Merge 59da092 into 1602300

.gitignore

@@ -0,0 +1,93 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Sublime Text
+*.sublime*
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*,cover
+.hypothesis/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+manage.py
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# IPython Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# dotenv
+.env
+
+# virtualenv
+venv/
+ENV/
+
+# Spyder project settings
+.spyderproject
+
+# Rope project settings
+.ropeproject

.travis.yml

@@ -0,0 +1,67 @@
+language: python
+
+cache: pip
+sudo: false
+
+env:
+  - TOX_ENV=py27-flake8
+
+  - TOX_ENV=py27-django1.8-drf3.1
+  - TOX_ENV=py27-django1.8-drf3.2
+  - TOX_ENV=py27-django1.8-drf3.3
+  - TOX_ENV=py27-django1.8-drf3.4
+  - TOX_ENV=py27-django1.8-drf3.5
+
+  - TOX_ENV=py27-django1.9-drf3.1
+  - TOX_ENV=py27-django1.9-drf3.2
+  - TOX_ENV=py27-django1.9-drf3.3
+  - TOX_ENV=py27-django1.9-drf3.4
+  - TOX_ENV=py27-django1.9-drf3.5
+
+  - TOX_ENV=py27-django1.10-drf3.4
+  - TOX_ENV=py27-django1.10-drf3.5
+
+  - TOX_ENV=py27-django1.11-drf3.4
+  - TOX_ENV=py27-django1.11-drf3.5
+
+  - TOX_ENV=py34-django1.8-drf3.1
+  - TOX_ENV=py34-django1.8-drf3.2
+  - TOX_ENV=py34-django1.8-drf3.3
+  - TOX_ENV=py34-django1.8-drf3.4
+  - TOX_ENV=py34-django1.8-drf3.5
+
+  - TOX_ENV=py34-django1.9-drf3.1
+  - TOX_ENV=py34-django1.9-drf3.2
+  - TOX_ENV=py34-django1.9-drf3.3
+  - TOX_ENV=py34-django1.9-drf3.4
+  - TOX_ENV=py34-django1.9-drf3.5
+
+  - TOX_ENV=py34-django1.10-drf3.4
+  - TOX_ENV=py34-django1.10-drf3.5
+
+  - TOX_ENV=py34-django1.11-drf3.4
+  - TOX_ENV=py34-django1.11-drf3.5
+
+  - TOX_ENV=py35-django1.10-drf3.4
+  - TOX_ENV=py35-django1.10-drf3.5
+
+  - TOX_ENV=py35-django1.11-drf3.4
+  - TOX_ENV=py35-django1.11-drf3.5
+
+matrix:
+  fast_finish: true
+
+install:
+  - pip install tox coverage coveralls
+
+script:
+  - tox -e $TOX_ENV
+
+after_success:
+  - coverage report -m
+  - coveralls
+
+notifications:
+  email:
+    recipients:
+      - team@arabel.la

CHANGELOG.txt

@@ -0,0 +1,2 @@
+# Change Log
+All notable changes to this project will be documented in this file.

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Arabella
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

MANIFEST.in

@@ -0,0 +1,5 @@
+include README.rst
+include LICENSE
+include requirements/*
+recursive-exclude * __pycache__
+recursive-exclude * *.py[co]

README.rst

@@ -0,0 +1,113 @@
+===============
+drf-jwt-devices
+===============
+|travis|_ |pypi|_ |coveralls|_ |requiresio|_
+
+Permanent token feature for `Django Rest Framework JWT <https://github.com/GetBlimp/django-rest-framework-jwt>`_
+
+By default JWT tokens have short lifetime because of security reasons, but sometimes you may want to keep user logged
+in, without the need to refresh the auth token each 5 minutes. For this case, you should consider using the permanent
+token authentication.
+
+Installation
+============
+To use, add ``jwt_devices`` to your ``INSTALLED_APPS``, and then migrate the project.
+
+Configuration
+-------------
+
+To enable permanent token authentication, update rest framework's default authentication classes list:
+::
+
+    REST_FRAMEWORK={
+        "DEFAULT_AUTHENTICATION_CLASSES": [
+            "jwt_devices.authentication.PermanentTokenAuthentication"
+        ]
+    }
+
+Another step is to add a few urls to your url patterns, and register the ``DeviceViewSet``:
+::
+
+  from jwt_devices import views
+  from rest_framework.routers import DefaultRouter
+
+  router = DefaultRouter()
+  router.register(r'devices', views.DeviceViewSet)
+  
+  urlpatterns = [
+      # ...
+      url(r'^device-refresh-token/$', views.device_refresh_token),
+      url(r'^device-logout/$', views.device_logout)
+  ] + router.urls
+
+
+Using the API views
+-------------------
+
+**Login & logout view**
+
+When using the regular JWT login or the device logout view, use the ``X-Device-Model`` header to pass device model
+(otherwise, user agent will used instead as the name). After a successful login, the permanent token and id of the
+created device will be returned, for example:
+::
+
+  {
+      "token": "ads344fdgfd5454yJ0eAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VynRlYW1AYXJhYmVsLmxh",
+      "permanent_token": "gfd5454yJ0eAiOiJKV1QiLCJhbGciOiJ",
+      "device_id": 1
+  }
+
+The ``device_id`` is used to logout the device, so it should be saved on the front-end side (in local storage, for
+example).
+
+To logout a device, make a **DELETE** request to the ``rest_framework_jwt.views.device_logout`` view, passing device's
+id in the ``Device-Id`` header to identify the device.
+
+**Refresh JWT token using permanent token**
+
+To refresh JWT token, you have to pass the ``Permanent-Token`` header along with the request to identify the device.
+On success, response will return new JWT token (the same as it does after login).
+
+In case the permanent token has expired, the device will be logged out, and it will require login in again to obtain a
+new permanent token. To customize the expiration time and expiration accuracy, set the following settings in your
+``REST_FRAMEWORK`` configuration in **settings.py**
+
+
+**PermitHeaders middleware**
+
+As you may know, the content of a permanent token is a very fragile information, which should be sent along with a
+request only when it is needed. To avoid situations in which a front-end developer has incorrectly implemented the
+permanent token authentication on the front-end side and the permanent token value is sent with all requests
+(just like the JWT token), the ``jwt_devices.middleware.PermitHeadersMiddleware`` comes in handy. The middleware looks
+for ``Permanent-Token`` in the headers, and checks if the view is not the
+``jwt_devices.views.DeviceRefreshJSONWebToken`` in which the ``Permanent-Token`` header is obligatory, otherwise it
+returns a **400 Bad Request** error.
+
+To use the ``PermitHeadersMiddleware`` in your application, add ``jwt_devices.middleware.PermitHeadersMiddleware``
+to your ``MIDDLEWARES`` or ``MIDDLEWARE_CLASSES`` (in Django <1.10) in Django settings.
+
+**Settings**
+
+* ``JWT_PERMANENT_TOKEN_AUTH`` - option to enable/disable the permanent token authentication (default: ``True``)
+* ``JWT_PERMANENT_TOKEN_EXPIRATION_DELTA`` - describes how long can the permanent token live
+  (default: ``datetime.timedelta(days=7)``)
+* ``JWT_PERMANENT_TOKEN_EXPIRATION_ACCURACY`` - the accuracy of updating permanent token last request time to decrease
+  the number of database queries (default: ``datetime.timedelta(minutes=30)``)
+
+Support
+=======
+* Django 1.8 - 1.11
+* Django Rest Framework 3.1 - 3.5
+* Python 2.7, 3.4, 3.5, 3.6
+
+.. |travis| image:: https://secure.travis-ci.org/ArabellaTech/drf-jwt-devices.svg?branch=master
+.. _travis: http://travis-ci.org/ArabellaTech/drf-jwt-devices
+
+.. |pypi| image:: https://img.shields.io/pypi/v/drf-jwt-devices.svg
+.. _pypi: https://pypi.python.org/pypi/drf-jwt-devices
+
+.. |coveralls| image:: https://coveralls.io/repos/github/ArabellaTech/drf-jwt-devices/badge.svg?branch=master
+.. _coveralls: https://coveralls.io/github/ArabellaTech/drf-jwt-devices
+
+.. |requiresio| image:: https://requires.io/github/ArabellaTech/drf-jwt-devices/requirements.svg?branch=master
+.. _requiresio: https://requires.io/github/ArabellaTech/drf-jwt-devices/requirements/

jwt_devices/__init__.py

@@ -0,0 +1,9 @@
+# -*- coding: utf-8 -*-
+__title__ = "Django Rest Framework JWT Devices"
+__version__ = "0.1"
+__author__ = "Michal Proszek"
+__license__ = "MIT"
+__copyright__ = "Copyright 2017 Arabella"
+
+# Version synonym
+VERSION = __version__

jwt_devices/authentication.py

@@ -0,0 +1,35 @@
+import jwt
+from django.utils.translation import ugettext as _
+from rest_framework import exceptions
+from rest_framework_jwt.authentication import JSONWebTokenAuthentication
+from rest_framework_jwt.settings import api_settings as rfj_settings
+
+from jwt_devices.settings import api_settings
+
+jwt_decode_handler = rfj_settings.JWT_DECODE_HANDLER
+jwt_devices_decode_handler = api_settings.JWT_DEVICES_DECODE_HANDLER
+
+
+class PermanentTokenAuthentication(JSONWebTokenAuthentication):
+    def authenticate(self, request):
+        jwt_value = self.get_jwt_value(request)
+        if jwt_value is None:
+            return None
+
+        try:
+            if api_settings.JWT_PERMANENT_TOKEN_AUTH:
+                payload = jwt_devices_decode_handler(jwt_value)
+            else:
+                payload = jwt_decode_handler(jwt_value)
+        except jwt.ExpiredSignature:
+            msg = _("Signature has expired.")
+            raise exceptions.AuthenticationFailed(msg)
+        except jwt.DecodeError:
+            msg = _("Error decoding signature.")
+            raise exceptions.AuthenticationFailed(msg)
+        except jwt.InvalidTokenError:
+            raise exceptions.AuthenticationFailed()
+
+        user = self.authenticate_credentials(payload)
+
+        return user, jwt_value

jwt_devices/middleware.py

@@ -0,0 +1,30 @@
+from django.http.response import JsonResponse
+from django.utils.translation import ugettext_lazy as _
+from rest_framework import status
+
+from jwt_devices import views
+from jwt_devices.settings import api_settings
+
+
+class PermitHeadersMiddleware(object):
+    """
+    Middleware used to disallow sending the permanent_token header in other requests than during permanent token
+    refresh to make sure naive FE developers do not send the fragile permanent token with each request.
+    """
+
+    def __init__(self, get_response=None):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        if self.get_response:
+            return self.get_response(request)
+
+    def process_view(self, request, view_func, view_args, view_kwargs):
+        view_cls = getattr(view_func, "cls", None)
+        if (view_cls and api_settings.JWT_PERMANENT_TOKEN_AUTH and request.META.get("HTTP_PERMANENT_TOKEN") and
+                view_cls != views.DeviceRefreshJSONWebToken):
+            return JsonResponse({
+                "HTTP_PERMANENT_TOKEN": {
+                    "details": _("Using the Permanent-Token header is disallowed for {}").format(type(view_cls))
+                }
+            }, status=status.HTTP_400_BAD_REQUEST)