Merge pull request #33289 from raccoongang/rg/feat/FC0031/add_bearer_authorization_in_delete_user_api

feat: [FC-0031] Add Bearer Authentication to Delete Account view
2023-09-26 07:49:38 -04:00
parent c7c2d916de cd3abbfdb4
commit 437b7e6219
2 changed files with 22 additions and 1 deletions
--- a/openedx/core/djangoapps/user_api/accounts/tests/test_retirement_views.py
+++ b/openedx/core/djangoapps/user_api/accounts/tests/test_retirement_views.py
@@ -74,6 +74,7 @@ from common.djangoapps.student.tests.factories import (
 from openedx.core.djangolib.testing.utils import skip_unless_lms
 from xmodule.modulestore.tests.django_utils import ModuleStoreTestCase  # lint-amnesty, pylint: disable=wrong-import-order
 from xmodule.modulestore.tests.factories import CourseFactory  # lint-amnesty, pylint: disable=wrong-import-order
+from openedx.core.djangoapps.oauth_dispatch.tests.factories import ApplicationFactory, AccessTokenFactory

 from ...tests.factories import UserOrgTagFactory
 from ..views import USER_PROFILE_PII, AccountRetirementView
@@ -263,6 +264,22 @@ class TestDeactivateLogout(RetirementTestCase):
        response = self.client.post(self.url, self.build_post(self.test_password), **headers)
        assert response.status_code == status.HTTP_403_FORBIDDEN

+    def test_bearer_auth(self):
+        """
+        Test the account deactivation/logout endpoint using Bearer auth
+        """
+        # testing with broken token
+        headers = {'HTTP_AUTHORIZATION': 'Bearer broken_token'}
+        response = self.client.post(self.url, self.build_post(self.test_password), **headers)
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+        # testing with correct token
+        access_token = AccessTokenFactory(user=self.test_user,
+                                          application=ApplicationFactory(name="test_bearer",
+                                                                         user=self.test_user)).token
+        headers = {'HTTP_AUTHORIZATION': f'Bearer {access_token}'}
+        response = self.client.post(self.url, self.build_post(self.test_password), **headers)
+        assert response.status_code == status.HTTP_204_NO_CONTENT
+

@skip_unless_lms
 class TestPartnerReportingCleanup(ModuleStoreTestCase):
--- a/openedx/core/djangoapps/user_api/accounts/views.py
+++ b/openedx/core/djangoapps/user_api/accounts/views.py
@@ -21,6 +21,7 @@ from django.utils.translation import gettext as _
 from edx_ace import ace
 from edx_ace.recipient import Recipient
 from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
+from openedx.core.lib.api.authentication import BearerAuthentication
 from edx_rest_framework_extensions.auth.session.authentication import SessionAuthenticationAllowInactiveUser
 from enterprise.models import EnterpriseCourseEnrollment, EnterpriseCustomerUser, PendingEnterpriseCustomerUser
 from integrated_channels.degreed.models import DegreedLearnerDataTransmissionAudit
@@ -567,7 +568,10 @@ class DeactivateLogoutView(APIView):
    -  Log the user out
    - Create a row in the retirement table for that user
    """
-    authentication_classes = (JwtAuthentication, SessionAuthentication,)
+    # BearerAuthentication is added here to support account deletion
+    # from the mobile app until it moves to JWT Auth.
+    # See mobile roadmap issue https://github.com/openedx/edx-platform/issues/33307.
+    authentication_classes = (JwtAuthentication, SessionAuthentication, BearerAuthentication)
    permission_classes = (permissions.IsAuthenticated,)

    def post(self, request):