fix: allow jwt/session user mismatch

edx · Apr 15, 2024 · 42a7189 · 42a7189
1 parent 3180e3f
commit 42a7189
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 26 deletions.
diff --git a/edx_exams/apps/core/middleware.py b/edx_exams/apps/core/middleware.py
diff --git a/edx_exams/settings/base.py b/edx_exams/settings/base.py
@@ -64,8 +64,6 @@ def root(*path_fragments):
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.locale.LocaleMiddleware',
     'django.middleware.common.CommonMiddleware',
-    # Forces JWT auth if edx JWT cookie exists
-    'edx_exams.apps.core.middleware.ForceJWTAuthMiddleware',
     'edx_rest_framework_extensions.auth.jwt.middleware.JwtAuthCookieMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
@@ -253,6 +251,11 @@ def root(*path_fragments):
 }
 
 # Carry fields from the JWT token and LMS user into the local user
+# Note: ENABLE_SET_REQUEST_USER_FOR_JWT_COOKIE applies a fix for 
+# https://github.com/jpadilla/django-rest-framework-jwt/issues/45
+# However, we cannot use it in this service since the session user may
+# differ from the JWT user when performing LTI launches with multiple accounts
+# in the same browser.
 EDX_DRF_EXTENSIONS = {
     "JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING": {
         "administrator": "is_staff",
@@ -261,7 +264,7 @@ def root(*path_fragments):
         "user_id": "lms_user_id",
     },
     "OAUTH2_USER_INFO_URL": "http://127.0.0.1:8000/oauth2/user_info",
-    "ENABLE_SET_REQUEST_USER_FOR_JWT_COOKIE": True,
+    "ENABLE_SET_REQUEST_USER_FOR_JWT_COOKIE": False,
 }
 
 # Request the user's permissions in the ID token