RefreshToken Endpoint

backend/Dockerfile

@@ -2,6 +2,12 @@ FROM python:3.10-slim
 
 WORKDIR /app
 COPY requirements.txt /app
+# Installing gcc and libc6-dev because docker removes them after building Python,
+# so it's impossible to build C extensions afterwards, wcwidth==0.2.6 and cwcwidth==0.1.8 in this case
+RUN apt-get update && apt-get install -y \
+    gcc \
+    libc6-dev \
+    && rm -rf /var/lib/apt/lists/*
 RUN pip install -r requirements.txt
 COPY . /app
 

backend/api/urls.py

@@ -1,28 +1,24 @@
 from django.urls import path, include
 from api import views
-
+from authentication.views import RefreshTokenView
 
 app_name = "api"
 urlpatterns = [
+    # Removed uneceesury new lines and insuring consistancy and readability
+
     path("", views.APIRootView.as_view(), name="api-root"),
     path("api-auth/", include("rest_framework.urls", namespace="rest_framework")),
     path("api/users/", views.CustomUserList.as_view(), name="users"),
     path("api/users/<int:pk>/", views.CustomUserDetail.as_view(), name="user-detail"),
     path("api/profiles/", views.ProfileList.as_view(), name="profiles"),
-    path(
-        "api/profiles/<int:pk>/", views.ProfileDetail.as_view(), name="profile-detail"
-    ),
-    path(
-        "api/follow/<str:username>/", views.FollowUserView.as_view(), name="follow-user"
-    ),
-    path(
-        "api/unfollow/<str:username>/",
-        views.UnFollowUserView.as_view(),
-        name="unfollow-user",
-    ),
+    path("api/profiles/<int:pk>/", views.ProfileDetail.as_view(), name="profile-detail"),
+    path("api/follow/<str:username>/", views.FollowUserView.as_view(), name="follow-user"),
+    path("api/unfollow/<str:username>/", views.UnFollowUserView.as_view(), name="unfollow-user"),
     path("api/posts/", views.PostList.as_view(), name="posts-list"),
     path("api/posts/new/", views.PostCreate.as_view(), name="post-create"),
     path("api/posts/<int:pk>/", views.PostDetail.as_view(), name="post-detail"),
     path("api/posts/delete/<int:pk>/", views.PostDelete.as_view(), name="post-delete"),
     path("api/signup", views.SignUpView.as_view(), name="signup-view"),
+    path("api/v2/auth/", include("authentication.urls")),
+    path('api/token/refresh/', RefreshTokenView.as_view(), name='token_refresh'),
 ]

backend/api/views.py

@@ -2,7 +2,8 @@
 from rest_framework import filters, generics, permissions, status
 from rest_framework.response import Response
 from rest_framework.views import APIView
-
+from rest_framework_simplejwt.tokens import RefreshToken
+from rest_framework.permissions import AllowAny
 from accounts.models import CustomUser, Profile
 from core.models import Post
 
@@ -194,3 +195,4 @@ def delete(self, request, *args, **kwargs):
             return self.destroy(request, *args, **kwargs)
         else:
             return Response(status=status.HTTP_403_FORBIDDEN)
+

backend/authentication/admin.py

@@ -0,0 +1,3 @@
+from django.contrib import admin
+
+# Register your models here.

backend/authentication/apps.py

@@ -0,0 +1,6 @@
+from django.apps import AppConfig
+
+
+class AuthenticationConfig(AppConfig):
+    default_auto_field = 'django.db.models.BigAutoField'
+    name = 'authentication'

backend/authentication/authenticate.py

@@ -0,0 +1,39 @@
+from rest_framework_simplejwt.authentication import JWTAuthentication
+from django.conf import settings
+
+from rest_framework.authentication import CSRFCheck
+from rest_framework import exceptions
+
+
+def enforce_csrf(request):
+    """
+    Enforce CSRF validation.
+    """
+
+    def dummy_get_response(request):  # pragma: no cover
+        return None
+
+    check = CSRFCheck(dummy_get_response)
+    # populates request.META['CSRF_COOKIE'], which is used in process_view()
+    check.process_request(request)
+    reason = check.process_view(request, None, (), {})
+    if reason:
+        # CSRF failed, bail with explicit error message
+        raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
+
+
+class CustomAuthentication(JWTAuthentication):
+
+    def authenticate(self, request):
+        header = self.get_header(request)
+
+        if header is None:
+            raw_token = request.COOKIES.get(settings.SIMPLE_JWT['AUTH_COOKIE']) or None
+        else:
+            raw_token = self.get_raw_token(header)
+        if raw_token is None:
+            return None
+
+        validated_token = self.get_validated_token(raw_token)
+        # enforce_csrf(request)
+        return self.get_user(validated_token), validated_token

backend/authentication/models.py

@@ -0,0 +1,3 @@
+from django.db import models
+
+# Create your models here.

backend/authentication/serializers.py

@@ -0,0 +1,12 @@
+from rest_framework import serializers
+
+from accounts.models import CustomUser
+
+
+class AuthUserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = CustomUser
+        fields = ["username", "password"]
+
+class RefreshTokenSerializer(serializers.Serializer):
+    refresh = serializers.CharField(required=True)

backend/authentication/tests.py

@@ -0,0 +1,41 @@
+from django.test import TestCase
+from django.urls import reverse
+from rest_framework import status
+from rest_framework.test import APIClient
+from accounts.models import CustomUser
+from django.conf import settings
+
+class LoginViewTestCase(TestCase):
+    def setUp(self):
+        LOGIN_URL = 'api/v2/auth/login/'
+        self.client = APIClient()
+        self.active_user = CustomUser.objects.create_user(username="activeuser", password="password123")
+        self.active_user.is_active = True
+        self.active_user.save()
+
+        self.inactive_user = CustomUser.objects.create_user(username="inactiveuser", password="password123")
+        self.inactive_user.is_active = False
+        self.inactive_user.save()
+
+        self.url = LOGIN_URL
+
+    def test_login_successful(self):
+        response = self.client.post(self.url, {"username": "activeuser", "password": "password123"})
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertIn("access", response.data)
+        self.assertIn(settings.SIMPLE_JWT["AUTH_COOKIE"], response.cookies)
+
+    def test_login_inactive_user(self):
+        response = self.client.post(self.url, {"username": "inactiveuser", "password": "password123"})
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(response.data, {"details": "This account is not active."})
+
+    def test_login_invalid_credentials(self):
+        response = self.client.post(self.url, {"username": "wronguser", "password": "wrongpassword"})
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(response.data, {"details": "Account with given credentials not found."})
+
+    def test_login_missing_fields(self):
+        response = self.client.post(self.url, {"username": "activeuser"})
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(response.data, {"details": "Account with given credentials not found."})

backend/authentication/urls.py

@@ -0,0 +1,9 @@
+from django.urls import path
+from . import views
+from .views import RefreshTokenView
+
+urlpatterns = [
+    path("login/", views.LoginView.as_view(), name='login'),
+    path("logout/", views.LogoutView.as_view(), name='logout'),
+    path('api/token/refresh/', RefreshTokenView.as_view(), name='token_refresh'),
+]

backend/authentication/views.py

@@ -0,0 +1,100 @@
+from rest_framework_simplejwt.tokens import RefreshToken
+from rest_framework.response import Response
+from django.contrib.auth import authenticate
+from rest_framework import status, generics
+from django.conf import settings
+from rest_framework.permissions import AllowAny
+from authentication.serializers import AuthUserSerializer
+from authentication.serializers import RefreshTokenSerializer
+
+
+def get_tokens_for_user(user):
+    refresh = RefreshToken.for_user(user)
+
+    return {
+        "refresh": str(refresh),
+        "access": str(refresh.access_token),
+    }
+
+
+class LoginView(generics.GenericAPIView):
+    permission_classes = []
+    authentication_classes = []
+    serializer_class = AuthUserSerializer
+
+    def post(self, request, format=None):
+        data = request.data
+        response = Response()
+        username = data.get("username", None)
+        password = data.get("password", None)
+        user = authenticate(username=username, password=password)
+
+        if user is not None:
+            if user.is_active:
+                data = get_tokens_for_user(user)
+                response.set_cookie(
+                    key=settings.SIMPLE_JWT["AUTH_COOKIE"],
+                    value=data["access"],
+                    secure=settings.SIMPLE_JWT["AUTH_COOKIE_SECURE"],
+                    httponly=settings.SIMPLE_JWT["AUTH_COOKIE_HTTP_ONLY"],
+                    samesite=settings.SIMPLE_JWT["AUTH_COOKIE_SAMESITE"],
+                    max_age=823396,
+                    # domain='example.com'
+                )
+                response.data = data
+                response.status_code = status.HTTP_200_OK
+                return response
+            else:
+                return Response({"details": "This account is not active."}, status=status.HTTP_400_BAD_REQUEST)
+        else:
+            return Response({"details": "Account with given credentials not found."}, status=status.HTTP_400_BAD_REQUEST)
+
+
+class LogoutView(generics.GenericAPIView):
+    permission_classes = []
+    authentication_classes = []
+    serializer_class = None
+
+    def post(self, request):
+        response = Response()
+        response.set_cookie(
+            key=settings.SIMPLE_JWT["AUTH_COOKIE"],
+            max_age=0,
+            # domain='example.com',
+            secure=settings.SIMPLE_JWT["AUTH_COOKIE_SECURE"],
+            #expires="Thu, 01 Jan 1970 00:00:00 GMT", Setting max_age=0 is good enough 
+            samesite=settings.SIMPLE_JWT["AUTH_COOKIE_SAMESITE"]
+        )
+        response.data = {"detail": "Logout successful."}
+        return response
+
+
+
+
+class RefreshTokenView(generics.GenericAPIView):
+    permission_classes = [AllowAny]  # Public access for this endpoint
+    authentication_classes = []
+    serializer_class = RefreshTokenSerializer  # Assign the serializer to the view
+
+
+
+    def post(self, request, *args, **kwargs):
+        # Extract the refresh token from the request
+        refresh_token = request.data.get("refresh", None)
+
+        if not refresh_token:
+            return Response({"detail": "Refresh token is required."}, status=status.HTTP_400_BAD_REQUEST)
+
+        try:
+            # Create a RefreshToken instance from the provided refresh token
+            token = RefreshToken(refresh_token)
+            # Generate a new access token using the refresh token
+            new_access_token = str(token.access_token)
+
+            # Respond with the new tokens
+            return Response({
+                "access": new_access_token,
+            }, status=status.HTTP_200_OK)
+
+        except Exception as e:
+            return Response({"detail": "Invalid refresh token."}, status=status.HTTP_400_BAD_REQUEST)

backend/chitchat/settings.py

@@ -11,6 +11,7 @@
 """
 
 from pathlib import Path
+from datetime import timedelta
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -48,6 +49,7 @@
     "api",
     "accounts",
     "core",
+    "authentication",
     # Dev tools
     "django_extensions",
     "drf_yasg",
@@ -147,9 +149,23 @@
         # "rest_framework.permissions.IsAuthenticated",
     ],
     "DEFAULT_FILTER_BACKENDS": ["django_filters.rest_framework.DjangoFilterBackend"],
+    "DEFAULT_AUTHENTICATION_CLASSES": (
+        "authentication.authenticate.CustomAuthentication",
+    ),
 }
 
 
 CORS_ALLOWED_ORIGINS = [
     "http://localhost:5173",
 ]
+
+SIMPLE_JWT = {
+    "AUTH_COOKIE": "access_token",  # Cookie name. Enables cookies if value is set.
+    "AUTH_COOKIE_DOMAIN": None,  # A string like "example.com", or None for standard domain cookie.
+    "AUTH_COOKIE_SECURE": True,  # Whether the auth cookies should be secure (https:// only).
+    "AUTH_COOKIE_HTTP_ONLY": True,  # Http only cookie flag.It's not fetch by javascript.
+    "AUTH_COOKIE_PATH": "/",  # The path of the auth cookie.
+    "AUTH_COOKIE_SAMESITE": 'None',  # Whether to set the flag restricting cookie leaks on cross-site requests.
+    "ACCESS_TOKEN_LIFETIME": timedelta(hours=1), # changed access token lifetime to 1 hour
+    "REFRESH_TOKEN_LIFETIME": timedelta(days=7),  # Long expiration for refresh tokens
+}