Fix user can get in bad auth state while navigating

Author: daniel-slaugh

django/domains/iam/auth/adapters.py

@@ -36,7 +36,14 @@ def is_open_for_signup(self, request: HttpRequest):
     def _consume_handoff_messages(self, request: HttpRequest, redirect_url: str) -> str:
         handoff_url = get_stored_account_post_auth_handoff(request)
         if handoff_url and redirect_url == handoff_url:
-            list(get_messages(request))
+            storage = get_messages(request)
+            list(storage)
+            if hasattr(storage, "_queued_messages"):
+                storage._queued_messages.clear()
+            if hasattr(storage, "_loaded_data"):
+                storage._loaded_data.clear()
+            if hasattr(storage, "used"):
+                storage.used = True
         return redirect_url
 
     def _should_skip_handoff_message(

django/interfaces/actions/management/commands/load_etl_test_data.py

@@ -1,21 +1,23 @@
+from pathlib import Path
+
 from django.core.management.base import BaseCommand
 from django.core.management import call_command
 
 
+BASE_DIR = Path(__file__).resolve().parents[4]
+
+
 class Command(BaseCommand):
     help = "Loads test data from fixtures"
 
     def handle(self, *args, **kwargs):
         fixtures = [
-            "tests/fixtures/test_etl_data_connections.yaml",
-            "tests/fixtures/test_etl_orchestration_systems.yaml",
-            "tests/fixtures/test_etl_tasks.yaml",
+            BASE_DIR / "tests/fixtures/test_etl_data_connections.yaml",
+            BASE_DIR / "tests/fixtures/test_etl_orchestration_systems.yaml",
+            BASE_DIR / "tests/fixtures/test_etl_tasks.yaml",
         ]
 
         for fixture in fixtures:
             self.stdout.write(self.style.NOTICE(f"Loading fixture: {fixture}"))
-            try:
-                call_command("loaddata", fixture)
-                self.stdout.write(self.style.SUCCESS(f"Successfully loaded {fixture}"))
-            except Exception as e:
-                self.stderr.write(self.style.ERROR(f"Failed to load {fixture}: {e}"))
+            call_command("loaddata", str(fixture))
+            self.stdout.write(self.style.SUCCESS(f"Successfully loaded {fixture}"))

django/interfaces/actions/management/commands/load_iam_test_data.py

@@ -1,23 +1,25 @@
+from pathlib import Path
+
 from django.core.management.base import BaseCommand
 from django.core.management import call_command
 
 
+BASE_DIR = Path(__file__).resolve().parents[4]
+
+
 class Command(BaseCommand):
     help = "Loads test data from fixtures"
 
     def handle(self, *args, **kwargs):
         fixtures = [
-            "tests/fixtures/test_users.yaml",
-            "tests/fixtures/test_workspaces.yaml",
-            "tests/fixtures/test_roles.yaml",
-            "tests/fixtures/test_collaborators.yaml",
-            "tests/fixtures/test_api_keys.yaml",
+            BASE_DIR / "tests/fixtures/test_users.yaml",
+            BASE_DIR / "tests/fixtures/test_workspaces.yaml",
+            BASE_DIR / "tests/fixtures/test_roles.yaml",
+            BASE_DIR / "tests/fixtures/test_collaborators.yaml",
+            BASE_DIR / "tests/fixtures/test_api_keys.yaml",
         ]
 
         for fixture in fixtures:
             self.stdout.write(self.style.NOTICE(f"Loading fixture: {fixture}"))
-            try:
-                call_command("loaddata", fixture)
-                self.stdout.write(self.style.SUCCESS(f"Successfully loaded {fixture}"))
-            except Exception as e:
-                self.stderr.write(self.style.ERROR(f"Failed to load {fixture}: {e}"))
+            call_command("loaddata", str(fixture))
+            self.stdout.write(self.style.SUCCESS(f"Successfully loaded {fixture}"))

django/interfaces/actions/management/commands/load_sta_test_data.py

@@ -1,30 +1,32 @@
+from pathlib import Path
+
 from django.core.management.base import BaseCommand
 from django.core.management import call_command
 
 
+BASE_DIR = Path(__file__).resolve().parents[4]
+
+
 class Command(BaseCommand):
     help = "Loads test data from fixtures"
 
     def handle(self, *args, **kwargs):
         fixtures = [
-            "tests/fixtures/test_users.yaml",
-            "tests/fixtures/test_workspaces.yaml",
-            "tests/fixtures/test_roles.yaml",
-            "tests/fixtures/test_collaborators.yaml",
-            "tests/fixtures/test_things.yaml",
-            "tests/fixtures/test_observed_properties.yaml",
-            "tests/fixtures/test_processing_levels.yaml",
-            "tests/fixtures/test_result_qualifiers.yaml",
-            "tests/fixtures/test_sensors.yaml",
-            "tests/fixtures/test_units.yaml",
-            "tests/fixtures/test_datastreams.yaml",
-            "tests/fixtures/test_observations.yaml",
+            BASE_DIR / "tests/fixtures/test_users.yaml",
+            BASE_DIR / "tests/fixtures/test_workspaces.yaml",
+            BASE_DIR / "tests/fixtures/test_roles.yaml",
+            BASE_DIR / "tests/fixtures/test_collaborators.yaml",
+            BASE_DIR / "tests/fixtures/test_things.yaml",
+            BASE_DIR / "tests/fixtures/test_observed_properties.yaml",
+            BASE_DIR / "tests/fixtures/test_processing_levels.yaml",
+            BASE_DIR / "tests/fixtures/test_result_qualifiers.yaml",
+            BASE_DIR / "tests/fixtures/test_sensors.yaml",
+            BASE_DIR / "tests/fixtures/test_units.yaml",
+            BASE_DIR / "tests/fixtures/test_datastreams.yaml",
+            BASE_DIR / "tests/fixtures/test_observations.yaml",
         ]
 
         for fixture in fixtures:
             self.stdout.write(self.style.NOTICE(f"Loading fixture: {fixture}"))
-            try:
-                call_command("loaddata", fixture)
-                self.stdout.write(self.style.SUCCESS(f"Successfully loaded {fixture}"))
-            except Exception as e:
-                self.stderr.write(self.style.ERROR(f"Failed to load {fixture}: {e}"))
+            call_command("loaddata", str(fixture))
+            self.stdout.write(self.style.SUCCESS(f"Successfully loaded {fixture}"))

django/interfaces/http/auth/oidc.py

@@ -3,7 +3,6 @@
 from allauth.idp.oidc.adapter import get_adapter
 from allauth.idp.oidc.internal.tokens import decode_jwt_token
 from allauth.idp.oidc.models import Client, Token
-from ninja.errors import HttpError
 from ninja.security import HttpBearer
 
 
@@ -17,8 +16,7 @@ def authenticate(self, request, token):
             request.user = user
             request.principal = user
             return user
-        elif token:
-            raise HttpError(401, "Invalid token")
+        return None
 
     def _authenticate_opaque_token(self, token):
         access_token = Token.objects.lookup(Token.Type.ACCESS_TOKEN, token)

django/templates/account/login.html

@@ -35,6 +35,7 @@
             {% endelement %}
         {% endslot %}
     {% endelement %}
+
 {% endif %}
 
 {% if LOGIN_BY_CODE_ENABLED or PASSKEY_LOGIN_ENABLED %}

django/tests/conftest.py

@@ -12,7 +12,7 @@ def django_db_setup(django_db_setup, django_db_blocker):
     with django_db_blocker.unblock():
         call_command("migrate")
 
-        call_command("loaddata", "domains/iam/fixtures/default_roles.yaml")
+        call_command("loaddata", "default_roles")
         call_command("load_iam_test_data")
         call_command("load_sta_test_data")
         call_command("load_etl_test_data")

django/tests/hydroserver/test_oidc_auth.py

@@ -2,10 +2,9 @@
 import uuid
 
 import jwt
-import pytest
 from django.contrib.auth import get_user_model
 from django.test import RequestFactory
-from ninja.errors import HttpError
+import pytest
 
 from allauth.core.context import request_context
 from allauth.core.internal import jwkkit
@@ -113,10 +112,7 @@ def test_oidc_auth_rejects_expired_opaque_tokens(request_factory, oidc_client):
     access_token.set_scopes(["openid", "profile", "email"])
     access_token.save(update_fields=["scopes"])
 
-    with pytest.raises(HttpError) as exc_info:
-        oidc_auth.authenticate(request, token_value)
-
-    assert exc_info.value.status_code == 401
+    assert oidc_auth.authenticate(request, token_value) is None
 
 
 def test_oidc_auth_rejects_jwt_access_tokens_without_matching_audience(
@@ -144,10 +140,7 @@ def test_oidc_auth_rejects_jwt_access_tokens_without_matching_audience(
     )
 
     with request_context(request):
-        with pytest.raises(HttpError) as exc_info:
-            oidc_auth.authenticate(request, token_value)
-
-    assert exc_info.value.status_code == 401
+        assert oidc_auth.authenticate(request, token_value) is None
 
 
 def test_oidc_auth_rejects_expired_jwt_tokens(request_factory, oidc_client, settings):
@@ -173,19 +166,42 @@ def test_oidc_auth_rejects_expired_jwt_tokens(request_factory, oidc_client, sett
     )
 
     with request_context(request):
-        with pytest.raises(HttpError) as exc_info:
-            oidc_auth.authenticate(request, token_value)
-
-    assert exc_info.value.status_code == 401
+        assert oidc_auth.authenticate(request, token_value) is None
 
 
 def test_oidc_auth_rejects_invalid_access_tokens(request_factory):
     request = request_factory.get("/api/data/workspaces")
 
-    with pytest.raises(HttpError) as exc_info:
-        oidc_auth.authenticate(request, "invalid-access-token")
+    assert oidc_auth.authenticate(request, "invalid-access-token") is None
+
+
+def test_public_workspace_listing_ignores_invalid_bearer_token(client):
+    response = client.get(
+        "/api/data/workspaces?expand_related=true",
+        HTTP_AUTHORIZATION="Bearer invalid-access-token",
+    )
+
+    assert response.status_code == 200
+
+
+def test_public_thing_markers_ignore_invalid_bearer_token(client):
+    response = client.get(
+        "/api/data/things/markers",
+        HTTP_AUTHORIZATION="Bearer invalid-access-token",
+    )
+
+    assert response.status_code == 200
+
+
+def test_protected_workspace_creation_with_invalid_bearer_token_returns_401(client):
+    response = client.post(
+        "/api/data/workspaces?expand_related=true",
+        data={"name": "Unauthorized"},
+        content_type="application/json",
+        HTTP_AUTHORIZATION="Bearer invalid-access-token",
+    )
 
-    assert exc_info.value.status_code == 401
+    assert response.status_code == 401
 
 
 def test_browser_session_endpoint_returns_authenticated_account(client):