diff --git a/openedx/core/djangoapps/user_authn/cookies.py b/openedx/core/djangoapps/user_authn/cookies.py
index d21cf6cf6c..8fec6cb633 100644
--- a/openedx/core/djangoapps/user_authn/cookies.py
+++ b/openedx/core/djangoapps/user_authn/cookies.py
@@ -158,9 +158,9 @@ def refresh_jwt_cookies(request, response, user):
     """
     Resets the JWT related cookies in the response for the given user.
     """
-    if user.is_authenticated and not user.is_anonymous:
-        cookie_settings = standard_cookie_settings(request)
-        _create_and_set_jwt_cookies(response, request, cookie_settings, user=user)
+    cookie_settings = standard_cookie_settings(request)
+    _create_and_set_jwt_cookies(response, request, cookie_settings, user=user)
+    return response
diff --git a/openedx/core/djangoapps/user_authn/tests/test_cookies.py b/openedx/core/djangoapps/user_authn/tests/test_cookies.py
index f6a18fc39e..359915a4b0 100644
--- a/openedx/core/djangoapps/user_authn/tests/test_cookies.py
+++ b/openedx/core/djangoapps/user_authn/tests/test_cookies.py
@@ -138,9 +138,3 @@ class CookieTests(TestCase):
         self._assert_cookies_present(response, cookies_api.JWT_COOKIE_NAMES)
         self._assert_consistent_expires(response, num_of_unique_expires=1)
         self._assert_recreate_jwt_from_cookies(response, can_recreate=True)
-
-    @patch.dict("django.conf.settings.FEATURES", {"DISABLE_SET_JWT_COOKIES_FOR_TESTS": False})
-    def test_refresh_jwt_cookies_anonymous_user(self):
-        anonymous_user = AnonymousUserFactory()
-        response = cookies_api.refresh_jwt_cookies(self.request, HttpResponse(), anonymous_user)
-        self._assert_cookies_present(response, [])
diff --git a/openedx/core/djangoapps/user_authn/views/login.py b/openedx/core/djangoapps/user_authn/views/login.py
index c5f61a1dd3..71d4180aa1 100644
--- a/openedx/core/djangoapps/user_authn/views/login.py
+++ b/openedx/core/djangoapps/user_authn/views/login.py
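Review bot: With the `is_authenticated`/`is_anonymous` guard removed, `refresh_jwt_cookies` now mints JWT cookies for whatever `user` it is handed, so every caller — not only `login_refresh` — must enforce authentication before calling it, and the docstring does not say so. A defense-in-depth check that refuses loudly rather than silently skipping would keep the helper safe by construction without changing the new always-set contract: `if not user.is_authenticated or user.is_anonymous:` / `    raise ValueError('refresh_jwt_cookies requires an authenticated user')`. At minimum the docstring should state that ``user`` must be an authenticated, non-anonymous user, that the cookies are always written, and that ``response`` is returned for chaining. The same commit deletes the only unit test that exercised the anonymous case (test_cookies.py), so the view-level test in test_login.py is now the sole guard on this behaviour. The lines following `return response` are not visible in this hunk.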
@@ -367,9 +367,11 @@ def login_user(request):
 # to get a CSRF token before we need to refresh adds too much
 # complexity.
 @csrf_exempt
-@login_required
 @require_http_methods(['POST'])
 def login_refresh(request):
+    if not request.user.is_authenticated or request.user.is_anonymous:
+        return JsonResponse('Unauthorized', status=401)
+
     try:
         response = JsonResponse({'success': True})
         return refresh_jwt_cookies(request, response, request.user)
diff --git a/openedx/core/djangoapps/user_authn/views/tests/test_login.py b/openedx/core/djangoapps/user_authn/views/tests/test_login.py
index 29e10cc941..ff87762acc 100644
--- a/openedx/core/djangoapps/user_authn/views/tests/test_login.py
+++ b/openedx/core/djangoapps/user_authn/views/tests/test_login.py
@@ -302,6 +302,12 @@ class LoginTest(CacheIsolationTestCase):
         response = self.client.post(reverse('login_refresh'))
         _assert_jwt_cookie_present(response)
+    @patch.dict("django.conf.settings.FEATURES", {"DISABLE_SET_JWT_COOKIES_FOR_TESTS": False})
+    def test_login_refresh_anonymous_user(self):
+        response = self.client.post(reverse('login_refresh'))
+        self.assertEqual(response.status_code, 401)
+        self.assertNotIn(jwt_cookies.jwt_cookie_header_payload_name(), self.client.cookies)
+
     @patch.dict("django.conf.settings.FEATURES", {'PREVENT_CONCURRENT_LOGINS': True})
     def test_single_session(self):
         creds = {'email': 'test@edx.org', 'password': 'test_password'}
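Review bot: The new 401 branch returns a bare string while the success path on the next lines returns a dict (`{'success': True}`), so clients get two different JSON shapes from the same endpoint; `return JsonResponse({'success': False, 'error': 'Unauthorized'}, status=401)` keeps them consistent. If `JsonResponse` here is Django's `django.http.JsonResponse` rather than a project wrapper (the import is outside the hunk), a non-dict payload raises `TypeError` unless `safe=False` is passed, so the dict form is also the one that behaves the same under either implementation. `request.user.is_anonymous` is the complement of `is_authenticated` on Django's user objects, so the second half of the condition is redundant and `if not request.user.is_authenticated:` reads cleaner. Replacing `@login_required` (a redirect to the login page) with an explicit 401 is the right behaviour for a JSON endpoint, but a one-line comment above the check explaining why the decorator was dropped would stop someone reinstating it. The body of `login_refresh` continues past the end of the hunk.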
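Review bot: `test_login_refresh_anonymous_user` asserts only that the header-payload cookie is absent, so a partial refresh that set any other JWT cookie name would still pass. Iterating the full list of JWT cookie names — `cookies_api.JWT_COOKIE_NAMES` is used for this in test_cookies.py, if it is importable here — with `for name in JWT_COOKIE_NAMES: self.assertNotIn(name, self.client.cookies)` would cover all of them. It would also be worth asserting on the 401 response body, not just the status code, so a future change to the error payload is caught.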