Compare commits

...

2 Commits

Author SHA1 Message Date
charles c0ecf53fbf fixup! 🚨(backend) fix search without refresh token
Signed-off-by: charles <charles.englebert@protonmail.com>
2026-03-20 11:57:10 +01:00
charles b4eb54305a 🚨(backend) fix search without refresh token
i remove the decorator on the search function
and refresh the token in the function so
i can try catch it.

Signed-off-by: charles <charles.englebert@protonmail.com>
2026-03-19 19:21:23 +01:00
7 changed files with 187 additions and 45 deletions
+1
View File
@@ -36,6 +36,7 @@ and this project adheres to
- ♿️(frontend) fix waffle aria-label spacing for new-window links #2030
- 🐛(backend) stop using add_sibling method to create sandbox document #2084
- 🐛(backend) duplicate a document as last-sibling #2084
- 🐛(backend) fix search without refresh token #2090
### Removed
+31
View File
@@ -8,6 +8,9 @@ from django.core.cache import cache
from django.core.files.storage import default_storage
import botocore
import requests
from lasuite.oidc_login.backends import get_oidc_refresh_token, store_tokens
from rest_framework.exceptions import AuthenticationFailed
from rest_framework.throttling import BaseThrottle
@@ -179,3 +182,31 @@ class AIUserRateThrottle(AIBaseRateThrottle):
if x_forwarded_for
else request.META.get("REMOTE_ADDR")
)
def refresh_access_token(session):
"""Refresh the OIDC access token using the refresh token."""
refresh_token = get_oidc_refresh_token(session)
if not refresh_token:
raise AuthenticationFailed({"error": "Refresh token is missing from session"})
response = requests.post(
settings.OIDC_OP_TOKEN_ENDPOINT,
data={
"grant_type": "refresh_token",
"client_id": settings.OIDC_RP_CLIENT_ID,
"client_secret": settings.OIDC_RP_CLIENT_SECRET,
"refresh_token": refresh_token,
},
timeout=settings.OIDC_TIMEOUT,
)
response.raise_for_status()
token_info = response.json()
store_tokens(
session,
access_token=token_info.get("access_token"),
id_token=None,
refresh_token=token_info.get("refresh_token"),
)
return session
+8 -5
View File
@@ -25,7 +25,6 @@ from django.db.models.functions import Greatest, Left, Length
from django.http import Http404, StreamingHttpResponse
from django.urls import reverse
from django.utils import timezone
from django.utils.decorators import method_decorator
from django.utils.functional import cached_property
from django.utils.http import content_disposition_header
from django.utils.text import capfirst, slugify
@@ -38,11 +37,11 @@ from botocore.exceptions import ClientError
from csp.constants import NONE
from csp.decorators import csp_update
from lasuite.malware_detection import malware_detection
from lasuite.oidc_login.decorators import refresh_oidc_access_token
from lasuite.tools.email import get_domain_from_email
from pydantic import ValidationError as PydanticValidationError
from rest_framework import filters, status, viewsets
from rest_framework import response as drf_response
from rest_framework.exceptions import AuthenticationFailed
from rest_framework.permissions import AllowAny
from rest_framework.views import APIView
@@ -84,6 +83,7 @@ from .throttling import (
UserListThrottleBurst,
UserListThrottleSustained,
)
from .utils import refresh_access_token
logger = logging.getLogger(__name__)
@@ -1415,7 +1415,6 @@ class DocumentViewSet(
return duplicated_document
@drf.decorators.action(detail=False, methods=["get"], url_path="search")
@method_decorator(refresh_oidc_access_token)
def search(self, request, *args, **kwargs):
"""
Returns an ordered list of documents best matching the search query parameter 'q'.
@@ -1439,8 +1438,11 @@ class DocumentViewSet(
return self._search_with_indexer(
indexer, request, params=params, search_type=search_type
)
except requests.exceptions.RequestException as e:
logger.error("Error while searching documents with indexer: %s", e)
except (requests.exceptions.RequestException, AuthenticationFailed) as e:
logger.error(
"Error while searching documents with indexer \n%s \nfall back on title search",
e,
)
# fallback on title search if the indexer is not reached
return self._title_search(request, params.validated_data, *args, **kwargs)
@@ -1462,6 +1464,7 @@ class DocumentViewSet(
"""
Returns a list of documents matching the query (q) according to the configured indexer.
"""
request.session = refresh_access_token(request.session)
queryset = models.Document.objects.all()
results = indexer.search(
+27
View File
@@ -7,6 +7,8 @@ from django.core.cache import cache
import pytest
import responses
from cryptography.fernet import Fernet
from lasuite.oidc_login.backends import get_cipher_suite
from core import factories
from core.tests.utils.urls import reload_urls
@@ -143,3 +145,28 @@ def user_token():
A fixture to create a user token for testing.
"""
return build_authorization_bearer("some_token")
@pytest.fixture
def oidc_settings(settings):
"""Fixture to configure OIDC settings for the tests."""
settings.OIDC_OP_TOKEN_ENDPOINT = "https://auth.example.com/token"
settings.OIDC_OP_AUTHORIZATION_ENDPOINT = "https://auth.example.com/authorize"
settings.OIDC_RP_CLIENT_ID = "client_id"
settings.OIDC_RP_CLIENT_SECRET = "client_secret"
settings.OIDC_AUTHENTICATION_CALLBACK_URL = "oidc_authentication_callback"
settings.OIDC_RP_SCOPES = "openid email"
settings.OIDC_USE_NONCE = True
settings.OIDC_STATE_SIZE = 32
settings.OIDC_NONCE_SIZE = 32
settings.OIDC_VERIFY_SSL = True
settings.OIDC_TOKEN_USE_BASIC_AUTH = False
settings.OIDC_STORE_ACCESS_TOKEN = True
settings.OIDC_STORE_REFRESH_TOKEN = True
settings.OIDC_STORE_REFRESH_TOKEN_KEY = Fernet.generate_key()
get_cipher_suite.cache_clear()
yield settings
get_cipher_suite.cache_clear()
@@ -3,6 +3,7 @@ Tests for Documents API endpoint in impress's core app: search
"""
from unittest import mock
from unittest.mock import patch
import pytest
import responses
@@ -12,7 +13,7 @@ from rest_framework.test import APIClient
from waffle.testutils import override_flag
from core import factories
from core.enums import FeatureFlag, SearchType
from core.enums import FeatureFlag
from core.services.search_indexers import get_document_indexer
fake = Faker()
@@ -26,47 +27,29 @@ def enable_flag_find_hybrid_search():
yield
@mock.patch("core.services.search_indexers.FindDocumentIndexer.search_query")
@mock.patch("core.api.viewsets.DocumentViewSet.list")
@responses.activate
def test_api_documents_search_anonymous(search_query, indexer_settings):
def test_api_documents_search_anonymous(mock_list, indexer_settings):
"""
Anonymous users should be allowed to search documents with Find.
Anonymous users should not be allowed to search documents with Find.
they should fall back on title search.
"""
indexer_settings.SEARCH_URL = "http://find/api/v1.0/search"
# mock Find response
responses.add(
responses.POST,
"http://find/api/v1.0/search",
json=[],
status=200,
)
mocked_response = {
"count": 0,
"next": None,
"previous": None,
"results": [{"title": "mocked list result"}],
}
mock_list.return_value = drf_response.Response(mocked_response)
q = "alpha"
response = APIClient().get("/api/v1.0/documents/search/", data={"q": q})
assert search_query.call_count == 1
assert search_query.call_args[1] == {
"data": {
"q": q,
"visited": [],
"services": ["docs"],
"nb_results": 50,
"order_by": "updated_at",
"order_direction": "desc",
"path": None,
"search_type": SearchType.HYBRID,
},
"token": None,
}
assert response.status_code == 200
assert response.json() == {
"count": 0,
"next": None,
"previous": None,
"results": [],
}
assert mock_list.call_count == 1
assert mock_list.call_args[0][0].GET.get("q") == q
assert response.json() == mocked_response
@mock.patch("core.api.viewsets.DocumentViewSet.list")
@@ -194,8 +177,13 @@ def test_api_documents_search_invalid_params(indexer_settings):
@responses.activate
def test_api_documents_search_success(indexer_settings):
@patch("core.api.viewsets.refresh_access_token")
def test_api_documents_search_success(
mocked_refresh_access_token, indexer_settings, oidc_settings, settings
): # pylint: disable=unused-argument
"""Validate the format of documents as returned by the search view."""
mocked_refresh_access_token.side_effect = lambda session: session
indexer_settings.SEARCH_URL = "http://find/api/v1.0/search"
assert get_document_indexer() is not None
@@ -204,7 +192,7 @@ def test_api_documents_search_success(indexer_settings):
# Find response
responses.add(
responses.POST,
"http://find/api/v1.0/search",
indexer_settings.SEARCH_URL,
json=[
{
"_id": str(document["id"]),
@@ -213,7 +201,11 @@ def test_api_documents_search_success(indexer_settings):
],
status=200,
)
response = APIClient().get("/api/v1.0/documents/search/", data={"q": "alpha"})
user = factories.UserFactory()
client = APIClient()
client.force_login(user)
response = client.get("/api/v1.0/documents/search/", data={"q": "alpha"})
assert response.status_code == 200
content = response.json()
@@ -11,6 +11,7 @@ import responses
from rest_framework.test import APIClient
from waffle.testutils import override_flag
from core import factories
from core.enums import FeatureFlag, SearchType
from core.services.search_indexers import get_document_indexer
@@ -18,6 +19,7 @@ pytestmark = pytest.mark.django_db
@responses.activate
@mock.patch("core.api.viewsets.refresh_access_token")
@mock.patch("core.api.viewsets.DocumentViewSet._title_search")
@mock.patch("core.api.viewsets.DocumentViewSet._search_with_indexer")
@pytest.mark.parametrize(
@@ -44,12 +46,14 @@ pytestmark = pytest.mark.django_db
def test_api_documents_search_success( # noqa : PLR0913
mock_search_with_indexer,
mock_title_search,
mocked_refresh_access_token,
activated_flags,
expected_search_type,
expected_search_with_indexer_called,
expected_title_search_called,
indexer_settings,
):
oidc_settings,
): # pylint: disable=unused-argument
"""
Test that the API endpoint for searching documents returns a successful response
with the expected search type according to the activated feature flags,
@@ -59,7 +63,11 @@ def test_api_documents_search_success( # noqa : PLR0913
mock_search_with_indexer.return_value = HttpResponse()
mock_title_search.return_value = HttpResponse()
mocked_refresh_access_token.side_effect = lambda session: session
user = factories.UserFactory()
client = APIClient()
client.force_login(user)
with override_flag(
FeatureFlag.FLAG_FIND_HYBRID_SEARCH,
active=FeatureFlag.FLAG_FIND_HYBRID_SEARCH in activated_flags,
@@ -68,9 +76,7 @@ def test_api_documents_search_success( # noqa : PLR0913
FeatureFlag.FLAG_FIND_FULL_TEXT_SEARCH,
active=FeatureFlag.FLAG_FIND_FULL_TEXT_SEARCH in activated_flags,
):
response = APIClient().get(
"/api/v1.0/documents/search/", data={"q": "alpha"}
)
response = client.get("/api/v1.0/documents/search/", data={"q": "alpha"})
assert response.status_code == 200
@@ -0,0 +1,82 @@
"""Unit tests for the refresh_access_token utility function."""
import pytest
import responses
from cryptography.fernet import Fernet
from lasuite.oidc_login.backends import get_oidc_refresh_token, store_tokens
from requests import HTTPError
from rest_framework.exceptions import AuthenticationFailed
from core.api.utils import refresh_access_token
pytestmark = pytest.mark.django_db
@pytest.fixture(name="mock_oidc_settings")
def mock_oidc_settings_fixture(settings):
"""Fixture to mock OIDC settings."""
settings.OIDC_OP_TOKEN_ENDPOINT = "https://example.com/token"
settings.OIDC_RP_CLIENT_ID = "test-client-id"
settings.OIDC_RP_CLIENT_SECRET = "test-client-secret"
settings.OIDC_STORE_REFRESH_TOKEN = True
settings.OIDC_STORE_REFRESH_TOKEN_KEY = Fernet.generate_key()
yield settings
@responses.activate
def test_refresh_access_token_success(mock_oidc_settings): # pylint: disable=unused-argument
"""Test successful token refresh."""
session = {}
store_tokens(
session,
access_token="old-access-token",
id_token=None,
refresh_token="valid-refresh-token",
)
responses.add(
responses.POST,
"https://example.com/token",
json={
"access_token": "new-access-token",
"refresh_token": "new-refresh-token",
},
status=200,
)
result = refresh_access_token(session)
assert result == session
assert get_oidc_refresh_token(session) == "new-refresh-token"
def test_refresh_access_token_missing_refresh_token(mock_oidc_settings): # pylint: disable=unused-argument
"""Test that AuthenticationFailed is raised when refresh token is missing."""
session = {}
with pytest.raises(AuthenticationFailed) as exc_info:
refresh_access_token(session)
assert exc_info.value.detail == {"error": "Refresh token is missing from session"}
@responses.activate
def test_refresh_access_token_http_error(mock_oidc_settings): # pylint: disable=unused-argument
"""Test that HTTP errors are propagated when token endpoint fails."""
session = {}
store_tokens(
session,
access_token="old-access-token",
id_token=None,
refresh_token="valid-refresh-token",
)
responses.add(
responses.POST,
"https://example.com/token",
json={"error": "invalid_grant"},
status=401,
)
with pytest.raises(HTTPError):
refresh_access_token(session)