Fix MRO to return 405 for unsupported methods

[dhruvkb]

Fixes

Fixes #2374 by @krysal

Description

This PR fixes the method resolution order of the token APIView so that the exception handler will be invoked and a 405 Method Not Allowed response will be sent. When the MRO is incorrect the exception is not handled and results in a 500 Internal Server Error.

Testing Instructions

0. Check out the PR and run the dev server.
1. Make a GET request to the /v1/auth_tokens/token/ endpoint.
2. Receive a 405 response.

Checklist

• My pull request has a descriptive title (not a vague title likeUpdate index.md).
• My pull request targets the default branch of the repository (main) or a parent feature branch.
• My commit messages follow best practices.
• My code follows the established code style of the repository.
• I added or updated tests for the changes I made (if applicable).
• I added or updated documentation (if applicable).
• I tried running the project locally and verified that there are no visible errors.
• I ran the DAG documentation generator (if applicable).

Developer Certificate of Origin

Developer Certificate of Origin

Developer Certificate of Origin
Version 1.1

Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
1 Letterman Drive
Suite D4700
San Francisco, CA, 94129

Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.


Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

[krysal]

Great find @dhruvkb! Tested manually and it returns the error message correctly. Could you add an automated test for when the HTTP method is different from POST? It may go in tests/test_auth.py.

[sarayourfriend]

Just one small request to remove some unnecessary (at least I think, could be wrong) JSON parsing. Krystle's change to the unit test is also critical too 🙂

Otherwise LGTM!

[sarayourfriend]

Is it necessary to json.loads the content? Would something like this work without the need for that?

Suggested change

	data = json.loads(res.content)
	return Response(data, status=res.status_code)
	data = json.loads(res.content)
	return HttpResponse(content=res.content, content_type="application/json", status=res.status_code)

HttpResponse is the more low-level version from django.http that allows you to bypass the DRF Response data parsing. Doing json.loads and then passing it directly to Response means we're unnecessary marshalling the JSON string to Python and then immediately back to a string.

[sarayourfriend]

Although, more general question: why is it necessary to do anything manual here at all, other than just return res like we used to? Does APIView complain about not receiving the right type of response object or something?

[dhruvkb]

Using the Response class simply provides a nicer interface for returning content-negotiated Web API responses, that can be rendered to multiple formats.
— DRF docs

We can use HttpResponse for sure, but sending DRF's Response is more consistent and it renders the DRF API UI in the browser like our other endpoints.

I agree that it's one more step of JSON parsing followed by serialization but DRF doesn't allow any other way to set data where the content_type can be negotiated automatically.

[sarayourfriend]

We can use HttpResponse for sure, but sending DRF's Response is more consistent and it renders the DRF API UI in the browser like our other endpoints.

Ahh, interesting, I didn't realise that was a side effect. For this view, it doesn't seem like a tragic loss, though? It's not exactly a "browseable" response 🤔 At least not any less so if your browser just renders a nice JSON explorer (Firefox does this, not sure of others).

I also don't think we want to support anyone using this view over anything than JSON anyway, but I guess Response handles it regardless so 🤷 I would personally use HttpResponse but if you prefer to keep it, all good with me as well 👍

[krysal]

Excellent! Thank you, @dhruvkb.