"Token contained no recognizable user identification" when refreshing access token

i have the following setup for logging user in and giving out the access and refresh token, refresh token is set in cookies and the access_token is just handed out in json

# login_views
class UserLoginAPIView(APIView):
    class UserLoginInputSerializer(serializers.Serializer):
        username_or_email = serializers.CharField(write_only=True)
        password = serializers.CharField(write_only=True)

    class UserLoginOutputSerializer(serializers.Serializer):
        username = serializers.CharField(read_only=True)
        user_email = serializers.EmailField(read_only=True)
        full_name = serializers.CharField(read_only=True)
        is_verified = serializers.BooleanField(read_only=True)
        verification_required = serializers.BooleanField(read_only=True)
        user_type = serializers.ListField(child=serializers.CharField(), read_only=True)
        staff = serializers.BooleanField(read_only=True)
        superuser = serializers.BooleanField(read_only=True)
        access_token = serializers.CharField(read_only=True)

    def post(self, request, *args, **kwargs):
        input_serializer = self.UserLoginInputSerializer(data=request.data)
        input_serializer.is_valid(raise_exception=True)

        try:
            login_details, refresh_token = user_login(
                **input_serializer.validated_data
            )
        except DjangoValidationError as e:
            return Response(
                {
                    "success": False,
                    "message": e.message,
                },
                status=status.HTTP_401_UNAUTHORIZED,
            )
        except ValidationError as e:
            return Response(
                {
                    "success": False,
                    "message": e.detail[0],
                },
                status=status.HTTP_401_UNAUTHORIZED,
            )
        except Exception as e:
            return Response(
                {
                    "success": False,
                    "message": str(e),
                },
                status=status.HTTP_400_BAD_REQUEST,
            )
        output_serializer = self.UserLoginOutputSerializer(login_details)
        response = Response(
            {
                "success": True,
                "message": "User log in successful.",
                "data": output_serializer.data,
            },
            status=status.HTTP_200_OK,
        )
        response.set_cookie(
            "refresh_token",
            refresh_token,
            max_age=settings.REFRESH_COOKIE_MAX_AGE,
            httponly=True,
            samesite="none",
            secure=False,
        )

        return response


def user_login(*, username_or_email: str, password: str) -> tuple:
    """
    Verifies user's credentials & returns access token & refresh token.
    """

    @dataclass(frozen=True)
    class UserLoginDetails:
        user_type: List[str]
        username: str
        user_email: str
        full_name: str
        is_verified: bool
        access_token: str
        staff: bool
        superuser: bool
    
    credential_type = identify_email_or_username(credential=username_or_email)
    if credential_type == "email":
        user = user_get_from_email(email=username_or_email.lower())
    else:
        user = user_get_from_username(username=username_or_email.lower())

    if user is None:
        logger.warning(f"User with the given credentials does not exist.")
        raise ValidationError(detail=_("Invalid credentials."))

    if not user.check_password(password):
        logger.warning(f"User with the given credentials does not exist.")
        raise ValidationError(detail=_("Invalid credentials."))

    username = user.username
    user_email = user.email
    full_name = user.full_name
    is_verified = user.is_verified
    user_type = get_user_roles_by_user(user=user)
    staff = user.is_staff
    superuser = user.is_superuser

    print(user_type)

    token = RefreshToken.for_user(user)
    access_token = str(token.access_token)
    refresh_token = str(token)

    user_login_details = UserLoginDetails(
        user_type, username, user_email, full_name, is_verified, access_token, staff, superuser
    )

    return user_login_details, refresh_token

and i have the following views to rotate the access token, when it expires

class RotateAccessTokenAPIView(APIView):
    def post(self, request, *args, **kwargs):
        try:
            token = RefreshToken(request.COOKIES.get('refresh_token'))
            new_access_token = str(token.access_token)
            response = Response(
                {
                    "success": True,
                    "message": "Access token refreshed successfully.",
                    "data": {
                        "access_token": new_access_token,
                    },
                },
                status=status.HTTP_200_OK,
            )
            return response
        except TokenError as e:
            return Response(
                {
                    "success": False,
                    "message": "Invalid refresh token.",
                },
                status=status.HTTP_401_UNAUTHORIZED,
            )
        except Exception as e:
            return Response(
                {
                    "success": False,
                    "message": str(e),
                },
                status=status.HTTP_400_BAD_REQUEST,
            )

but when the token is refreshed and the new access token is set in the authorization header and then the request is sent to other protected api routes, it goes on to say:

{
    "detail": "Token contained no recognizable user identification",
    "code": "token_not_valid"
}

what am i missing here?

Вернуться на верх