feat: [FC-0031] Add Bearer Authentication to Delete Account view

openedx/core/djangoapps/user_api/accounts/tests/test_retirement_views.py

@@ -74,6 +74,7 @@
 from openedx.core.djangolib.testing.utils import skip_unless_lms
 from xmodule.modulestore.tests.django_utils import ModuleStoreTestCase  # lint-amnesty, pylint: disable=wrong-import-order
 from xmodule.modulestore.tests.factories import CourseFactory  # lint-amnesty, pylint: disable=wrong-import-order
+from openedx.core.djangoapps.oauth_dispatch.tests.factories import ApplicationFactory, AccessTokenFactory
 
 from ...tests.factories import UserOrgTagFactory
 from ..views import USER_PROFILE_PII, AccountRetirementView
@@ -263,6 +264,22 @@ def test_called_twice(self):
         response = self.client.post(self.url, self.build_post(self.test_password), **headers)
         assert response.status_code == status.HTTP_403_FORBIDDEN
 
+    def test_bearer_auth(self):
+        """
+        Test the account deactivation/logout endpoint using Bearer auth
+        """
+        # testing with broken token
+        headers = {'HTTP_AUTHORIZATION': 'Bearer broken_token'}
+        response = self.client.post(self.url, self.build_post(self.test_password), **headers)
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+        # testing with correct token
+        access_token = AccessTokenFactory(user=self.test_user,
+                                          application=ApplicationFactory(name="test_bearer",
+                                                                         user=self.test_user)).token
+        headers = {'HTTP_AUTHORIZATION': f'Bearer {access_token}'}
+        response = self.client.post(self.url, self.build_post(self.test_password), **headers)
+        assert response.status_code == status.HTTP_204_NO_CONTENT
+
 
 @skip_unless_lms
 class TestPartnerReportingCleanup(ModuleStoreTestCase):

openedx/core/djangoapps/user_api/accounts/views.py

@@ -21,6 +21,7 @@
 from edx_ace import ace
 from edx_ace.recipient import Recipient
 from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
+from openedx.core.lib.api.authentication import BearerAuthentication
 from edx_rest_framework_extensions.auth.session.authentication import SessionAuthenticationAllowInactiveUser
 from enterprise.models import EnterpriseCourseEnrollment, EnterpriseCustomerUser, PendingEnterpriseCustomerUser
 from integrated_channels.degreed.models import DegreedLearnerDataTransmissionAudit
@@ -567,7 +568,10 @@ class DeactivateLogoutView(APIView):
     -  Log the user out
     - Create a row in the retirement table for that user
     """
-    authentication_classes = (JwtAuthentication, SessionAuthentication,)
+    # BearerAuthentication is added here to support account deletion
+    # from the mobile app until it moves to JWT Auth.
+    # See mobile roadmap issue https://github.com/openedx/edx-platform/issues/33307.
+    authentication_classes = (JwtAuthentication, SessionAuthentication, BearerAuthentication)
     permission_classes = (permissions.IsAuthenticated,)
 
     def post(self, request):