django-rest-framework-social-oauth2
secure django-rest-framework-social-oauth2 views
Hello Team,
I am creating an OAuth provider using django-rest-framework-social-oauth2. I only need to use the convert-token API, but I need to put django-rest-framework-social-oauth2.urls in my urls.py; without this I get the error:
NoReverseMatch at /oauth/yg-token/
'social' is not a registered namespace
I do not need path('auth/', include('rest_framework_social_oauth2.urls')), as this would pose security concerns of it being accessed by someone (I know it will not happen, as on prod we would keep DEBUG=True, so there will not be anyone accessing the API), but still I am concerned about some edge cases. Also, I want to use the convert-token logic just to create a token in another API and give it back to me. I did that, but I am getting the above error. My custom view to enable the convert-token feature is:
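
    import json

    from oauth2_provider.settings import oauth2_settings
    from oauth2_provider.views.mixins import OAuthLibMixin
    from rest_framework import permissions, serializers
    from rest_framework.response import Response
    from rest_framework.views import APIView
    from rest_framework_social_oauth2.oauth2_backends import KeepRequestCore
    from rest_framework_social_oauth2.oauth2_endpoints import SocialTokenServer

    # CustomMetaDataMixin, TestAuthorizationCodeFlow, OAuthFacade, testAccountOauth2,
    # PROVIDER_CUSTOM and BACKENDS come from the poster's own project (not shown).


    class TestTokenView(CustomMetaDataMixin, OAuthLibMixin, APIView):
        server_class = SocialTokenServer
        validator_class = oauth2_settings.OAUTH2_VALIDATOR_CLASS
        oauthlib_backend_class = KeepRequestCore
        permission_classes = (permissions.AllowAny,)

        def post(self, request, format=None) -> Response:
            """
            :rtype: json object
            :param request: app request object
            :param format: defaults to None
            :return: Response as Yg account token
            """
            # Exchange the posted auth code for the upstream provider's token.
            test_auth_code = request.POST['test_auth_code']
            test_auth = TestAuthorizationCodeFlow(test_auth_code=test_auth_code)
            query_params, provider_key = test_auth.get_auth_code_from_test_token()
            oauth_facade = OAuthFacade(provider_name=provider_key,
                                       query_params=query_params)
            token = oauth_facade.token_flow()
            # Build a convert-token request around the provider access token.
            test = testAccountOauth2(provider=PROVIDER_CUSTOM)
            request_data = test.convert_token_generator(request=request, token=token['access_token'],
                                                        backend=BACKENDS[provider_key])
            # Delegate to the OAuthLib server configured above to issue the token.
            url, headers, body, status = self.create_token_response(request_data._request)
            if status != 200:
                raise serializers.ValidationError(
                    {"Error": "Error while converting token from service"})
            response = Response(data=json.loads(body), status=status)
            for k, v in headers.items():
                response[k] = v
            return Response({"message": "Token generated.", "data": response.data})
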
Now the line url, headers, body, status = self.create_token_response(request_data._request) gives me issues, as it would internally call the refresh token again and would definitely search for the namespace in my project, which I have commented out from urls to make the urls secure. Is there any way to fake it?
Hi all.
My team and I are constantly using this framework and it seems it has died out there. I contacted the owner by email asking if he would add some of us as maintainers so we could continue to improve it. However, we didn't get a response.
I am publishing the project under my profile and we are going to continue to invest time in it.
So I would like to gently ask you to contribute to this project on: https://github.com/wagnerdelima/drf-social-oauth2
Thank you for understanding.