Ignore JWT expiration when refreshing the Token: Refresh limit should…

… be checked, not the JWT expiration. See jpadilla#92
tleguijt · Mar 15, 2016 · 59e6c82 · 59e6c82
1 parent 625d45d
commit 59e6c82
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 5 deletions.
diff --git a/rest_framework_jwt/serializers.py b/rest_framework_jwt/serializers.py
@@ -81,11 +81,11 @@ def validate(self, attrs):
         msg = 'Please define a validate method.'
         raise NotImplementedError(msg)
 
-    def _check_payload(self, token):
+    def _check_payload(self, token, force_ignore_verify=False):
         # Check payload valid (based off of JSONWebTokenAuthentication,
         # may want to refactor)
         try:
-            payload = jwt_decode_handler(token)
+            payload = jwt_decode_handler(token, force_ignore_verify)
         except jwt.ExpiredSignature:
             msg = _('Signature has expired.')
             raise serializers.ValidationError(msg)
@@ -141,7 +141,7 @@ class RefreshJSONWebTokenSerializer(VerificationBaseSerializer):
     def validate(self, attrs):
         token = attrs['token']
 
-        payload = self._check_payload(token=token)
+        payload = self._check_payload(token=token, force_ignore_verify=True)
         user = self._check_user(payload=payload)
         # Get and check 'orig_iat'
         orig_iat = payload.get('orig_iat')

diff --git a/rest_framework_jwt/utils.py b/rest_framework_jwt/utils.py
@@ -70,9 +70,9 @@ def jwt_encode_handler(payload):
     ).decode('utf-8')
 
 
-def jwt_decode_handler(token):
+def jwt_decode_handler(token, force_ignore_verify=False):
     options = {
-        'verify_exp': api_settings.JWT_VERIFY_EXPIRATION,
+        'verify_exp': api_settings.JWT_VERIFY_EXPIRATION if not force_ignore_verify else False,
     }
 
     return jwt.decode(

diff --git a/tests/test_views.py b/tests/test_views.py
@@ -356,6 +356,23 @@ def test_refresh_jwt_after_refresh_expiration(self):
         self.assertEqual(response.data['non_field_errors'][0],
                          'Refresh has expired.')
 
+    def test_refresh_jwt_after_jwt_expiration(self):
+        """
+        Test that token can be refreshed after token expiratoin but before token refresh limit
+        """
+        client = APIClient(enforce_csrf_checks=True)
+
+        orig_iat = (datetime.utcnow() + api_settings.JWT_REFRESH_EXPIRATION_DELTA)
+        token = self.create_token(
+            self.user,
+            exp=datetime.utcnow() - timedelta(hours=1),
+            orig_iat=orig_iat
+        )
+
+        response = client.post('/auth-token-refresh/', {'token': token},
+                               format='json')
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
     def tearDown(self):
         # Restore original settings
         api_settings.JWT_ALLOW_REFRESH = DEFAULTS['JWT_ALLOW_REFRESH']