Full test infrastructure, code audit fixes, and real E2E integration tests

Test infrastructure: - Django standalone test runner (pytest-django, test settings, EmailUser model) - React unit tests via Vitest with jsdom, jest compat layer, path aliases - Playwright E2E tests using generated hooks in a real Chromium browser - Docker Compose test backend (Django + Redis) for integration testing - Desktop integration test app (PyWebView + Django + uvicorn) - Makefile with test/test-django/test-react/test-integration targets Library bugs found and fixed: - hasJWT truthiness: undefined !== null was true, skipping session init - process.env crash: CSR client referenced process.env in non-Node browsers - baseUrl not forwarded: DjareaProvider didn't pass baseUrl to CSR client - Relative URL handling: new URL() failed with relative base paths - call() race condition: HTTP requests fired before CSRF cookie was set - Session init await: added sessionRef promise so call() waits for session - path_prefix on schema export: both export commands failed with URL reverse - NullBooleanField removed: referenced field doesn't exist in Django 5.0+ - lru_cache on JWT settings: get_settings() now cached as intended - Channel message routing: broadcasts now include channel name and params - httpFunctionCall: fixed URL and request body format Generator fixes: - Removed 1,100 lines of REST/OpenAPI client generation (not part of Djarea) - Generator now works for djarea-only projects without django-ninja REST APIs - Generated DjangoContext now includes ChannelProvider when channels exist - Fixed env var passthrough for schema export commands - Deduplicated fetch logic into single runDjangoCommand helper Test quality: - Fixed 33 tautological Django tests with real assertions - Found hidden bug: benchmark functions were never registered - Found hidden bug: unicode lookalike test used plain ASCII - Deleted worthless React unit tests (duplicates, shape checks, Zod-tests-Zod) - Replaced jsdom integration tests with Playwright browser tests Example apps: - example/: Integration test backend with 33 server functions, 5 forms, 4 channels covering auth variations, contexts, class-based ServerFunction, error codes, DjareaFormMixin, formsets, and JWT - desktop/: PyWebView desktop app with file system access, SQLite CRUD, system introspection, and 39 real HTTP integration tests Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 01:17:48 -04:00
commit 4451ec24a1
179 changed files with 27699 additions and 0 deletions
--- a/django/src/djarea/jwt/security.py
+++ b/django/src/djarea/jwt/security.py
@@ -0,0 +1,64 @@
+"""
+Django Ninja Security Classes for JWT Authentication
+
+Provides authentication classes that can be used with Django Ninja's
+auth parameter to protect API endpoints.
+"""
+
+from django.http import HttpRequest
+from ninja.security import HttpBearer
+
+from .tokens import decode_token, JWTUser
+
+
+class JWTAuth(HttpBearer):
+    """
+    JWT Bearer token authentication for Django Ninja.
+
+    Usage:
+        from ninja_jwt_session import jwt_auth
+
+        @api.get("/protected/", auth=jwt_auth)
+        def protected_endpoint(request):
+            return {"user_id": request.user.id}
+
+    Or globally:
+        api = NinjaExtraAPI(auth=[django_auth, jwt_auth])
+
+    The token must be passed in the Authorization header:
+        Authorization: Bearer <access_token>
+
+    IMPORTANT: This is stateless - no database query is made.
+    request.user is a JWTUser object with id, is_staff, is_superuser.
+    If you need the full User object, query it explicitly:
+        user = User.objects.get(pk=request.user.id)
+    """
+
+    def authenticate(self, request: HttpRequest, token: str):
+        """
+        Validate the JWT and return a JWTUser if valid.
+
+        Returns None (authentication failed) if:
+        - Token is invalid or expired
+        - Token is not an access token
+
+        Note: No database query is made. The JWTUser is created from
+        token claims. This is truly stateless authentication.
+        """
+        # Decode and validate the token
+        payload = decode_token(token, expected_type="access")
+
+        if payload is None:
+            return None
+
+        # Create JWTUser from token claims - NO DATABASE QUERY
+        jwt_user = JWTUser(payload)
+
+        # Set request.user for compatibility with code expecting it
+        request.user = jwt_user
+
+        return jwt_user
+
+
+# Singleton instance for convenience
+jwt_auth = JWTAuth()