Misc fixes

README.md

@@ -34,10 +34,11 @@ AUTHENTICATION_BACKENDS = (
 )
 ```
 
-Add the new accounts middleware to `MIDDLEWARE`
+Add the new accounts middleware to `MIDDLEWARE`. Note the middleware does not need to be at the top of the list, but should be placed above the default Django middleware.
 
 ```python
 MIDDLEWARE = [
+    ...
     'accounts.middleware.OAuth2TokenMiddleware',
     ...
 ]

accounts/ipc.py

@@ -19,14 +19,16 @@ def authenticated_request(user, method, url,
 
     # Access token is expired. Try to refresh access token
     if user.accesstoken.expires_at < timezone.now():
-        if not refresh_access_token(user):
+        if not _refresh_access_token(user):
             return None  # Couldn't update access token
 
     # Update Headers
     headers = headers or {}
     headers['Authorization'] = f'Bearer {user.accesstoken.token}'
 
-    # Make request
+    # Make the request
+    # We're only using a session to provide an easy wrapper to define the http method
+    # GET, POST, etc in the method call.
     s = requests.Session()
     return s.request(
         method=method,
@@ -48,7 +50,7 @@ def authenticated_request(user, method, url,
     )
 
 
-def refresh_access_token(user):
+def _refresh_access_token(user):
     """
     Helper method to update a user's access token. Should be used when a user's
     access token has expired, but still has a valid refresh token.

accounts/middleware.py

@@ -38,6 +38,9 @@ def __call__(self, request):
                     else:  # Access token is invalid
                         return HttpResponseForbidden()
                 except requests.exceptions.RequestException:  # Can't connect to platform
+                    # Throw a 403 because we can't verify the incoming access token so we
+                    # treat it as invalid. Ideally platform will never go down, so this
+                    # should never happen.
                     return HttpResponseForbidden()
 
         response = self.get_response(request)

tests/test_ipc.py

@@ -6,7 +6,7 @@
 from django.test import Client, TestCase
 from django.utils import timezone
 
-from accounts.ipc import authenticated_request, refresh_access_token
+from accounts.ipc import _refresh_access_token, authenticated_request
 from accounts.models import AccessToken, RefreshToken
 
 
@@ -18,7 +18,7 @@ def setUp(self):
         AccessToken.objects.create(user=self.user, expires_at=self.now, token=self.token)
         RefreshToken.objects.create(user=self.user)
 
-    @patch('accounts.ipc.refresh_access_token')
+    @patch('accounts.ipc._refresh_access_token')
     def test_update_refresh_token_fail(self, mock_refresh):
         mock_refresh.return_value = False
         self.assertFalse(authenticated_request(self.user, None, None))
@@ -49,7 +49,7 @@ def setUp(self):
     def test_valid_refresh_token(self, mock_post):
         mock_post.return_value.status_code = 200
         mock_post.return_value.json.return_value = self.valid_response
-        value = refresh_access_token(self.user)
+        value = _refresh_access_token(self.user)
         diff = self.now + timedelta(seconds=self.valid_response['expires_in'])
         self.assertTrue(value)
         self.assertTrue(diff < self.user.accesstoken.expires_at)
@@ -58,7 +58,7 @@ def test_valid_refresh_token(self, mock_post):
 
     def test_exception_occurred(self, mock_post):
         mock_post.side_effect = requests.exceptions.RequestException
-        value = refresh_access_token(self.user)
+        value = _refresh_access_token(self.user)
         self.assertFalse(value)
         self.assertNotEqual(self.valid_response['access_token'], self.user.accesstoken.token)
         self.assertNotEqual(self.valid_response['refresh_token'], self.user.refreshtoken.token)