Return 401 from login_refresh if the user is not authenticated.

2019-04-10 13:59:40 -04:00
parent 2430136fcd
commit c4a26571cc
4 changed files with 12 additions and 10 deletions
--- a/openedx/core/djangoapps/user_authn/cookies.py
+++ b/openedx/core/djangoapps/user_authn/cookies.py
@@ -158,9 +158,9 @@ def refresh_jwt_cookies(request, response, user):
    """
    Resets the JWT related cookies in the response for the given user.
    """
-    if user.is_authenticated and not user.is_anonymous:
-        cookie_settings = standard_cookie_settings(request)
-        _create_and_set_jwt_cookies(response, request, cookie_settings, user=user)
+    cookie_settings = standard_cookie_settings(request)
+    _create_and_set_jwt_cookies(response, request, cookie_settings, user=user)
+
    return response


--- a/openedx/core/djangoapps/user_authn/tests/test_cookies.py
+++ b/openedx/core/djangoapps/user_authn/tests/test_cookies.py
@@ -138,9 +138,3 @@ class CookieTests(TestCase):
        self._assert_cookies_present(response, cookies_api.JWT_COOKIE_NAMES)
        self._assert_consistent_expires(response, num_of_unique_expires=1)
        self._assert_recreate_jwt_from_cookies(response, can_recreate=True)
-
-    @patch.dict("django.conf.settings.FEATURES", {"DISABLE_SET_JWT_COOKIES_FOR_TESTS": False})
-    def test_refresh_jwt_cookies_anonymous_user(self):
-        anonymous_user = AnonymousUserFactory()
-        response = cookies_api.refresh_jwt_cookies(self.request, HttpResponse(), anonymous_user)
-        self._assert_cookies_present(response, [])
--- a/openedx/core/djangoapps/user_authn/views/login.py
+++ b/openedx/core/djangoapps/user_authn/views/login.py
@@ -367,9 +367,11 @@ def login_user(request):
 # to get a CSRF token before we need to refresh adds too much
 # complexity.
@csrf_exempt
-@login_required
@require_http_methods(['POST'])
 def login_refresh(request):
+    if not request.user.is_authenticated or request.user.is_anonymous:
+        return JsonResponse('Unauthorized', status=401)
+
    try:
        response = JsonResponse({'success': True})
        return refresh_jwt_cookies(request, response, request.user)
--- a/openedx/core/djangoapps/user_authn/views/tests/test_login.py
+++ b/openedx/core/djangoapps/user_authn/views/tests/test_login.py
@@ -302,6 +302,12 @@ class LoginTest(CacheIsolationTestCase):
        response = self.client.post(reverse('login_refresh'))
        _assert_jwt_cookie_present(response)

+    @patch.dict("django.conf.settings.FEATURES", {"DISABLE_SET_JWT_COOKIES_FOR_TESTS": False})
+    def test_login_refresh_anonymous_user(self):
+        response = self.client.post(reverse('login_refresh'))
+        self.assertEqual(response.status_code, 401)
+        self.assertNotIn(jwt_cookies.jwt_cookie_header_payload_name(), self.client.cookies)
+
    @patch.dict("django.conf.settings.FEATURES", {'PREVENT_CONCURRENT_LOGINS': True})
    def test_single_session(self):
        creds = {'email': 'test@edx.org', 'password': 'test_password'}