chore(backend): force token expire (#969)

* chore(token): token always expires

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

* chore(migrations): alter bearer token expires at

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

* chore(changelog): update changelog

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

* chore(backend/users/migrations): alter bearertoken expires only if null

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

* fix(users/migrations): chain AlterField migration operation

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

* tests(views/test_views_token): add expiring date and test case

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

* chore(users/migrations): field to models.DateTimeField()

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

* chore(users/models/token): blank=False instead of default value

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

* tests(test_views_token): add test cases

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

---------

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

backend/api/tests/views/test_views_token.py

@@ -2,17 +2,27 @@
 
 import pytest
 from django.contrib.auth.models import User
+from django.db.utils import IntegrityError
 from django.utils import timezone
 from rest_framework import status
 
 from users.models.token import BearerToken
 
 
+@pytest.mark.django_db
+def test_cannot_create_non_expiring_token(authenticated_client):
+    authenticated_client.create_user()
+    user = authenticated_client.user
+    # create a token without expiration date
+    with pytest.raises(IntegrityError):
+        BearerToken.objects.create(user=user)
+
+
 @pytest.mark.django_db
 def test_delete_token(authenticated_client):
     authenticated_client.create_user()
     user = authenticated_client.user
-    token = BearerToken.objects.create(user=user)
+    token = BearerToken.objects.create(user=user, expires_at=timezone.now() + timedelta(days=1))
 
     tokens_count = BearerToken.objects.count()
     assert tokens_count == 1
@@ -29,8 +39,8 @@ def test_delete_token(authenticated_client):
 def test_multiple_token(authenticated_client, api_client):
     authenticated_client.create_user()
     user = authenticated_client.user
-    token_1 = BearerToken.objects.create(user=user)
-    token_2 = BearerToken.objects.create(user=user)
+    token_1 = BearerToken.objects.create(user=user, expires_at=timezone.now() + timedelta(days=1))
+    token_2 = BearerToken.objects.create(user=user, expires_at=timezone.now() + timedelta(days=2))
 
     tokens_count = BearerToken.objects.count()
     assert tokens_count == 2
@@ -60,7 +70,7 @@ def test_multiple_token(authenticated_client, api_client):
 
 
 @pytest.mark.django_db
-def test_expiring_token(authenticated_client, api_client):
+def test_expired_token(authenticated_client, api_client):
     authenticated_client.create_user()
     user = authenticated_client.user
     # create a token that expired a day ago
@@ -88,7 +98,7 @@ def test_delete_token_other_user(authenticated_client):
     other_user = User.objects.create(username="user-2")
     other_user.set_password("p@sswr0d44")
     other_user.save()
-    token = BearerToken.objects.create(user=other_user)
+    token = BearerToken.objects.create(user=other_user, expires_at=timezone.now() + timedelta(days=1))
 
     tokens_count = BearerToken.objects.count()
     assert tokens_count == 1
@@ -111,3 +121,17 @@ def test_token_creation_post(authenticated_client):
 
     tokens_count = BearerToken.objects.count()
     assert tokens_count == 1
+
+
+@pytest.mark.django_db
+def test_cannot_post_token_wo_expires_at(authenticated_client):
+    authenticated_client.create_user()
+    payload = {}
+    url = "/api-token/"
+    response = authenticated_client.post(url, payload)
+
+    assert response.json() == {"expires_at": ["This field is required."]}
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+
+    tokens_count = BearerToken.objects.count()
+    assert tokens_count == 0

backend/users/migrations/0008_alter_bearertoken_expires_at.py

@@ -0,0 +1,25 @@
+# Generated by Django 4.2.5 on 2024-08-14 15:28
+
+import django.utils.timezone
+from django.db import migrations
+from django.db import models
+
+
+def set_default_expires_at(apps, schema_editor):
+    BearerToken = apps.get_model("users", "BearerToken")  # noqa
+    BearerToken.objects.filter(expires_at__isnull=True).update(expires_at=django.utils.timezone.now())
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("users", "0007_implicitbearertoken_id_and_more"),
+    ]
+
+    operations = [
+        migrations.RunPython(set_default_expires_at),
+        migrations.AlterField(
+            model_name="bearertoken",
+            name="expires_at",
+            field=models.DateTimeField(),
+        ),
+    ]

backend/users/models/token.py

@@ -10,7 +10,7 @@
 
 class BearerToken(Token):
     note = models.TextField(null=True)
-    expires_at = models.DateTimeField(null=True)
+    expires_at = models.DateTimeField(null=False, blank=False)
     user = models.ForeignKey(settings.AUTH_USER_MODEL, related_name="bearer_tokens", on_delete=models.CASCADE)
     id = models.UUIDField(default=uuid.uuid4, editable=False)
 

backend/users/serializers/token.py

@@ -7,7 +7,7 @@
 
 
 class BearerTokenSerializer(serializers.ModelSerializer):
-    expires_at = serializers.DateTimeField(default_timezone=timezone.utc, allow_null=True)
+    expires_at = serializers.DateTimeField(default_timezone=timezone.utc, allow_null=False)
     created_at = serializers.DateTimeField(default_timezone=timezone.utc, source="created", read_only=True)
     token = serializers.CharField(source="key", read_only=True)
 

changes/969.changed

@@ -0,0 +1 @@
+Disable never expiring users `BearerToken`