From 01770c49bd7b2c83abef1db7142cdcdfe08b7d23 Mon Sep 17 00:00:00 2001
From: Troy Sankey
Date: Mon, 14 Jul 2025 14:32:54 -0700
Subject: [PATCH] fix: Unauthenticated BFF endpoints should still check logged-in JWT tokens
---
 enterprise_access/apps/api/v1/views/bffs/common.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/enterprise_access/apps/api/v1/views/bffs/common.py b/enterprise_access/apps/api/v1/views/bffs/common.py
index f705683a4..0cb1b428a 100644
--- a/enterprise_access/apps/api/v1/views/bffs/common.py
+++ b/enterprise_access/apps/api/v1/views/bffs/common.py
@@ -3,14 +3,13 @@
 """
 import logging
 from collections import OrderedDict
-from datetime import datetime
 from django.utils import timezone
 from drf_spectacular.utils import OpenApiParameter, OpenApiTypes, extend_schema
 from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from rest_framework import status
 from rest_framework.decorators import action
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import AllowAny, IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.throttling import AnonRateThrottle
 from rest_framework.viewsets import ViewSet
@@ -213,8 +212,8 @@ class BaseUnauthenticatedBFFViewSet(BaseBFFViewSetMixin, ViewSet):
 Uses BaseHandlerContext which doesn't store customer or user data.
 """
- authentication_classes = []
- permission_classes = []
+ authentication_classes = [JwtAuthentication]
+ permission_classes = [IsAuthenticated | AllowAny]
 throttle_classes = [BFFAnonRateThrottle]
 def load_route_data_and_build_response(self, request, handler_class, response_builder_class):
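Review bot: `permission_classes = [IsAuthenticated | AllowAny]` in the BaseUnauthenticatedBFFViewSet hunk is equivalent to `[AllowAny]` — DRF's OR composition returns True as soon as AllowAny does, so IsAuthenticated is never consulted and the expression reads as if it enforces a check it does not. The behaviour the commit title describes comes entirely from `authentication_classes = [JwtAuthentication]`: a JWT that is presented is now validated (so an invalid or expired token gets a 401 instead of being silently ignored) and `request.user` is populated when it is valid, while a request with no token presumably still passes as anonymous, assuming JwtAuthentication returns None for absent credentials as DRF authenticators conventionally do. I would write `permission_classes = [AllowAny]  # JwtAuthentication still runs: a present-but-invalid token is rejected, no token means anonymous access` so the intent is stated rather than implied. One side effect worth confirming: if BFFAnonRateThrottle derives from the imported AnonRateThrottle, callers that now authenticate via JWT get no throttle cache key and so bypass the anonymous rate limit that previously applied to every caller of these endpoints. The class body continues past the hunk.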