[fix] Exempt REST API requests from password expiration middleware #511 (#538)
Conversation
…enwisp#511 Password expiration was redirecting authenticated API requests to an HTML password-change page instead of returning a proper API response, breaking API clients. The middleware now detects DRF API views via the resolver's view class (works regardless of where a host project mounts the API) and skips the redirect for them. Closes openwisp#511
No actionable comments were generated in the recent review.
Walkthrough

The PasswordExpirationMiddleware was changed to use request.resolver_match instead of calling resolve(request.path), with a None guard for cases where no resolver match exists. The middleware now detects DRF APIView-based requests via the cls attribute set by APIView.as_view() and skips redirects for such API requests, while retaining the existing exempted_url_names check for non-API requests. A corresponding test was added to verify authenticated API requests with expired passwords return 200 rather than being redirected.

Estimated code review effort: 2 (Simple) | ~15 minutes

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Client
    participant PasswordExpirationMiddleware
    participant DRFAPIView
    Client->>PasswordExpirationMiddleware: Request with expired password
    PasswordExpirationMiddleware->>PasswordExpirationMiddleware: Check request.resolver_match
    PasswordExpirationMiddleware->>DRFAPIView: Check if view is APIView subclass
    DRFAPIView-->>PasswordExpirationMiddleware: Is API request
    PasswordExpirationMiddleware->>Client: Pass through response (no redirect)
```
Suggested labels: bug, backend. Suggested reviewers: none identified.
Checklist
Reference to Existing Issue
Closes #511
Description of Changes
- `PasswordExpirationMiddleware` now checks `request.resolver_match.func.cls` against `APIView` (prefix-independent, works regardless of where a host project mounts the API) and skips the redirect for API requests.
- `test_api_request_not_redirected`: an expired-password user hits a token-authenticated API endpoint; asserts 200, not 302.
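The decision logic summarised in the review walkthrough and in the description above, as an added stand-alone model (not code from the openwisp project). Django and DRF are replaced by minimal stand-ins so it runs offline; the only DRF behaviour it relies on is that `APIView.as_view()` sets a `cls` attribute on the returned view callable. The `password_expired` flag, the exempted URL names, the password-change URL and the `status_for` helper are constructed for the example, and the model assumes `request.resolver_match` has already been populated when the check runs. The `exempt_api=False` switch reproduces the pre-fix behaviour so the regression (302 instead of 200 for an API client) is visible side by side with the fix.

```python
# Added example, not the openwisp project's own middleware: a model of the
# exemption check described in the PR, with Django/DRF replaced by stand-ins.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Response:
    """Stand-in for an HTTP response: only the status and headers matter here."""
    status_code: int
    headers: dict = field(default_factory=dict)


class APIView:
    """Stand-in for rest_framework.views.APIView."""

    @classmethod
    def as_view(cls) -> Callable:
        def view(request):
            return Response(200)

        # DRF's APIView.as_view() also sets this attribute on the callable;
        # it is what lets the middleware recognise API views by class.
        view.cls = cls
        return view


def html_view(request):
    """A plain Django-style function view: no ``cls`` attribute."""
    return Response(200)


@dataclass
class ResolverMatch:
    """Stand-in for django.urls.ResolverMatch."""
    func: Callable
    url_name: Optional[str] = None


@dataclass
class User:
    is_authenticated: bool = True
    password_expired: bool = False  # constructed flag for the project's expiry check


@dataclass
class Request:
    user: User
    resolver_match: Optional[ResolverMatch] = None  # assumed populated before the check


PASSWORD_CHANGE_URL = "/accounts/password/change/"  # constructed value
EXEMPTED_URL_NAMES = {"account_change_password", "account_logout"}  # constructed values


def is_api_request(request: Request) -> bool:
    """True when the resolved view was produced by APIView.as_view()."""
    match = request.resolver_match
    if match is None:  # the None guard: nothing resolved, treat as non-API
        return False
    view_cls = getattr(match.func, "cls", None)
    return isinstance(view_cls, type) and issubclass(view_cls, APIView)


def password_expiration_check(request: Request, exempt_api: bool = True) -> Optional[Response]:
    """Return a 302 Response when the request must be diverted, else None.

    exempt_api=False reproduces the pre-fix behaviour for comparison.
    """
    user = request.user
    if not user.is_authenticated or not user.password_expired:
        return None
    if exempt_api and is_api_request(request):
        return None  # API clients get the real response, not an HTML redirect
    match = request.resolver_match
    if match is not None and match.url_name in EXEMPTED_URL_NAMES:
        return None  # existing exempted_url_names check for non-API requests
    return Response(302, headers={"Location": PASSWORD_CHANGE_URL})


def status_for(view: Callable, url_name: Optional[str], expired: bool,
               exempt_api: bool = True) -> int:
    """Run one constructed request through the check; return the status the client sees."""
    request = Request(
        user=User(password_expired=expired),
        resolver_match=ResolverMatch(func=view, url_name=url_name),
    )
    redirect = password_expiration_check(request, exempt_api=exempt_api)
    return redirect.status_code if redirect else view(request).status_code


if __name__ == "__main__":
    api_view = APIView.as_view()
    print("API, expired, fixed:  ", status_for(api_view, "api_users_list", True))         # 200
    print("API, expired, pre-fix:", status_for(api_view, "api_users_list", True, False))  # 302
    print("HTML, expired:        ", status_for(html_view, "dashboard", True))             # 302
    print("HTML, exempted name:  ", status_for(html_view, "account_logout", True))        # 200
```

Because the check keys off the view class rather than a URL prefix, it behaves the same whether the host project mounts the API at `/api/`, `/v1/` or anywhere else; an HTML view with an expired password is still redirected, and a view whose URL name is in the exempted set still passes.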