From 4c50ad0a435dfc4598d8b41965782393042a4672 Mon Sep 17 00:00:00 2001
From: Kyrylo Kireiev
Date: Fri, 8 Sep 2023 12:15:24 +0000
Subject: [PATCH 1/2] feat: [AXIM-44] Adapt Delete Account to Bearer Authorization
---
 .../accounts/tests/test_retirement_views.py | 17 +++++++++++++++++
 .../core/djangoapps/user_api/accounts/views.py | 3 ++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/openedx/core/djangoapps/user_api/accounts/tests/test_retirement_views.py b/openedx/core/djangoapps/user_api/accounts/tests/test_retirement_views.py
index 8f34d4ba42..6ec6e3694f 100644
--- a/openedx/core/djangoapps/user_api/accounts/tests/test_retirement_views.py
+++ b/openedx/core/djangoapps/user_api/accounts/tests/test_retirement_views.py
@@ -74,6 +74,7 @@ from common.djangoapps.student.tests.factories import (
 from openedx.core.djangolib.testing.utils import skip_unless_lms
 from xmodule.modulestore.tests.django_utils import ModuleStoreTestCase # lint-amnesty, pylint: disable=wrong-import-order
 from xmodule.modulestore.tests.factories import CourseFactory # lint-amnesty, pylint: disable=wrong-import-order
+from openedx.core.djangoapps.oauth_dispatch.tests.factories import ApplicationFactory, AccessTokenFactory
 from ...tests.factories import UserOrgTagFactory
 from ..views import USER_PROFILE_PII, AccountRetirementView
@@ -263,6 +264,22 @@ class TestDeactivateLogout(RetirementTestCase):
 response = self.client.post(self.url, self.build_post(self.test_password), **headers)
 assert response.status_code == status.HTTP_403_FORBIDDEN
+ def test_bearer_auth(self):
+ """
+ Test the account deactivation/logout endpoint using Bearer auth
+ """
+ # testing with broken token
+ headers = {'HTTP_AUTHORIZATION': 'Bearer broken_token'}
+ response = self.client.post(self.url, self.build_post(self.test_password), **headers)
+ assert response.status_code == status.HTTP_401_UNAUTHORIZED
+ # testing with correct token
+ access_token = AccessTokenFactory(user=self.test_user,
+ application=ApplicationFactory(name="test_bearer",
+ user=self.test_user)).token
+ headers = {'HTTP_AUTHORIZATION': f'Bearer {access_token}'}
+ response = self.client.post(self.url, self.build_post(self.test_password), **headers)
+ assert response.status_code == status.HTTP_204_NO_CONTENT
+
 @skip_unless_lms
 class TestPartnerReportingCleanup(ModuleStoreTestCase):
diff --git a/openedx/core/djangoapps/user_api/accounts/views.py b/openedx/core/djangoapps/user_api/accounts/views.py
index a2598013f6..ab178d07eb 100644
--- a/openedx/core/djangoapps/user_api/accounts/views.py
+++ b/openedx/core/djangoapps/user_api/accounts/views.py
@@ -21,6 +21,7 @@ from django.utils.translation import gettext as _
 from edx_ace import ace
 from edx_ace.recipient import Recipient
 from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
+from openedx.core.lib.api.authentication import BearerAuthentication
 from edx_rest_framework_extensions.auth.session.authentication import SessionAuthenticationAllowInactiveUser
 from enterprise.models import EnterpriseCourseEnrollment, EnterpriseCustomerUser, PendingEnterpriseCustomerUser
 from integrated_channels.degreed.models import DegreedLearnerDataTransmissionAudit
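Review bot: test_bearer_auth exercises only a malformed token and a freshly issued one, so the rejections that matter for an account-deletion endpoint — an expired token and a token issued to a different user — are not covered. If AccessTokenFactory passes the model's `expires` field through, one more case does it: `expired = AccessTokenFactory(user=self.test_user, application=app, expires=timezone.now() - timedelta(seconds=1)).token`, followed by the same post and an `HTTP_401_UNAUTHORIZED` assert (this needs `django.utils.timezone` and `datetime.timedelta` imported), and it has to run before the valid-token call, because that call deactivates self.test_user. Splitting the broken-token and valid-token halves into two tests would also keep each failure message unambiguous. Binding the three-line ApplicationFactory(...) call to a local `app` first would read better than nesting it inside the AccessTokenFactory argument list.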
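Review bot: The new `from openedx.core.lib.api.authentication import BearerAuthentication` line is inserted between the two `edx_rest_framework_extensions` imports, splitting a third-party group with a first-party import. isort-style ordering would place it with the file's other `openedx.core` imports, which presumably sit further down in this import block outside the hunk. Moving the line there is the only change needed.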
@@ -567,7 +568,7 @@ class DeactivateLogoutView(APIView):
 - Log the user out
 - Create a row in the retirement table for that user
 """
- authentication_classes = (JwtAuthentication, SessionAuthentication,)
+ authentication_classes = (JwtAuthentication, SessionAuthentication, BearerAuthentication)
 permission_classes = (permissions.IsAuthenticated,)
 def post(self, request):
From 6a1f126be917c69aaa6d0992b754701d701c09ff Mon Sep 17 00:00:00 2001
From: KyryloKireiev
Date: Mon, 25 Sep 2023 14:12:17 +0300
Subject: [PATCH 2/2] fix: (review) Add comment to Delete Account view
---
 openedx/core/djangoapps/user_api/accounts/views.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/openedx/core/djangoapps/user_api/accounts/views.py b/openedx/core/djangoapps/user_api/accounts/views.py
index ab178d07eb..83bdde4f44 100644
--- a/openedx/core/djangoapps/user_api/accounts/views.py
+++ b/openedx/core/djangoapps/user_api/accounts/views.py
@@ -568,6 +568,9 @@ class DeactivateLogoutView(APIView):
 - Log the user out
 - Create a row in the retirement table for that user
 """
+ # BearerAuthentication is added here to support account deletion
+ # from the mobile app until it moves to JWT Auth.
+ # See mobile roadmap issue https://github.com/openedx/edx-platform/issues/33307.
 authentication_classes = (JwtAuthentication, SessionAuthentication, BearerAuthentication)
 permission_classes = (permissions.IsAuthenticated,)
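Review bot: The class docstring, whose start lies outside the hunk, lists what the endpoint does but not how a caller authenticates, and that matters more now that an OAuth2 access token is a third way into an irreversible action. The companion test's `self.build_post(self.test_password)` suggests the POST body must still carry the user's password whichever authenticator is used; if that is the case, a bullet such as `- Accepts JWT, session or OAuth2 Bearer authentication; the request body must still include the account password.` would state the contract callers and reviewers rely on. As far as I recall DRF derives the 401 challenge header from the first class in `authentication_classes`, so a Bearer client with a rejected token is answered with the JWT challenge; harmless, but worth knowing when reading mobile-client logs.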
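Review bot: The added comment explains why BearerAuthentication is present but gives no greppable cue that the arrangement is temporary, which is what a `TODO` tag is for. Rewording the first line to `# TODO: drop BearerAuthentication once the mobile app moves to JWT auth.` and keeping the issue link on the following line makes the removal show up in TODO sweeps once the linked roadmap item closes. The enclosing DeactivateLogoutView class starts and ends outside the hunk.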