Commit e0b0ed5

Move checking for blocked tokens to after other checks for validity.
When the blacklist was a straightforward - and presumably cheap - literal lookup by token value, I can see the merit in checking it first. If we care about using the contents of the token, then it's preferable to know that we can reliably decode the token. Note that this would change the response for invalid tokens. Assuming that only valid tokens are added to the blacklist, then the only visible sign of this would be for tokens that were added to the blacklist and then later expire. An external observer would now see the expiration error first, instead of the blacklist message. If an installation is clearing expired tokens, this is essentially the same behaviour that you would get in the old code, after the token expires and is purged from the blacklist.
1 parent a043949 commit e0b0ed5

2 files changed: +12 -12 lines changed

src/rest_framework_jwt/authentication.py

Lines changed: 6 additions & 6 deletions
@@ -68,12 +68,6 @@ def authenticate(self, request):
6868
except MissingToken:
6969
return None
7070

71-
if apps.is_installed('rest_framework_jwt.blacklist'):
72-
from rest_framework_jwt.blacklist.models import BlacklistedToken
73-
if BlacklistedToken.is_blocked(token):
74-
msg = _('Token is blacklisted.')
75-
raise exceptions.PermissionDenied(msg)
76-
7771
try:
7872
payload = self.jwt_decode_token(token)
7973
except jwt.ExpiredSignature:
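Review bot: the commit message should state the hardening this removal brings, not only the error-precedence change: before this hunk, `BlacklistedToken.is_blocked(token)` ran between `except MissingToken: return None` and the `jwt_decode_token(token)` try, so any caller could force a blacklist lookup with an arbitrary, never-verified token string; after it, only tokens that survive the decode (signature and expiry) reach the lookup. The trailing context `except jwt.ExpiredSignature:` is now the first branch a revoked-then-expired token hits, so any test that asserts "Token is blacklisted." for an expired blacklist entry in `authenticate()` needs its expected error swapped for the expiry error.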
@@ -86,6 +80,12 @@ def authenticate(self, request):
8680
msg = _('Invalid token.')
8781
raise exceptions.AuthenticationFailed(msg)
8882

83+
if apps.is_installed('rest_framework_jwt.blacklist'):
84+
from rest_framework_jwt.blacklist.models import BlacklistedToken
85+
if BlacklistedToken.is_blocked(token):
86+
msg = _('Token is blacklisted.')
87+
raise exceptions.PermissionDenied(msg)
88+
8989
user = self.authenticate_credentials(payload)
9090

9191
return user, token
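Review bot: the moved block still calls `BlacklistedToken.is_blocked(token)` with the raw token string even though `payload` is now in scope and unused by the check, so the reorder changes only which error is reported first; if the point of decoding before the lookup is, as the commit message says, to rely on the token's contents, the lookup should be switched to a decoded claim (a `jti` or user identifier is the usual choice, an assumption about this project's payload) in a follow-up, otherwise the comment in the commit message promises more than the code delivers. Two smaller points while this block is being touched: a blacklisted token is an authentication failure, yet it raises `exceptions.PermissionDenied` (HTTP 403) while the neighbouring decode failures raise `exceptions.AuthenticationFailed` (HTTP 401, which also lets DRF emit `WWW-Authenticate`), so consider aligning on `AuthenticationFailed`; and the import of `BlacklistedToken` inside the function body could be hoisted into a module-level helper guarded by `apps.is_installed`, rather than repeated at every call site.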

src/rest_framework_jwt/utils.py

Lines changed: 6 additions & 6 deletions
@@ -203,12 +203,6 @@ def jwt_create_response_payload(
203203
def check_payload(token):
204204
from rest_framework_jwt.authentication import JSONWebTokenAuthentication
205205

206-
if apps.is_installed('rest_framework_jwt.blacklist'):
207-
from rest_framework_jwt.blacklist.models import BlacklistedToken
208-
if BlacklistedToken.is_blocked(token):
209-
msg = _('Token is blacklisted.')
210-
raise serializers.ValidationError(msg)
211-
212206
try:
213207
payload = JSONWebTokenAuthentication.jwt_decode_token(token)
214208
except jwt.ExpiredSignature:
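Review bot: this mirrors the change in `authenticate()`, but `check_payload` serves different callers, so the precedence change is more visible here: a caller submitting a revoked token that has since expired (a refresh or verify flow, by the look of the surrounding `jwt_create_response_payload`) now receives the expiry `ValidationError` from the `except jwt.ExpiredSignature:` branch instead of "Token is blacklisted.", and the lookup is no longer performed for tokens that fail `JSONWebTokenAuthentication.jwt_decode_token(token)`. Add a test for `check_payload` with a token that is both blacklisted and expired and assert the new precedence, so the behaviour described in the commit message is pinned rather than incidental.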
@@ -221,6 +215,12 @@ def check_payload(token):
221215
msg = _('Invalid token.')
222216
raise serializers.ValidationError(msg)
223217

218+
if apps.is_installed('rest_framework_jwt.blacklist'):
219+
from rest_framework_jwt.blacklist.models import BlacklistedToken
220+
if BlacklistedToken.is_blocked(token):
221+
msg = _('Token is blacklisted.')
222+
raise serializers.ValidationError(msg)
223+
224224
return payload
225225

226226

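Review bot: the added block is a verbatim copy of the one now in `authentication.py`, differing only in the exception class (`serializers.ValidationError` here, `exceptions.PermissionDenied` there); with both copies moving in the same commit, this is the moment to factor the `apps.is_installed('rest_framework_jwt.blacklist')` guard and the `BlacklistedToken.is_blocked(token)` call into a single helper in `utils.py` that returns a bool, letting each caller raise its own exception type, so the next change to blacklist semantics (for instance keying the lookup on a `payload` claim rather than the raw token, which this block still does not use) happens in one place. As with the other copy, the local import of `BlacklistedToken` inside the function is a style point that the helper would resolve.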