Enable custom user authentication role for token refreshes

[Larspolo]

Since #814 the TokenRefreshSerializer (correctly) validates the authentication of the user before continuing. However, initial validation might differ from the refresh validation. I dont think there is an option to change this. Would a solution be to add a REFRESH_USER_AUTHENTICATION_RULE setting which by default is USER_AUTHENTICATION_RULE?

[Andrew-Chen-Wang]

initial validation might differ from the refresh validation.

Can you clarify what you mean by this?

[Larspolo]

I have a custom implementation of USER_AUTHENTICATION_RULE which also checks if the user is able to login via the token endpoint. This is not available for users that have restricted login options enforced by their company. However, once they are logged in via another method, the user will still make use of the USER_AUTHENTICATION_RULE when trying to refresh their token

[Andrew-Chen-Wang]

I see. My immediate answer would be to inherit the serializer you're using and create a custom implementation. I'm not sure how widely this is needed or has been asked for. Since authentication is such a sprawling field, I've always leaned into asking folks to customize the serializers rather than making more changes to the library unless it was spec related.

---

Broadly speaking, an enhancement can be accepted, but there'd be two issues:

1. What happens if we create more serializers? Would we need an authentication rule per serializer?
2. What if the USER_AUTHENTICATION_RULE accepted the token and the serializer class as arguments? Would that be useful and cater to all needs?

I think point 2 is the best option to reduce the number of settings options. In the case of point 2, the user authentication function only accepts one parameter: user. To be backwards compatible, you should take a look into Python annotations with the inspect package to do some form of dependency injection: injecting variables depending on whether and where they appear in a function signature.

Let me know; I'm open to PRs!