Add option to decode access token

ckng0221 · ckng0221 · commit d2c961aff5d1 · 2023-02-24T23:55:03.000+08:00
diff --git a/.gitignore b/.gitignore
@@ -7,6 +7,7 @@
 .cache
 .python-version
 .venv
+venv/
 .idea/
 
 /build/
@@ -17,3 +18,4 @@
 
 # Editors
 .idea/
+.vscode/
diff --git a/README.rst b/README.rst
@@ -72,3 +72,7 @@ you can use the ``COGNITO_USER_MODEL`` setting.
 .. code-block:: python
 
 	COGNITO_USER_MODEL = "myproject.AppUser"
+
+The library by default uses id token. To use access token, add the following lines to your Django ``settings.py`` file:
+.. {'id', 'access'} Default: 'id'
+COGNITO_TOKEN_TYPE = 'access' 
diff --git a/src/django_cognito_jwt/backend.py b/src/django_cognito_jwt/backend.py
@@ -58,6 +58,7 @@ def get_token_validator(self, request):
             settings.COGNITO_AWS_REGION,
             settings.COGNITO_USER_POOL,
             settings.COGNITO_AUDIENCE,
+            settings.COGNITO_TOKEN_TYPE,
         )
 
     def authenticate_header(self, request):
diff --git a/src/django_cognito_jwt/validator.py b/src/django_cognito_jwt/validator.py
@@ -1,4 +1,5 @@
 import json
+from typing import Literal
 
 import jwt
 import requests
@@ -13,10 +14,14 @@ class TokenError(Exception):
 
 
 class TokenValidator:
-    def __init__(self, aws_region, aws_user_pool, audience):
+    def __init__(self, aws_region, aws_user_pool, audience, token_type: Literal["id", "access"] = "id"):
         self.aws_region = aws_region
         self.aws_user_pool = aws_user_pool
         self.audience = audience
+        self.token_type = token_type
+
+        if token_type not in ["id", "access"]:
+            raise TokenError("Invalid token type. Choose either id or access token.")
 
     @cached_property
     def pool_url(self):
@@ -58,13 +63,16 @@ def validate(self, token):
             raise TokenError("No key found for this token")
 
         try:
-            jwt_data = jwt.decode(
-                token,
-                public_key,
-                audience=self.audience,
-                issuer=self.pool_url,
-                algorithms=["RS256"],
-            )
+            params = {
+                "jwt": token,
+                "key": public_key,
+                "issuer": self.pool_url,
+                "algorithms": ["RS256"]
+            }
+            if self.token_type == "id":
+                params.update({"audience": self.audience})
+
+            jwt_data = jwt.decode(**params)
         except (
             jwt.InvalidTokenError,
             jwt.ExpiredSignatureError,

Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,7 @@ def get_token_validator(self, request):`
`58`	`58`	`settings.COGNITO_AWS_REGION,`
`59`	`59`	`settings.COGNITO_USER_POOL,`
`60`	`60`	`settings.COGNITO_AUDIENCE,`
	`61`	`+ settings.COGNITO_TOKEN_TYPE,`
`61`	`62`	`)`
`62`	`63`
`63`	`64`	`def authenticate_header(self, request):`