Update all edx-platform REST endpoints to support JWT Auth (openedx#34152)

salman2013 · web-flow · commit 57b480b04f52 · 2024-02-13T10:46:58.000-05:00
* chore: update API endpoints to support default JWT auth The default DRF Auth classes were recently updated to allow for both JWT and Session auth by default. Any endpoint that overrides the AUTHENTICATION_CLASSES but has just session, just JWT or just both of those should be updated to remove the override. Details in openedx#33662
diff --git a/cms/djangoapps/api/v1/views/course_runs.py b/cms/djangoapps/api/v1/views/course_runs.py
@@ -3,10 +3,8 @@
 
 from django.conf import settings
 from django.http import Http404
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from opaque_keys.edx.keys import CourseKey
 from rest_framework import parsers, permissions, status, viewsets
-from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.response import Response
 
@@ -21,7 +19,6 @@
 
 
 class CourseRunViewSet(viewsets.GenericViewSet):  # lint-amnesty, pylint: disable=missing-class-docstring
-    authentication_classes = (JwtAuthentication, SessionAuthentication,)
     lookup_value_regex = settings.COURSE_KEY_REGEX
     permission_classes = (permissions.IsAdminUser,)
     serializer_class = CourseRunSerializer
diff --git a/common/djangoapps/entitlements/rest_api/v1/views.py b/common/djangoapps/entitlements/rest_api/v1/views.py
@@ -14,7 +14,6 @@
 from opaque_keys import InvalidKeyError
 from opaque_keys.edx.keys import CourseKey
 from rest_framework import permissions, status, viewsets
-from rest_framework.authentication import SessionAuthentication
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -328,7 +327,6 @@ class EntitlementEnrollmentViewSet(viewsets.GenericViewSet):
         - Unenroll
         - Switch Enrollment
     """
-    authentication_classes = (JwtAuthentication, SessionAuthentication,)
     # TODO: ARCH-91
     # This view is excluded from Swagger doc generation because it
     # does not specify a serializer class.
diff --git a/common/djangoapps/third_party_auth/api/tests/test_permissions.py b/common/djangoapps/third_party_auth/api/tests/test_permissions.py
@@ -4,9 +4,7 @@
 
 import ddt
 from django.test import RequestFactory, TestCase
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from edx_rest_framework_extensions.auth.jwt.tests.utils import generate_jwt
-from rest_framework.authentication import SessionAuthentication
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -25,7 +23,6 @@ class ThirdPartyAuthPermissionTest(TestCase):
 
     class SomeTpaClassView(APIView):
         """view used to test TPA_permissions"""
-        authentication_classes = (JwtAuthentication, SessionAuthentication)
         permission_classes = (TPA_PERMISSIONS,)
         required_scopes = ['tpa:read']
 
diff --git a/common/djangoapps/third_party_auth/saml_configuration/views.py b/common/djangoapps/third_party_auth/saml_configuration/views.py
@@ -2,16 +2,13 @@
 Viewset for auth/saml/v0/saml_configuration
 """
 
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from rest_framework import permissions, viewsets
-from rest_framework.authentication import SessionAuthentication
 
 from ..models import SAMLConfiguration
 from .serializers import SAMLConfigurationSerializer
 
 
 class SAMLConfigurationMixin:
-    authentication_classes = (JwtAuthentication, SessionAuthentication,)
     permission_classes = (permissions.IsAuthenticated,)
     serializer_class = SAMLConfigurationSerializer
 
diff --git a/common/djangoapps/third_party_auth/samlproviderconfig/views.py b/common/djangoapps/third_party_auth/samlproviderconfig/views.py
@@ -5,10 +5,8 @@
 from django.shortcuts import get_list_or_404
 from django.db.utils import IntegrityError
 from edx_rbac.mixins import PermissionRequiredMixin
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from rest_framework import permissions, viewsets, status
 from rest_framework.response import Response
-from rest_framework.authentication import SessionAuthentication
 from rest_framework.exceptions import ParseError, ValidationError
 
 from enterprise.models import EnterpriseCustomerIdentityProvider, EnterpriseCustomer
@@ -20,7 +18,6 @@
 
 
 class SAMLProviderMixin:
-    authentication_classes = [JwtAuthentication, SessionAuthentication]
     permission_classes = [permissions.IsAuthenticated]
     serializer_class = SAMLProviderConfigSerializer
 
diff --git a/common/djangoapps/third_party_auth/samlproviderdata/views.py b/common/djangoapps/third_party_auth/samlproviderdata/views.py
@@ -8,10 +8,8 @@
 from django.http import Http404
 from django.shortcuts import get_object_or_404
 from edx_rbac.mixins import PermissionRequiredMixin
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from enterprise.models import EnterpriseCustomerIdentityProvider
 from rest_framework import permissions, status, viewsets
-from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.exceptions import ParseError
 from rest_framework.response import Response
@@ -31,7 +29,6 @@
 
 
 class SAMLProviderDataMixin:
-    authentication_classes = [JwtAuthentication, SessionAuthentication]
     permission_classes = [permissions.IsAuthenticated]
     serializer_class = SAMLProviderDataSerializer
 
diff --git a/lms/djangoapps/bulk_user_retirement/views.py b/lms/djangoapps/bulk_user_retirement/views.py
@@ -3,7 +3,6 @@
 """
 import logging
 
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from django.contrib.auth import get_user_model
 from django.db import transaction
 from rest_framework import permissions, status
@@ -34,7 +33,6 @@ class BulkUsersRetirementView(APIView):
 
           * usernames: Comma separated strings of usernames that should be retired.
     """
-    authentication_classes = (JwtAuthentication, )
     permission_classes = (permissions.IsAuthenticated, CanRetireUser)
 
     def post(self, request, **kwargs):  # pylint: disable=unused-argument
diff --git a/lms/djangoapps/commerce/api/v1/views.py b/lms/djangoapps/commerce/api/v1/views.py
@@ -72,7 +72,6 @@ def pre_save(self, obj):
 class OrderView(APIView):
     """ Retrieve order details. """
 
-    authentication_classes = (JwtAuthentication, SessionAuthentication,)
     permission_classes = (IsAuthenticatedOrActivationOverridden,)
 
     def get(self, request, number):
diff --git a/lms/djangoapps/course_home_api/outline/views.py b/lms/djangoapps/course_home_api/outline/views.py
@@ -376,7 +376,6 @@ def finalize_response(self, request, response, *args, **kwargs):
 
 
 @api_view(['POST'])
-@authentication_classes((JwtAuthentication,))
 @permission_classes((IsAuthenticated,))
 def dismiss_welcome_message(request):  # pylint: disable=missing-function-docstring
     course_id = request.data.get('course_id', None)
diff --git a/lms/djangoapps/discussion/rest_api/tests/test_views.py b/lms/djangoapps/discussion/rest_api/tests/test_views.py
@@ -675,7 +675,7 @@ def test_auth(self):
 
         # Test unauthenticated
         response = self.client.post(self.url, data)
-        assert response.status_code == 401
+        assert response.status_code == 403
 
         # Test non-service worker
         random_user = UserFactory()
diff --git a/lms/djangoapps/discussion/rest_api/views.py b/lms/djangoapps/discussion/rest_api/views.py
@@ -1099,7 +1099,6 @@ class RetireUserView(APIView):
         Empty string
     """
 
-    authentication_classes = (JwtAuthentication,)
     permission_classes = (permissions.IsAuthenticated, CanRetireUser)
 
     def post(self, request):
@@ -1147,7 +1146,6 @@ class ReplaceUsernamesView(APIView):
 
     """
 
-    authentication_classes = (JwtAuthentication,)
     permission_classes = (permissions.IsAuthenticated, CanReplaceUsername)
 
     def post(self, request):
diff --git a/lms/djangoapps/edxnotes/views.py b/lms/djangoapps/edxnotes/views.py
@@ -11,7 +11,6 @@
 from django.http import Http404, HttpResponse
 from django.urls import reverse
 from django.views.decorators.http import require_GET
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from opaque_keys.edx.keys import CourseKey
 from rest_framework import permissions, status
 from rest_framework.response import Response
@@ -244,7 +243,6 @@ class RetireUserView(APIView):
           - EdxNotesServiceUnavailable is thrown: the edx-notes-api IDA is not available.
     """
 
-    authentication_classes = (JwtAuthentication,)
     permission_classes = (permissions.IsAuthenticated, CanRetireUser)
 
     def post(self, request):
diff --git a/lms/djangoapps/instructor_task/rest_api/v1/views.py b/lms/djangoapps/instructor_task/rest_api/v1/views.py
@@ -9,8 +9,6 @@
 import dateutil
 from celery.states import REVOKED
 from django.db import transaction
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
-from rest_framework.authentication import SessionAuthentication
 from rest_framework.response import Response
 from rest_framework import generics, status
 
@@ -35,10 +33,6 @@ class ListScheduledBulkEmailInstructorTasks(generics.ListAPIView):
                data also includes information about the and course email instance associated with each task.
         * 403: User does not have the required role to view this data.
     """
-    authentication_classes = (
-        JwtAuthentication,
-        SessionAuthentication,
-    )
     permission_classes = (
         CanViewOrModifyScheduledBulkCourseEmailTasks,
     )
@@ -74,10 +68,6 @@ class ModifyScheduledBulkEmailInstructorTask(generics.DestroyAPIView, generics.U
         * 403: User does not have permission to modify the object specified.
         * 404: Requested schedule object could not be found and thus could not be modified or removed.
     """
-    authentication_classes = (
-        JwtAuthentication,
-        SessionAuthentication,
-    )
     permission_classes = (
         CanViewOrModifyScheduledBulkCourseEmailTasks,
     )
diff --git a/lms/djangoapps/learner_dashboard/api/v0/views.py b/lms/djangoapps/learner_dashboard/api/v0/views.py
@@ -1,9 +1,7 @@
 """ API v0 views. """
 import logging
 
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from enterprise.models import EnterpriseCourseEnrollment
-from rest_framework.authentication import SessionAuthentication
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -81,8 +79,6 @@ class Programs(APIView):
         ]
     """
 
-    authentication_classes = (JwtAuthentication, SessionAuthentication,)
-
     permission_classes = (IsAuthenticated,)
 
     def get(self, request, enterprise_uuid):
@@ -298,11 +294,6 @@ class ProgramProgressDetailView(APIView):
             }
     """
 
-    authentication_classes = (
-        JwtAuthentication,
-        SessionAuthentication,
-    )
-
     permission_classes = (IsAuthenticated,)
 
     def get(self, request, program_uuid):
diff --git a/lms/djangoapps/support/views/feature_based_enrollments.py b/lms/djangoapps/support/views/feature_based_enrollments.py
@@ -2,10 +2,8 @@
 Support tool for viewing course duration information
 """
 
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from django.utils.decorators import method_decorator
 from django.views.generic import View
-from rest_framework.authentication import SessionAuthentication
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.generics import GenericAPIView
 
@@ -43,9 +41,6 @@ class FeatureBasedEnrollmentSupportAPIView(GenericAPIView):
     Support-only API View for getting feature based enrollment configuration details
     for a course.
     """
-    authentication_classes = (
-        JwtAuthentication, SessionAuthentication
-    )
     permission_classes = (IsAuthenticated,)
 
     @method_decorator(require_support_permission)
diff --git a/lms/djangoapps/support/views/program_enrollments.py b/lms/djangoapps/support/views/program_enrollments.py
@@ -6,9 +6,7 @@
 from django.db.models import Q
 from django.utils.decorators import method_decorator
 from django.views.generic import View
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from rest_framework.views import APIView
-from rest_framework.authentication import SessionAuthentication
 from rest_framework.response import Response
 from rest_framework.permissions import IsAuthenticated
 from social_django.models import UserSocialAuth
@@ -77,9 +75,6 @@ class LinkProgramEnrollmentSupportAPIView(APIView):
     """
     Support-only API View for linking learner enrollments by support staff.
     """
-    authentication_classes = (
-        JwtAuthentication, SessionAuthentication
-    )
     permission_classes = (
         IsAuthenticated,
     )
@@ -312,9 +307,6 @@ class ProgramEnrollmentsInspectorAPIView(ProgramEnrollmentInspector, APIView):
     information of a learner.
     """
 
-    authentication_classes = (
-        JwtAuthentication, SessionAuthentication
-    )
     permission_classes = (
         IsAuthenticated,
     )
diff --git a/lms/djangoapps/user_tours/v1/views.py b/lms/djangoapps/user_tours/v1/views.py
@@ -2,8 +2,6 @@
 from django.conf import settings
 from django.db import transaction, IntegrityError
 from django.shortcuts import get_object_or_404
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
-from rest_framework.authentication import SessionAuthentication
 from rest_framework.generics import RetrieveUpdateAPIView
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
@@ -25,7 +23,6 @@ class UserTourView(RetrieveUpdateAPIView):
         GET /api/user_tours/v1/{username}
         PATCH /api/user_tours/v1/{username}
     """
-    authentication_classes = (JwtAuthentication,)
     permission_classes = (IsAuthenticated,)
     serializer_class = UserTourSerializer
 
@@ -111,7 +108,6 @@ class UserDiscussionsToursView(APIView):
     ]
     """
 
-    authentication_classes = (JwtAuthentication, SessionAuthentication)
     permission_classes = (IsAuthenticated,)
 
     def get(self, request, tour_id=None):
diff --git a/openedx/core/djangoapps/agreements/views.py b/openedx/core/djangoapps/agreements/views.py
@@ -3,11 +3,9 @@
 """
 
 from django.conf import settings
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from rest_framework import status
 from rest_framework.views import APIView
 from rest_framework.response import Response
-from rest_framework.authentication import SessionAuthentication
 from rest_framework.permissions import IsAuthenticated
 from opaque_keys.edx.keys import CourseKey
 
@@ -34,7 +32,6 @@ class AuthenticatedAPIView(APIView):
     """
     Authenticated API View.
     """
-    authentication_classes = (SessionAuthentication, JwtAuthentication)
     permission_classes = (IsAuthenticated,)
 
 
diff --git a/openedx/core/djangoapps/demographics/rest_api/v1/views.py b/openedx/core/djangoapps/demographics/rest_api/v1/views.py
@@ -1,7 +1,5 @@
 # lint-amnesty, pylint: disable=missing-module-docstring
-from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from rest_framework import permissions, status
-from rest_framework.authentication import SessionAuthentication
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -18,7 +16,6 @@ class DemographicsStatusView(APIView):
     The API will return whether or not to display the Demographics UI based on
     the User's status in the Platform
     """
-    authentication_classes = (JwtAuthentication, SessionAuthentication)
     permission_classes = (permissions.IsAuthenticated, )
 
     def _response_context(self, user, user_demographics=None):
diff --git a/openedx/core/djangoapps/enrollments/views.py b/openedx/core/djangoapps/enrollments/views.py
@@ -421,7 +421,6 @@ class UnenrollmentView(APIView):
             If the request is successful, an HTTP 200 "OK" response is
             returned along with a list of all courses from which the user was unenrolled.
         """
-    authentication_classes = (JwtAuthentication,)
     permission_classes = (permissions.IsAuthenticated, CanRetireUser,)
 
     def post(self, request):
@@ -1023,9 +1022,6 @@ class EnrollmentAllowedView(APIView):
     """
     A view that allows the retrieval and creation of enrollment allowed for a given user email and course id.
     """
-    authentication_classes = (
-        JwtAuthentication,
-    )
     permission_classes = (permissions.IsAdminUser,)
     throttle_classes = (EnrollmentUserThrottle,)
     serializer_class = CourseEnrollmentAllowedSerializer
diff --git a/openedx/core/djangoapps/user_api/accounts/views.py b/openedx/core/djangoapps/user_api/accounts/views.py
diff --git a/openedx/core/djangoapps/waffle_utils/views.py b/openedx/core/djangoapps/waffle_utils/views.py
