fix: JwtAuthentication with Django request (#406)

Fixed bug where JwtAuthentication called with a Django request
instead of a DRF request would fail. Also added custom attribute
jwt_auth_request_user_not_found to track down these unexpected
cases.

CHANGELOG.rst

@@ -12,6 +12,13 @@ Change Log
 Unreleased
 ----------
 
+[8.13.1] - 2023-11-15
+---------------------
+
+Fixed
+~~~~~
+* Fixed bug where JwtAuthentication called with a Django request instead of a DRF request would fail. Also added custom attribute jwt_auth_request_user_not_found to track down these unexpected cases.
+
 [8.13.0] - 2023-10-30
 ---------------------
 

edx_rest_framework_extensions/__init__.py

@@ -1,3 +1,3 @@
 """ edx Django REST Framework extensions. """
 
-__version__ = '8.13.0'  # pragma: no cover
+__version__ = '8.13.1'  # pragma: no cover

edx_rest_framework_extensions/auth/jwt/authentication.py

@@ -330,9 +330,18 @@ def _is_jwt_cookie_and_session_user_mismatch(self, request, jwt_user_id):
             set_custom_attribute('skip_jwt_vs_session_check', True)
             return False
 
+        wsgi_request = getattr(request, '_request', request)
+        if wsgi_request == request:
+            # .. custom_attribute_name: jwt_auth_with_django_request
+            # .. custom_attribute_description: There exists custom authentication code in the platform that is
+            #      calling JwtAuthentication with a Django request, rather than the expected DRF request. This
+            #      custom attribute could be used to track down those usages and find ways to elimitate custom
+            #      authentication code that lives outside of this library.
+            set_custom_attribute('jwt_auth_with_django_request', True)
+
         # Get the session-based user from the underlying HttpRequest object.
         # This line taken from DRF SessionAuthentication.
-        user = getattr(request._request, 'user', None)  # pylint: disable=protected-access
+        user = getattr(wsgi_request, 'user', None)
         if not user:  # pragma: no cover
             # .. custom_attribute_name: jwt_auth_request_user_not_found
             # .. custom_attribute_description: This custom attribute shows when a

edx_rest_framework_extensions/auth/jwt/tests/test_authentication.py

@@ -230,6 +230,33 @@ def test_authenticate_with_correct_jwt_cookie(self, mock_set_custom_attribute, m
         is_forgiving_jwt_cookies_enabled = get_setting(ENABLE_FORGIVING_JWT_COOKIES)
         mock_set_custom_attribute.assert_any_call('is_forgiving_jwt_cookies_enabled', is_forgiving_jwt_cookies_enabled)
         mock_set_custom_attribute.assert_any_call('jwt_auth_result', 'success-cookie')
+        set_custom_attribute_keys = [call.args[0] for call in mock_set_custom_attribute.call_args_list]
+        assert 'jwt_auth_with_django_request' not in set_custom_attribute_keys
+
+    @mock.patch.object(JwtAuthentication, 'enforce_csrf')
+    @mock.patch('edx_rest_framework_extensions.auth.jwt.authentication.set_custom_attribute')
+    def test_authenticate_with_correct_jwt_cookie_and_django_request(
+        self, mock_set_custom_attribute, mock_enforce_csrf
+    ):
+        """
+        Verify authenticate succeeds with a valid JWT cookie and a Django request.
+
+        Note that JwtAuthentication is a DRF class, so a DRF request is expected. However,
+        there is custom authentication code that passes in a Django request, so this test
+        ensures backward compatibility. A custom attribute has been added to track down this
+        custom authentication code.
+        """
+        request = RequestFactory().post('/')
+        request.META[USE_JWT_COOKIE_HEADER] = 'true'
+        request.COOKIES[jwt_cookie_name()] = self._get_test_jwt_token()
+
+        assert JwtAuthentication().authenticate(request)
+        mock_enforce_csrf.assert_called_with(request)
+        is_forgiving_jwt_cookies_enabled = get_setting(ENABLE_FORGIVING_JWT_COOKIES)
+        mock_set_custom_attribute.assert_any_call('is_forgiving_jwt_cookies_enabled', is_forgiving_jwt_cookies_enabled)
+        if is_forgiving_jwt_cookies_enabled:
+            mock_set_custom_attribute.assert_any_call('jwt_auth_with_django_request', True)
+        mock_set_custom_attribute.assert_any_call('jwt_auth_result', 'success-cookie')
 
     @mock.patch('edx_rest_framework_extensions.auth.jwt.authentication.set_custom_attribute')
     def test_authenticate_csrf_protected(self, mock_set_custom_attribute):