Hi, I am currently upgrading a project to use this fork from the original jpadilla version. So far the breaking changes have been clearly documented; however, I ran across this one which was not.
Previously, ObtainJSONWebTokenView in jpadilla's version would raise ValidationError("User account is disabled.") if a non-active user attempted to use the view and obtain a token. However, now in the "Dropped support for drf<3.7, django<1.11. Refactored tests." commit, JSONWebTokenSerializer.validate was changed to no longer fail if the user was inactive.
The other views provided by this library use serializers like VerifyAuthTokenSerializer and RefreshAuthTokenSerializer which call check_user in their validate method which does raise for inactive users, however ObtainJSONWebTokenView uses JSONWebTokenSerializer which no longer does.
We can work around this change in our usage of drf-jwt for now, however:
- I'm not sure how intended this change in behaviour was, but perhaps there is a good reason for this change?
- It's a bit odd that the other views do check this but ObtainJSONWebTokenView does not.
- This is a breaking change from the old version and might trip up other users migrating.
If there is a good reason for this change then I am happy to open an MR updating the documentation to clearly state this change. However, if not and we believe this should be fixed, then I am also happy to fix it. To do so, my initial thoughts are:
- Call check_user in JSONWebTokenSerializer.validate
- Create a new Serializer for ObtainJSONWebTokenView which calls check_user
- Copy the exact old check from jpadilla's JSONWebTokenSerializer.validate back into this library's version
Let me know which if any of these you would prefer.
Thanks for the fork and all the new features!