Changelogs » Edx-drf-extensions







Unit tests run against SQLite failed to catch that the migrations of the new `blacklist` app in `drf-jwt` 1.15.0 and above fail on MySQL, so `drf-jwt` has been pinned back to `drf-jwt==1.14.0`.


5.0.0 is the same release as 4.0.4. It is being released as its own major version, because 4.0.1 had **BREAKING CHANGES** and should have been its own release. This 5.0.0 version is simply being used to call additional attention to the **BREAKING CHANGES** in 4.0.1.

NOTE: At this time, we do not plan on going through the effort of releasing 4.0.5 to revert back to 4.0.0, especially because this may add confusion to those that don't expect this revert.


**WARNING**: **BREAKING CHANGES** were introduced separately in both 4.0.0 and 4.0.1.

This adds the fixes introduced in 3.0.1 to 4.x.x.


**WARNING**: **BREAKING CHANGES** were introduced separately in both 4.0.0 and 4.0.1.

* Removed the version constraint on drf-jwt
* Added support for the latest version of drf-jwt


**WARNING**: **BREAKING CHANGES** were introduced separately in both 4.0.0 and 4.0.1.

Removed upper limit constraint for DRF in requirements.


* All django 2.2 tests were fixed and now edx-drf-extensions properly supports django>=1.11,<=2.2.
* djangorestframework-jwt library was replaced with drf-jwt to support django2.2.

* To preserve compatibility with existing clients, the `JWT_AUTH_HEADER_PREFIX` Django setting must be set to "JWT". This was the default in djangorestframework-jwt, but it changed to "Bearer" in drf-jwt 1.12.8.
* You may also need to add `rest_framework_jwt` and `rest_framework_jwt.blacklist` to the `INSTALLED_APPS` list.
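The two settings above are easy to miss during an upgrade, and a wrong prefix fails closed: every existing client sending `Authorization: JWT <token>` is rejected. The following is an added example, not code from edx-drf-extensions or drf-jwt; it checks a Django settings mapping for the prefix and the two apps, and shows the prefix comparison an auth backend makes. Only the setting and app names come from the changelog, the rest is constructed.

```python
"""Added example (not edx-drf-extensions code): pre-upgrade check for the
JWT_AUTH_HEADER_PREFIX setting and the rest_framework_jwt apps, plus the
header-prefix match that explains why the setting matters."""

# App names taken from the changelog entry above.
REQUIRED_APPS = ("rest_framework_jwt", "rest_framework_jwt.blacklist")


def check_jwt_settings(settings: dict) -> list:
    """Return a list of problems found in a Django settings mapping (empty = OK)."""
    problems = []
    jwt_auth = settings.get("JWT_AUTH", {})
    # drf-jwt 1.12.8 changed its default prefix to "Bearer"; existing edX clients send "JWT".
    prefix = jwt_auth.get("JWT_AUTH_HEADER_PREFIX", "Bearer")
    if prefix != "JWT":
        problems.append(
            f"JWT_AUTH['JWT_AUTH_HEADER_PREFIX'] is {prefix!r}; existing clients send 'JWT'"
        )
    installed = settings.get("INSTALLED_APPS", [])
    for app in REQUIRED_APPS:
        if app not in installed:
            problems.append(f"{app} missing from INSTALLED_APPS")
    return problems


def extract_token(authorization_header: str, prefix: str):
    """Mimic the case-insensitive prefix match an auth backend performs.

    Returns the token string when the header uses the configured prefix,
    otherwise None (the request would then fall through as unauthenticated).
    """
    parts = authorization_header.split()
    if len(parts) != 2 or parts[0].lower() != prefix.lower():
        return None
    return parts[1]


if __name__ == "__main__":
    # Constructed settings: the "before" mapping misses all three items.
    before = {"JWT_AUTH": {}, "INSTALLED_APPS": ["django.contrib.auth"]}
    after = {
        "JWT_AUTH": {"JWT_AUTH_HEADER_PREFIX": "JWT"},
        "INSTALLED_APPS": ["django.contrib.auth", *REQUIRED_APPS],
    }
    print(check_jwt_settings(before))
    print(check_jwt_settings(after))
    print(extract_token("JWT aaa.bbb.ccc", "JWT"), extract_token("JWT aaa.bbb.ccc", "Bearer"))
```

Run `check_jwt_settings()` against your IDA's settings module (converted to a dict) in a deploy-time sanity test; the `extract_token()` call with the "Bearer" prefix returning `None` is exactly the silent failure the changelog warns about.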


The ENABLE_ANONYMOUS_ACCESS_ROLLOUT flag was temporarily used to facilitate the rollout
of CSRF protection for MFEs. With that effort finished, the flag is no longer necessary
and is now being removed.

This release removes the flag and replaces it with
logic equivalent to setting ENABLE_ANONYMOUS_ACCESS_ROLLOUT to True.


In 3.0.0, the switch `oauth2.enforce_jwt_scopes` was removed, which
means `is_restricted` is now always checked in JWTs. This works fine for JWTs created
by the LMS, but it uncovered a pre-existing bug that only shows
itself in the Ecommerce Service, for certain JWTs that were meant to be
decoded with a custom jwt_decode_handler. In the Ecommerce Service only,
this custom jwt_decode_handler is set using the JWT_DECODE_HANDLER

This fix updates the JWT code to respect the JWT_DECODE_HANDLER setting
of JWT_AUTH, and uses the configured handler rather than assuming the
edx-drf-extensions version will always be used.

Additionally, the fix accounts for JWTs that are missing certain
claims in the payload (e.g. `is_restricted` and `filters`) by using
appropriate defaults.
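The two halves of that fix (dispatch to the configured decode handler, and defaults for absent claims) can be shown without Django. The block below is an added example, not the edx-drf-extensions or drf-jwt implementation: it uses a small stdlib-only HS256 verifier as the decode handler, a `JWT_AUTH`-shaped dict to carry `JWT_DECODE_HANDLER`, and the defaults `False` for `is_restricted` and `[]` for `filters`, all of which are assumptions made for illustration (drf-jwt normally configures the handler as a dotted import path; here it is a plain callable).

```python
"""Added example (not edx-drf-extensions code): respect the configured
JWT_DECODE_HANDLER and default the is_restricted / filters claims."""
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_encode(payload: dict, secret: str) -> str:
    """Build a compact HS256 JWT (header.payload.signature) for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    signature = hmac.new(secret.encode(), f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(signature)}"


def make_hs256_decode_handler(secret: str):
    """Return a handler with drf-jwt's shape, handler(token) -> payload dict.

    The handler verifies the HMAC before returning any claim and refuses
    tokens whose header does not say HS256 (so "alg": "none" is rejected).
    """
    def decode_handler(token: str) -> dict:
        try:
            header, body, signature = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(secret.encode(), f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(body))
    return decode_handler


def get_decoded_jwt(token: str, jwt_auth: dict) -> dict:
    """Decode with whatever handler JWT_AUTH configures, never a hard-coded one."""
    return jwt_auth["JWT_DECODE_HANDLER"](token)


def is_restricted(payload: dict) -> bool:
    # Assumed default: a token without the claim is treated as unrestricted.
    return bool(payload.get("is_restricted", False))


def get_filters(payload: dict) -> list:
    # Assumed default: no filters when the claim is absent.
    return list(payload.get("filters", []))


if __name__ == "__main__":
    # Constructed settings for two services with different signing secrets.
    lms_jwt_auth = {"JWT_DECODE_HANDLER": make_hs256_decode_handler("lms-secret")}
    ecommerce_jwt_auth = {"JWT_DECODE_HANDLER": make_hs256_decode_handler("ecommerce-secret")}
    token = hs256_encode({"sub": "u1", "is_restricted": True, "filters": ["content_org:edX"]}, "ecommerce-secret")
    payload = get_decoded_jwt(token, ecommerce_jwt_auth)
    print(is_restricted(payload), get_filters(payload))
    legacy = get_decoded_jwt(hs256_encode({"sub": "u2"}, "ecommerce-secret"), ecommerce_jwt_auth)
    print(is_restricted(legacy), get_filters(legacy))
```

Decoding a token under the wrong service's handler raises instead of returning claims, which is the property the bug broke: a service that ignores its own `JWT_DECODE_HANDLER` either rejects valid tokens or trusts claims it never verified.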



The oauth2.enforce_jwt_scopes waffle switch was added temporarily for
the rollout of JWT scopes. This removes the toggle and replaces it with
logic equivalent to setting `oauth2.enforce_jwt_scopes` to True.


This removes a toggle that may or may not have been set in any
particular environment, and was defaulted to False.

*Before taking this upgrade:*
* Make sure your IDA includes `EnsureJWTAuthSettingsMiddleware` in its
* Although you could first check and/or set the
`oauth2.enforce_jwt_scopes` waffle switch to True in all environments
for your IDA, this upgrade is unlikely to cause an issue. If you want to
play it safe, setting the switch first is how you do it, but then you
need to remove the switch afterwards.

*After taking this upgrade:*
* Once the upgrade has been deployed and is stable, delete the
`oauth2.enforce_jwt_scopes` waffle switch from all environments for the
IDA with the upgrade.


* Added Django 2.2 support
* Added some New Relic custom metrics
* Clean up












Middleware enables the DRF JwtAuthentication authentication class for
endpoints using the LoginRedirectIfUnauthenticated permission class.

Enables a DRF view to redirect the user to login when they are
unauthenticated. It automatically enables JWT-cookie-based
authentication by setting the `USE_JWT_COOKIE_HEADER` for endpoints
using the LoginRedirectIfUnauthenticated permission.

This can be used to convert a plain Django view using `login_required`
into a DRF APIView, which is useful for enabling our DRF JwtAuthentication.

NOTE: This includes a breaking change that is unlikely to affect anyone
unless they subclassed JwtAuthCookieMiddleware, which switched from
using `process_request` to `process_view` so it would not run before
this new middleware.
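The ordering subtlety behind that breaking change is worth seeing in code: Django calls every middleware's `process_request` before it resolves the view, and only then calls each `process_view` in `MIDDLEWARE` order, so a middleware that reacts to the view's permission classes can only do so from `process_view`, and anything that depends on its result must run no earlier. The block below is an added example, not edx-drf-extensions code: the class names, the `HTTP_USE_JWT_COOKIE` META key and the cookie name are constructed stand-ins, and the "cookie handling" is reduced to copying the cookie value onto the request.

```python
"""Added example (not edx-drf-extensions code): emulate Django's hook order
to show why JwtAuthCookieMiddleware moved from process_request to process_view."""

USE_JWT_COOKIE_HEADER = "HTTP_USE_JWT_COOKIE"   # constructed META key for the header
JWT_COOKIE_NAME = "edx-jwt-cookie"               # constructed cookie name


class LoginRedirectIfUnauthenticated:
    """Marker standing in for the DRF permission class of the same name."""


class Request:
    def __init__(self, cookies):
        self.COOKIES = dict(cookies)
        self.META = {}
        self.jwt_from_cookie = None


class EnableJwtCookieForLoginRedirectMiddleware:
    """Stand-in for the new middleware: it needs the resolved view, so process_view."""
    def process_view(self, request, view, view_args, view_kwargs):
        if LoginRedirectIfUnauthenticated in getattr(view, "permission_classes", ()):
            request.META[USE_JWT_COOKIE_HEADER] = "true"


def _copy_cookie_if_enabled(request):
    # Only honour the cookie when the header says JWT-cookie auth is enabled.
    if request.META.get(USE_JWT_COOKIE_HEADER) == "true":
        request.jwt_from_cookie = request.COOKIES.get(JWT_COOKIE_NAME)


class JwtAuthCookieMiddlewareOld:
    """Pre-change behaviour: runs before any process_view, so it never sees the header."""
    def process_request(self, request):
        _copy_cookie_if_enabled(request)


class JwtAuthCookieMiddlewareNew:
    """Post-change behaviour: runs in process_view, after the enabling middleware."""
    def process_view(self, request, view, view_args, view_kwargs):
        _copy_cookie_if_enabled(request)


def run_middleware(middlewares, request, view):
    """Django's order: all process_request hooks first, then all process_view hooks."""
    for mw in middlewares:
        hook = getattr(mw, "process_request", None)
        if hook:
            hook(request)
    for mw in middlewares:
        hook = getattr(mw, "process_view", None)
        if hook:
            hook(request, view, (), {})
    return request


class ProtectedView:
    permission_classes = (LoginRedirectIfUnauthenticated,)


class PublicView:
    permission_classes = ()


def jwt_seen(cookie_middleware_cls, view=ProtectedView):
    """Return the JWT the cookie middleware picked up under the given hook style."""
    request = Request({JWT_COOKIE_NAME: "header.payload.sig"})  # constructed cookie value
    middlewares = [EnableJwtCookieForLoginRedirectMiddleware(), cookie_middleware_cls()]
    return run_middleware(middlewares, request, view).jwt_from_cookie


if __name__ == "__main__":
    print("process_request:", jwt_seen(JwtAuthCookieMiddlewareOld))
    print("process_view:   ", jwt_seen(JwtAuthCookieMiddlewareNew))
```

Even with the `process_view` version, the cookie middleware must still be listed after the enabling middleware in `MIDDLEWARE`; the hook change fixes the phase, not the list order. A subclass that overrides `process_request` to reproduce the old behaviour reintroduces the problem, which is why the changelog flags this as a breaking change for subclasses.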







Version 2.3.2 was released without bumping its version number. This fixes that.


See for details. This release will remove many `RemovedInDjango20Warning`s for clients of this library.


Fixed the call to `is_jwt_authenticated` when the request has no `successful_authenticator` attribute.


This release adds a helper method in `edx_rest_framework_extensions/auth/jwt/` to get the decoded JWT token from `request.auth`.


Revert 'Update cookies.get_decoded_jwt logic to also query jwt cookie from request.auth'


This release updates the logic of `edx_rest_framework_extensions.auth.jwt.cookies.get_decoded_jwt` so that the JWT cookie is looked up in `request.auth` when it is not found in `request.COOKIES`.




This release bumps the `default_latest_supported` version value to 1.2.0.

Note that a `user_id` JWT claim was added to edx-platform while the JWT was at version 1.1.0, but the JWT version was not bumped at that time.


Several auth classes and methods were refactored and the
backward incompatible imports have been removed.

Important: SessionAuthenticationAllowInactiveUser was moved as
part of this release, so this release also adds a backward
incompatible change from any earlier version as well.