Update authentication scheme from Token to JWT

[tomatoprinx]

Types of changes

• Refactoring

Description

add 2 APIs:

1. api/token
2. api/token/refresh

resolves #1035

Steps to Test This Pull Request

Authenticate with JWT access token

1. send GET request to api/token/

curl --location --request POST 'http://127.0.0.1:8000/api/token/' \
--header 'Content-Type: application/json' \
--data'{
    "email": "email",
    "password": "password"
}'

2. retrieve access token and refresh token

{
    "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTYyOTAwMDU1MywianRpIjoiMTc4MjMzZjBjZmY1NGIyNmIxZjRjNzJiYzZjMTI1ZmIiLCJ1c2VyX2lkIjoxNDczMjAyNjg3MzU1OTEyMTk0fQ.tzUPzWf0YTGzz7np9Pn6P_pmTkADioZZHaMuLpzbDcA",
    "access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNjI4OTE0NDUzLCJqdGkiOiJmOTdmNzM2NmI2OTE0MzdlOWIxMDljMDhjNGFhZTJmYyIsInVzZXJfaWQiOjE0NzMyMDI2ODczNTU5MTIxOTR9.Nvcn420emlxgT_tIyqQXaFu84npe9XVVTZO9UL-RAqY"
}

3. verify access token with header Authorization: Token <access-token>

curl --location --request GET 'http://127.0.0.1:8000/api/sponsors' \
--header 'Authorization: Token eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNjI4OTA4Njc2LCJqdGkiOiI0YWJkNjY1ZTUyMTI0ZWE0YmQxM2Y4MmNkMDFlOGQ1YyIsInVzZXJfaWQiOjE0NzMyMDI2ODczNTU5MTIxOTR9.sTVkLAAfNKNyit6kwB069czVbYEqQtIwFSp7zZHVrUk' 

access token has expired ↓↓↓

{
    "detail": "Given token not valid for any token type",
    "code": "token_not_valid",
    "messages": [
        {
            "token_class": "AccessToken",
            "token_type": "access",
            "message": "Token is invalid or expired"
        }
    ]
}

refresh token has expired

{
    "detail": "Token is invalid or expired",
    "code": "token_not_valid"
}

---

Refresh an expired access token

1. send GET request to api/token/refresh/ to refresh access token

curl --location --request POST 'http://127.0.0.1:8000/api/token/refresh/' \
--header 'Content-Type: application/json' \
--data '{
    "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTYyODk5MDQyNCwianRpIjoiOWQyZjdjYjFmOTkxNDExNDg0NzU5MTFhZTNhYmU2ZjAiLCJ1c2VyX2lkIjoxNDczMjAyNjg3MzU1OTEyMTk0fQ.i7hNgCJQ3taPkBj8f7fA4y0enC32Ff_t52q3PV3um_0"
}'

response

{
    "access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNjI4OTE0NzQ4LCJqdGkiOiI4Y2IyNTM1OTAwZDE0NmRjOTUwN2YwNTUzMjM0ZDI4NiIsInVzZXJfaWQiOjE0NzMyMDI2ODczNTU5MTIxOTR9.HwYx-me_X7jwMMVOsB8d9Fd_bn3gYayoPetMo_JrMCo"
}

Expected behavior

• call api/token/ to retrieve access token and refresh token
• call api/token/refresh to refresh access token when expired
• the access token is expected to expire after 5 mins
• the refresh token is expected to expire after 1 day

More Information

• django-rest-framework-simplejwt

[codecov-commenter]

Codecov Report

Merging #1038 (fbc7e34) into master (53db620) will decrease coverage by 0.08%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #1038      +/-   ##
==========================================
- Coverage   68.54%   68.46%   -0.09%     
==========================================
  Files          90       91       +1     
  Lines        3526     3529       +3     
==========================================
- Hits         2417     2416       -1     
- Misses       1109     1113       +4     

Impacted Files	Coverage Δ
src/pycontw2016/urls.py	85.71% <ø> (ø)
src/attendee/api/views.py	48.00% <100.00%> (ø)
src/events/api/views.py	43.71% <100.00%> (ø)
src/security/urls.py	100.00% <100.00%> (ø)
src/sponsors/api/views.py	41.17% <100.00%> (ø)
src/core/authentication.py	0.00% <0.00%> (-100.00%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 53db620...fbc7e34. Read the comment docs.