Merge pull request #259 from johngian/pr-252

Do not attempt to refresh the token if a non OIDC backend is used.
mozilla · Jul 26, 2018 · 3c12f23 · 3c12f23
2 parents db47d39 + dcf3dd8
commit 3c12f23
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/mozilla_django_oidc/middleware.py b/mozilla_django_oidc/middleware.py
@@ -12,10 +12,13 @@
 except ImportError:
     # Django < 2.0.0
     from django.core.urlresolvers import reverse
+from django.contrib.auth import BACKEND_SESSION_KEY
 from django.http import HttpResponseRedirect, JsonResponse
 from django.utils.crypto import get_random_string
 from django.utils.functional import cached_property
+from django.utils.module_loading import import_string
 
+from mozilla_django_oidc.auth import OIDCAuthenticationBackend
 from mozilla_django_oidc.utils import (
     absolutify,
     import_from_settings,
@@ -74,9 +77,17 @@ def is_refreshable_url(self, request):
         :returns: boolean
 
         """
+        # Do not attempt to refresh the session if the OIDC backend is not used
+        backend_session = request.session.get(BACKEND_SESSION_KEY)
+        is_oidc_enabled = True
+        if backend_session:
+            auth_backend = import_string(backend_session)
+            is_oidc_enabled = issubclass(auth_backend, OIDCAuthenticationBackend)
+
         return (
             request.method == 'GET' and
             is_authenticated(request.user) and
+            is_oidc_enabled and
             request.path not in self.exempt_urls
         )
 

diff --git a/tests/test_middleware.py b/tests/test_middleware.py
@@ -38,19 +38,22 @@ def setUp(self):
 
     def test_anonymous(self):
         request = self.factory.get('/foo')
+        request.session = {}
         request.user = AnonymousUser()
         response = self.middleware.process_request(request)
         self.assertTrue(not response)
 
     def test_is_oidc_path(self):
         request = self.factory.get('/oidc/callback/')
         request.user = AnonymousUser()
+        request.session = {}
         response = self.middleware.process_request(request)
         self.assertTrue(not response)
 
     def test_is_POST(self):
         request = self.factory.post('/foo')
         request.user = AnonymousUser()
+        request.session = {}
         response = self.middleware.process_request(request)
         self.assertTrue(not response)
 
@@ -268,6 +271,7 @@ def test_expired_token_redirects_to_sso(self, mock_random_string):
         # Set expiration to some time in the past
         session = client.session
         session['oidc_id_token_expiration'] = time.time() - 100
+        session['_auth_user_backend'] = 'mozilla_django_oidc.auth.OIDCAuthenticationBackend'
         session.save()
 
         resp = client.get('/mdo_fake_view/')
@@ -316,6 +320,7 @@ def logged_out(sender, user=None, **kwargs):
         # Set expiration to some time in the past
         session = client.session
         session['oidc_id_token_expiration'] = time.time() - 100
+        session['_auth_user_backend'] = 'mozilla_django_oidc.auth.OIDCAuthenticationBackend'
         session.save()
 
         # Confirm that now you're forced to authenticate again.