Move checking for blocked tokens to after other checks for validity.

ashokdelphia · ashokdelphia · commit e0b0ed588341 · 2021-01-27T16:45:29.000-05:00
When the blacklist was a straightforward - and presumably cheap - literal lookup by token value, I can see the merit for checking it first. If we care about using the contents of the token, then it's preferable to know that we can reliably decode the token.

Note that this would change the response for invalid tokens. Assuming that only valid tokens are added to the blacklist, then the only visible sign of this would be for tokens that were added to the blacklist and then later expire. An external observer would now see the expiration error first, instead of the blacklist message. If an installation is clearing expired tokens, this is essentially the same behaviour that you would get in the old code, after the token expires and is purged from the blacklist.
diff --git a/src/rest_framework_jwt/authentication.py b/src/rest_framework_jwt/authentication.py
@@ -68,12 +68,6 @@ def authenticate(self, request):
         except MissingToken:
             return None
 
-        if apps.is_installed('rest_framework_jwt.blacklist'):
-            from rest_framework_jwt.blacklist.models import BlacklistedToken
-            if BlacklistedToken.is_blocked(token):
-                msg = _('Token is blacklisted.')
-                raise exceptions.PermissionDenied(msg)
-
         try:
             payload = self.jwt_decode_token(token)
         except jwt.ExpiredSignature:
@@ -86,6 +80,12 @@ def authenticate(self, request):
             msg = _('Invalid token.')
             raise exceptions.AuthenticationFailed(msg)
 
+        if apps.is_installed('rest_framework_jwt.blacklist'):
+            from rest_framework_jwt.blacklist.models import BlacklistedToken
+            if BlacklistedToken.is_blocked(token):
+                msg = _('Token is blacklisted.')
+                raise exceptions.PermissionDenied(msg)
+
         user = self.authenticate_credentials(payload)
 
         return user, token
diff --git a/src/rest_framework_jwt/utils.py b/src/rest_framework_jwt/utils.py
@@ -203,12 +203,6 @@ def jwt_create_response_payload(
 def check_payload(token):
     from rest_framework_jwt.authentication import JSONWebTokenAuthentication
 
-    if apps.is_installed('rest_framework_jwt.blacklist'):
-        from rest_framework_jwt.blacklist.models import BlacklistedToken
-        if BlacklistedToken.is_blocked(token):
-            msg = _('Token is blacklisted.')
-            raise serializers.ValidationError(msg)
-
     try:
         payload = JSONWebTokenAuthentication.jwt_decode_token(token)
     except jwt.ExpiredSignature:
@@ -221,6 +215,12 @@ def check_payload(token):
         msg = _('Invalid token.')
         raise serializers.ValidationError(msg)
 
+    if apps.is_installed('rest_framework_jwt.blacklist'):
+        from rest_framework_jwt.blacklist.models import BlacklistedToken
+        if BlacklistedToken.is_blocked(token):
+            msg = _('Token is blacklisted.')
+            raise serializers.ValidationError(msg)
+
     return payload
 
 
