.jwt_perm_required(['perm1']))
    def get(self, request, *args, **kwargs):
        refresh_claims = request.payload
        print(refresh_claims)
        return HttpResponse('perms also worked!')

The function receives a list of permissions as input, and the view is processed only if the JWT token sent with the request carries all of those permissions.
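To make the two checks above concrete, here is an added, self-contained illustration in plain Python of how a login decorator and a permission decorator stack. It is not djwto’s implementation: the token format (base64url payload plus an HMAC-SHA256 tag), the signing key, the Request stand-in, the tuple return values and the helper names sign_token, verify_token, make_cookies and forge_perms are all constructed for this example. The error strings and the user.perms claim layout mirror the responses and payload shown on this page.

```python
import base64
import hashlib
import hmac
import json
import time
from functools import wraps

# Constructed signing key for this illustration only.
SECRET = b"example-secret-do-not-reuse"


def sign_token(claims: dict) -> str:
    """Constructed token format: base64url(payload) + "." + base64url(HMAC-SHA256)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + base64.urlsafe_b64encode(tag).decode()


def verify_token(token: str) -> dict:
    """Return the claims only after the tag, token type and expiry check out."""
    body, _, tag_b64 = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag_b64)):
        raise ValueError("Invalid token signature.")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("type") != "access" or claims.get("exp", 0) <= time.time():
        raise ValueError("Token expired or of the wrong type.")
    return claims


class Request:
    """Minimal stand-in for a Django request: cookies plus the payload slot the decorators fill."""

    def __init__(self, cookies=None):
        self.COOKIES = cookies or {}
        self.payload = None


def jwt_login_required(view):
    """Outer decorator: reject requests without a valid access token, else expose its claims."""

    @wraps(view)
    def wrapper(request, *args, **kwargs):
        token = request.COOKIES.get("jwt_access_token")
        if not token:
            return 401, {"error": 'Cookie "jwt_access_token" cannot be empty.'}
        try:
            request.payload = verify_token(token)
        except ValueError as exc:
            return 401, {"error": str(exc)}
        return view(request, *args, **kwargs)

    return wrapper


def jwt_perm_required(perms):
    """Inner decorator: every required permission must appear in the verified user.perms claim."""

    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            granted = set(request.payload.get("user", {}).get("perms", []))
            if not set(perms) <= granted:
                return 403, {"error": "Invalid permissions for jwt token."}
            return view(request, *args, **kwargs)

        return wrapper

    return decorator


@jwt_login_required
@jwt_perm_required(["perm1"])
def perms_protected_view(request):
    return 200, "perms also worked!"


def make_cookies(perms, expired=False):
    """Constructed cookie jar holding a signed access token for user alice with the given perms."""
    now = int(time.time())
    claims = {"type": "access", "iat": now, "exp": now - 1 if expired else now + 3600,
              "sub": "sub", "user": {"id": 1, "username": "alice", "perms": perms}}
    return {"jwt_access_token": sign_token(claims)}


def forge_perms(cookies, perms):
    """Rewrite the payload half of the token without the key; the tag no longer matches."""
    body, _, tag_b64 = cookies["jwt_access_token"].partition(".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["user"]["perms"] = perms
    forged = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return {"jwt_access_token": forged + "." + tag_b64}


def call(cookies):
    """Run the decorated view against a request carrying the given cookies."""
    return perms_protected_view(Request(cookies))
```

The decorator order matters: jwt_login_required is outermost so it runs first and populates request.payload; swapping the two would run the permission check against an unverified, still-empty payload. The forge_perms helper shows why the permission list is only meaningful after signature verification: a payload edited without the key is rejected at the login step and never reaches the permission check.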

Now, sending the request with a regular JWT token returns:

r = sess.get('https://localhost:8001/testapp/perms_protect/')

r.content
b'{"error": "Invalid permissions for jwt token."}'

Suppose now that Alice has the permission perm1 stored in the database. Here’s the result then:

r.content
b'perms also worked!'

If you run these examples with settings DJWTO_MODE=TWO-COOKIES, you’ll be able to see what’s inside the returned cookie, like so:

base64.b64decode(sess.cookies['jwt_access_payload'])
b'{"aud": "aud", "exp": 1624269024, "iat": 1624239024, "iss": "iss", "jti": "0e9bfcdc-d684-47b5-9677-0cb5e5e88893", "refresh_iat": 1624239024, "sub": "sub", "type": "access", "user": {"email": "alice@djwto.com", "id": 1, "perms": ["perm1"], "username": "alice"}}'