fix username logging in uwsgi for requests with TokenAuthentication (#14322)

* fix username logging in uwsgi for requests with TokenAuthentication

* added unit test

* missed fixture versioning

Author: fopina

dojo/middleware.py

@@ -64,17 +64,19 @@ def __call__(self, request):
                     fullURL = f"{settings.LOGIN_URL}?next={quote(request.get_full_path())}"
                 return HttpResponseRedirect(fullURL)
 
+        if request.user.is_authenticated:
+            path = request.path_info.lstrip("/")
+            if Dojo_User.force_password_reset(request.user) and path != "change_password":
+                return HttpResponseRedirect(reverse("change_password"))
+
+        response = self.get_response(request)
         if request.user.is_authenticated:
             logger.debug("Authenticated user: %s", request.user)
             with suppress(ModuleNotFoundError):  # to avoid unittests to fail
                 uwsgi = __import__("uwsgi", globals(), locals(), ["set_logvar"], 0)
                 # this populates dd_user log var, so can appear in the uwsgi logs
                 uwsgi.set_logvar("dd_user", str(request.user))
-            path = request.path_info.lstrip("/")
-            if Dojo_User.force_password_reset(request.user) and path != "change_password":
-                return HttpResponseRedirect(reverse("change_password"))
-
-        return self.get_response(request)
+        return response
 
 
 class CustomSocialAuthExceptionMiddleware(SocialAuthExceptionMiddleware):

unittests/test_middleware_login_required.py

@@ -0,0 +1,65 @@
+from types import SimpleNamespace
+from unittest.mock import Mock, patch
+
+from django.contrib.auth.models import AnonymousUser
+from django.http import HttpResponse
+from django.test import RequestFactory
+from rest_framework.authentication import TokenAuthentication
+from rest_framework.authtoken.models import Token
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from dojo.middleware import LoginRequiredMiddleware
+from dojo.models import User
+
+from .dojo_test_case import DojoTestCase, versioned_fixtures
+
+
+class TokenAuthenticatedView(APIView):
+    authentication_classes = (TokenAuthentication,)
+    permission_classes = (IsAuthenticated,)
+
+    def get(self, request):
+        return Response({"username": request.user.username})
+
+
+@versioned_fixtures
+class TestLoginRequiredMiddlewareDdUser(DojoTestCase):
+    fixtures = ["dojo_testdata.json"]
+
+    def setUp(self):
+        super().setUp()
+        self.factory = RequestFactory()
+        self.admin = User.objects.get(username="admin")
+
+    def test_sets_dd_user_for_session_authenticated_request(self):
+        request = self.factory.get("/dashboard")
+        request.user = self.admin
+
+        middleware = LoginRequiredMiddleware(lambda _request: HttpResponse("OK"))
+        fake_uwsgi = SimpleNamespace(set_logvar=Mock())
+
+        with patch.dict("sys.modules", {"uwsgi": fake_uwsgi}):
+            response = middleware(request)
+
+        self.assertEqual(200, response.status_code)
+        fake_uwsgi.set_logvar.assert_called_once_with("dd_user", str(self.admin))
+
+    def test_sets_dd_user_for_drf_token_authenticated_request(self):
+        token, _ = Token.objects.get_or_create(user=self.admin)
+
+        request = self.factory.get(
+            "/api/v2/mock-endpoint/",
+            HTTP_AUTHORIZATION=f"Token {token.key}",
+        )
+        request.user = AnonymousUser()
+
+        middleware = LoginRequiredMiddleware(TokenAuthenticatedView.as_view())
+        fake_uwsgi = SimpleNamespace(set_logvar=Mock())
+
+        with patch.dict("sys.modules", {"uwsgi": fake_uwsgi}):
+            response = middleware(request)
+
+        self.assertEqual(200, response.status_code)
+        fake_uwsgi.set_logvar.assert_called_once_with("dd_user", str(self.admin))