diff --git a/backend/Dockerfile b/backend/Dockerfile index bc5f582..cc11ffa 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -2,6 +2,12 @@ FROM python:3.10-slim WORKDIR /app COPY requirements.txt /app +# Installing gcc and libc6-dev because docker removes them after building Python, +# so it's impossible to build C extensions afterwards, wcwidth==0.2.6 and cwcwidth==0.1.8 in this case +RUN apt-get update && apt-get install -y \ + gcc \ + libc6-dev \ + && rm -rf /var/lib/apt/lists/* RUN pip install -r requirements.txt COPY . /app diff --git a/backend/api/urls.py b/backend/api/urls.py index 157fdf2..d47884d 100644 --- a/backend/api/urls.py +++ b/backend/api/urls.py @@ -1,28 +1,24 @@ from django.urls import path, include from api import views - +from authentication.views import RefreshTokenView app_name = "api" urlpatterns = [ + # Removed uneceesury new lines and insuring consistancy and readability + path("", views.APIRootView.as_view(), name="api-root"), path("api-auth/", include("rest_framework.urls", namespace="rest_framework")), path("api/users/", views.CustomUserList.as_view(), name="users"), path("api/users//", views.CustomUserDetail.as_view(), name="user-detail"), path("api/profiles/", views.ProfileList.as_view(), name="profiles"), - path( - "api/profiles//", views.ProfileDetail.as_view(), name="profile-detail" - ), - path( - "api/follow//", views.FollowUserView.as_view(), name="follow-user" - ), - path( - "api/unfollow//", - views.UnFollowUserView.as_view(), - name="unfollow-user", - ), + path("api/profiles//", views.ProfileDetail.as_view(), name="profile-detail"), + path("api/follow//", views.FollowUserView.as_view(), name="follow-user"), + path("api/unfollow//", views.UnFollowUserView.as_view(), name="unfollow-user"), path("api/posts/", views.PostList.as_view(), name="posts-list"), path("api/posts/new/", views.PostCreate.as_view(), name="post-create"), path("api/posts//", views.PostDetail.as_view(), name="post-detail"), path("api/posts/delete//", views.PostDelete.as_view(), name="post-delete"), path("api/signup", views.SignUpView.as_view(), name="signup-view"), + path("api/v2/auth/", include("authentication.urls")), + path('api/token/refresh/', RefreshTokenView.as_view(), name='token_refresh'), ] diff --git a/backend/api/views.py b/backend/api/views.py index daceea6..b8f2f3b 100644 --- a/backend/api/views.py +++ b/backend/api/views.py @@ -2,7 +2,8 @@ from rest_framework import filters, generics, permissions, status from rest_framework.response import Response from rest_framework.views import APIView - +from rest_framework_simplejwt.tokens import RefreshToken +from rest_framework.permissions import AllowAny from accounts.models import CustomUser, Profile from core.models import Post @@ -194,3 +195,4 @@ def delete(self, request, *args, **kwargs): return self.destroy(request, *args, **kwargs) else: return Response(status=status.HTTP_403_FORBIDDEN) + diff --git a/backend/authentication/__init__.py b/backend/authentication/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/backend/authentication/admin.py b/backend/authentication/admin.py new file mode 100644 index 0000000..8c38f3f --- /dev/null +++ b/backend/authentication/admin.py @@ -0,0 +1,3 @@ +from django.contrib import admin + +# Register your models here. diff --git a/backend/authentication/apps.py b/backend/authentication/apps.py new file mode 100644 index 0000000..8bab8df --- /dev/null +++ b/backend/authentication/apps.py @@ -0,0 +1,6 @@ +from django.apps import AppConfig + + +class AuthenticationConfig(AppConfig): + default_auto_field = 'django.db.models.BigAutoField' + name = 'authentication' diff --git a/backend/authentication/authenticate.py b/backend/authentication/authenticate.py new file mode 100644 index 0000000..02d4fac --- /dev/null +++ b/backend/authentication/authenticate.py @@ -0,0 +1,39 @@ +from rest_framework_simplejwt.authentication import JWTAuthentication +from django.conf import settings + +from rest_framework.authentication import CSRFCheck +from rest_framework import exceptions + + +def enforce_csrf(request): + """ + Enforce CSRF validation. + """ + + def dummy_get_response(request): # pragma: no cover + return None + + check = CSRFCheck(dummy_get_response) + # populates request.META['CSRF_COOKIE'], which is used in process_view() + check.process_request(request) + reason = check.process_view(request, None, (), {}) + if reason: + # CSRF failed, bail with explicit error message + raise exceptions.PermissionDenied('CSRF Failed: %s' % reason) + + +class CustomAuthentication(JWTAuthentication): + + def authenticate(self, request): + header = self.get_header(request) + + if header is None: + raw_token = request.COOKIES.get(settings.SIMPLE_JWT['AUTH_COOKIE']) or None + else: + raw_token = self.get_raw_token(header) + if raw_token is None: + return None + + validated_token = self.get_validated_token(raw_token) + # enforce_csrf(request) + return self.get_user(validated_token), validated_token diff --git a/backend/authentication/migrations/__init__.py b/backend/authentication/migrations/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/backend/authentication/models.py b/backend/authentication/models.py new file mode 100644 index 0000000..71a8362 --- /dev/null +++ b/backend/authentication/models.py @@ -0,0 +1,3 @@ +from django.db import models + +# Create your models here. diff --git a/backend/authentication/serializers.py b/backend/authentication/serializers.py new file mode 100644 index 0000000..961bbed --- /dev/null +++ b/backend/authentication/serializers.py @@ -0,0 +1,12 @@ +from rest_framework import serializers + +from accounts.models import CustomUser + + +class AuthUserSerializer(serializers.ModelSerializer): + class Meta: + model = CustomUser + fields = ["username", "password"] + +class RefreshTokenSerializer(serializers.Serializer): + refresh = serializers.CharField(required=True) diff --git a/backend/authentication/tests.py b/backend/authentication/tests.py new file mode 100644 index 0000000..9c5879e --- /dev/null +++ b/backend/authentication/tests.py @@ -0,0 +1,41 @@ +from django.test import TestCase +from django.urls import reverse +from rest_framework import status +from rest_framework.test import APIClient +from accounts.models import CustomUser +from django.conf import settings + +class LoginViewTestCase(TestCase): + def setUp(self): + LOGIN_URL = 'api/v2/auth/login/' + self.client = APIClient() + self.active_user = CustomUser.objects.create_user(username="activeuser", password="password123") + self.active_user.is_active = True + self.active_user.save() + + self.inactive_user = CustomUser.objects.create_user(username="inactiveuser", password="password123") + self.inactive_user.is_active = False + self.inactive_user.save() + + self.url = LOGIN_URL + + def test_login_successful(self): + response = self.client.post(self.url, {"username": "activeuser", "password": "password123"}) + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertIn("access", response.data) + self.assertIn(settings.SIMPLE_JWT["AUTH_COOKIE"], response.cookies) + + def test_login_inactive_user(self): + response = self.client.post(self.url, {"username": "inactiveuser", "password": "password123"}) + self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST) + self.assertEqual(response.data, {"details": "This account is not active."}) + + def test_login_invalid_credentials(self): + response = self.client.post(self.url, {"username": "wronguser", "password": "wrongpassword"}) + self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST) + self.assertEqual(response.data, {"details": "Account with given credentials not found."}) + + def test_login_missing_fields(self): + response = self.client.post(self.url, {"username": "activeuser"}) + self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST) + self.assertEqual(response.data, {"details": "Account with given credentials not found."}) diff --git a/backend/authentication/urls.py b/backend/authentication/urls.py new file mode 100644 index 0000000..ef0c36f --- /dev/null +++ b/backend/authentication/urls.py @@ -0,0 +1,9 @@ +from django.urls import path +from . import views +from .views import RefreshTokenView + +urlpatterns = [ + path("login/", views.LoginView.as_view(), name='login'), + path("logout/", views.LogoutView.as_view(), name='logout'), + path('api/token/refresh/', RefreshTokenView.as_view(), name='token_refresh'), +] diff --git a/backend/authentication/views.py b/backend/authentication/views.py new file mode 100644 index 0000000..c0c1fed --- /dev/null +++ b/backend/authentication/views.py @@ -0,0 +1,100 @@ +from rest_framework_simplejwt.tokens import RefreshToken +from rest_framework.response import Response +from django.contrib.auth import authenticate +from rest_framework import status, generics +from django.conf import settings +from rest_framework.permissions import AllowAny +from authentication.serializers import AuthUserSerializer +from authentication.serializers import RefreshTokenSerializer + + +def get_tokens_for_user(user): + refresh = RefreshToken.for_user(user) + + return { + "refresh": str(refresh), + "access": str(refresh.access_token), + } + + +class LoginView(generics.GenericAPIView): + permission_classes = [] + authentication_classes = [] + serializer_class = AuthUserSerializer + + def post(self, request, format=None): + data = request.data + response = Response() + username = data.get("username", None) + password = data.get("password", None) + user = authenticate(username=username, password=password) + + if user is not None: + if user.is_active: + data = get_tokens_for_user(user) + response.set_cookie( + key=settings.SIMPLE_JWT["AUTH_COOKIE"], + value=data["access"], + secure=settings.SIMPLE_JWT["AUTH_COOKIE_SECURE"], + httponly=settings.SIMPLE_JWT["AUTH_COOKIE_HTTP_ONLY"], + samesite=settings.SIMPLE_JWT["AUTH_COOKIE_SAMESITE"], + max_age=823396, + # domain='example.com' + ) + response.data = data + response.status_code = status.HTTP_200_OK + return response + else: + return Response({"details": "This account is not active."}, status=status.HTTP_400_BAD_REQUEST) + else: + return Response({"details": "Account with given credentials not found."}, status=status.HTTP_400_BAD_REQUEST) + + +class LogoutView(generics.GenericAPIView): + permission_classes = [] + authentication_classes = [] + serializer_class = None + + def post(self, request): + response = Response() + response.set_cookie( + key=settings.SIMPLE_JWT["AUTH_COOKIE"], + max_age=0, + # domain='example.com', + secure=settings.SIMPLE_JWT["AUTH_COOKIE_SECURE"], + #expires="Thu, 01 Jan 1970 00:00:00 GMT", Setting max_age=0 is good enough + samesite=settings.SIMPLE_JWT["AUTH_COOKIE_SAMESITE"] + ) + response.data = {"detail": "Logout successful."} + return response + + + + +class RefreshTokenView(generics.GenericAPIView): + permission_classes = [AllowAny] # Public access for this endpoint + authentication_classes = [] + serializer_class = RefreshTokenSerializer # Assign the serializer to the view + + + + def post(self, request, *args, **kwargs): + # Extract the refresh token from the request + refresh_token = request.data.get("refresh", None) + + if not refresh_token: + return Response({"detail": "Refresh token is required."}, status=status.HTTP_400_BAD_REQUEST) + + try: + # Create a RefreshToken instance from the provided refresh token + token = RefreshToken(refresh_token) + # Generate a new access token using the refresh token + new_access_token = str(token.access_token) + + # Respond with the new tokens + return Response({ + "access": new_access_token, + }, status=status.HTTP_200_OK) + + except Exception as e: + return Response({"detail": "Invalid refresh token."}, status=status.HTTP_400_BAD_REQUEST) \ No newline at end of file diff --git a/backend/chitchat/settings.py b/backend/chitchat/settings.py index f51d466..d45fe86 100644 --- a/backend/chitchat/settings.py +++ b/backend/chitchat/settings.py @@ -11,6 +11,7 @@ """ from pathlib import Path +from datetime import timedelta # Build paths inside the project like this: BASE_DIR / 'subdir'. BASE_DIR = Path(__file__).resolve().parent.parent @@ -48,6 +49,7 @@ "api", "accounts", "core", + "authentication", # Dev tools "django_extensions", "drf_yasg", @@ -147,9 +149,23 @@ # "rest_framework.permissions.IsAuthenticated", ], "DEFAULT_FILTER_BACKENDS": ["django_filters.rest_framework.DjangoFilterBackend"], + "DEFAULT_AUTHENTICATION_CLASSES": ( + "authentication.authenticate.CustomAuthentication", + ), } CORS_ALLOWED_ORIGINS = [ "http://localhost:5173", ] + +SIMPLE_JWT = { + "AUTH_COOKIE": "access_token", # Cookie name. Enables cookies if value is set. + "AUTH_COOKIE_DOMAIN": None, # A string like "example.com", or None for standard domain cookie. + "AUTH_COOKIE_SECURE": True, # Whether the auth cookies should be secure (https:// only). + "AUTH_COOKIE_HTTP_ONLY": True, # Http only cookie flag.It's not fetch by javascript. + "AUTH_COOKIE_PATH": "/", # The path of the auth cookie. + "AUTH_COOKIE_SAMESITE": 'None', # Whether to set the flag restricting cookie leaks on cross-site requests. + "ACCESS_TOKEN_LIFETIME": timedelta(hours=1), # changed access token lifetime to 1 hour + "REFRESH_TOKEN_LIFETIME": timedelta(days=7), # Long expiration for refresh tokens +} diff --git a/backend/requirements.txt b/backend/requirements.txt index b6e2424..3887291 100644 Binary files a/backend/requirements.txt and b/backend/requirements.txt differ