Releases: openedx/edx-drf-extensions

Updated the supported versions for python and Django

04 May 09:51
5.1.0

updated the tox and travis configs

Downgraded drf-jwt to 1.14.0

19 Mar 08:33

With drf-jwt>=1.15.0, unit tests running against SQLite failed to catch that the migrations of the new blacklist app in drf-jwt 1.15.0 and above fail in MySQL. So the version was downgraded to drf-jwt==1.14.0.

Release 4.0.4 as 5.0.0

16 Mar 18:14

5.0.0 is the same release as 4.0.4. It is being released as its own major version, because 4.0.1 had BREAKING CHANGES and should have been its own release. This 5.0.0 version is simply being used to call additional attention to the BREAKING CHANGES in 4.0.1.

NOTE: At this time, we do not plan on going through the effort of releasing 4.0.5 to revert back to 4.0.0, especially because this may add confusion to those that don't expect this revert.

Cherry-picks 3.0.1 fix on to 4.x.x

16 Mar 17:21

WARNING: BREAKING CHANGES were introduced separately in both 4.0.0 and 4.0.1.

This adds the fixes introduced in 3.0.1 to 4.x.x.

Added support for latest version of drf-jwt

16 Mar 08:32

WARNING: BREAKING CHANGES were introduced separately in both 4.0.0 and 4.0.1.

  • Remove constraint from drf-jwt
  • Added support for latest version of drf-jwt

fix for edx-drf-extensions 3.0.0

16 Mar 16:57

In 3.0.0, the switch oauth2.enforce_jwt_scopes was removed, which
starts checking is_restricted in JWTs. This works fine for JWTs created
with the LMS, but uncovered a pre-existing bug that will only show
itself in the Ecommerce Service for certain JWTs which were meant to be
decoded with a custom jwt_decode_handler. In the Ecommerce Service only,
this custom jwt_decode_handler is set using the JWT_DECODE_HANDLER
setting.

This fix updates the JWT code to respect the JWT_DECODE_HANDLER setting
of JWT_AUTH, and uses the configured handler rather than assuming the
edx-drf-extensions version will always be used.

Additionally, the fix accounts for JWTs that are missing certain
claims in the payload (e.g. 'is_restricted' and 'filters'), by using
appropriate defaults.

ARCHBOM-1036
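
The pattern the 3.0.1 note describes, as an added example that is not code from edx-drf-extensions: look up the decode handler from `JWT_AUTH` instead of assuming the built-in one, then read `is_restricted` and `filters` with defaults. The helper names, the HS256 sample tokens, and the default values (`False` and an empty list) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import importlib
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a constructed sample token (HS256) for the demonstration."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def make_decoder(secret: bytes):
    """Return a decode handler that verifies HS256 with `secret`."""
    def decode(token: str) -> dict:
        head, body, sig = token.split(".")
        if json.loads(_unb64url(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        good = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, _unb64url(sig)):
            raise ValueError("signature mismatch")
        return json.loads(_unb64url(body))
    return decode


def resolve_decode_handler(jwt_auth: dict, builtin):
    """Use JWT_AUTH['JWT_DECODE_HANDLER'] when set (callable or dotted path)."""
    handler = jwt_auth.get("JWT_DECODE_HANDLER", builtin)
    if isinstance(handler, str):
        module, _, name = handler.rpartition(".")
        handler = getattr(importlib.import_module(module), name)
    return handler


def restriction_claims(token: str, jwt_auth: dict, builtin) -> dict:
    payload = resolve_decode_handler(jwt_auth, builtin)(token)
    # Assumed defaults; the release note does not state the values used.
    return {"is_restricted": payload.get("is_restricted", False),
            "filters": payload.get("filters", [])}
```

A token signed for the custom handler fails verification when the built-in decoder is assumed, and succeeds once the configured handler is used.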

Loosened DRF constraint in requirements

10 Mar 12:11

WARNING: BREAKING CHANGES were introduced separately in both 4.0.0 and 4.0.1.

Removed upper limit constraint for DRF in requirements.

Django 2.2 Support

09 Mar 10:32
  • All django 2.2 tests were fixed and now edx-drf-extensions properly supports django>=1.11,<=2.2.
  • djangorestframework-jwt library was replaced with drf-jwt to support django2.2.

BREAKING CHANGES:

  • To preserve compatibility with existing clients, the JWT_AUTH_HEADER_PREFIX Django setting must be set to "JWT". This was the default in djangorestframework-jwt, but it changed to "Bearer" in drf-jwt 1.12.8.
  • You may also need to add rest_framework_jwt and rest_framework_jwt.blacklist to the INSTALLED_APPS list.

Removing ENABLE_ANONYMOUS_ACCESS_ROLLOUT flag

06 Mar 16:35

The ENABLE_ANONYMOUS_ACCESS_ROLLOUT flag was temporarily used to facilitate rollout
of CSRF protection for MFEs. With that effort finished, the flag is no longer necessary
and is now being removed.

This removes the flag and replaces it with
logic equivalent to setting ENABLE_ANONYMOUS_ACCESS_ROLLOUT to True.

remove oauth2.enforce_jwt_scopes toggle

24 Feb 21:53

The oauth2.enforce_jwt_scopes waffle switch was added temporarily for
the rollout of JWT scopes. This removes the toggle and replaces it with
logic equivalent to setting oauth2.enforce_jwt_scopes to True.

BREAKING CHANGE:

This removes a toggle that may or may not have been set in any
particular environment, and was defaulted to False.

Before taking this upgrade:

  • Make sure your IDA includes EnsureJWTAuthSettingsMiddleware in its
    declared MIDDLEWARE or MIDDLEWARE_CLASSES.
  • Although you could first check and/or set the
    oauth2.enforce_jwt_scopes waffle switch to True in all environments
    for your IDA, this upgrade is unlikely to cause an issue. If you want to
    play it safe, setting the switch first is how you do it, but then you
    need to remove the switch.

After taking this upgrade:

  • Once the upgrade has been deployed and is stable, delete the
    oauth2.enforce_jwt_scopes waffle switch from all environments for the
    IDA with the upgrade.