Merge pull request #318 from morty/280-count-non-expiring-tokens

Count non expiring tokens when determining if the limit is reached
jazzband · Oct 2, 2024 · bd1d062 · bd1d062
2 parents 7f35152 + 36a07e7
commit bd1d062
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/knox/views.py b/knox/views.py
@@ -1,4 +1,5 @@
 from django.contrib.auth.signals import user_logged_in, user_logged_out
+from django.db.models import Q
 from django.utils import timezone
 from rest_framework import status
 from rest_framework.permissions import IsAuthenticated
@@ -66,7 +67,9 @@ def post(self, request, format=None):
         token_limit_per_user = self.get_token_limit_per_user()
         if token_limit_per_user is not None:
             now = timezone.now()
-            token = request.user.auth_token_set.filter(expiry__gt=now)
+            token = request.user.auth_token_set.filter(
+                Q(expiry__gt=now) | Q(expiry__isnull=True)
+            )
             if token.count() >= token_limit_per_user:
                 return Response(
                     {"error": "Maximum amount of tokens allowed per user exceeded."},

diff --git a/tests/tests.py b/tests/tests.py
@@ -372,8 +372,10 @@ def test_exceed_token_amount_per_user(self):
 
         with override_settings(REST_KNOX=token_user_limit_knox):
             reload(views)
-            for _ in range(10):
+            for _ in range(5):
                 AuthToken.objects.create(user=self.user)
+            for _ in range(5):
+                AuthToken.objects.create(user=self.user, expiry=None)
             url = reverse('knox_login')
             self.client.credentials(
                 HTTP_AUTHORIZATION=get_basic_auth_header(self.username, self.password)