smartfile · willstott101 · Nov 4, 2021 · Nov 5, 2021
diff --git a/django_session_jwt/middleware/session.py b/django_session_jwt/middleware/session.py
@@ -172,7 +172,7 @@ def process_request(self, request):
             request.session['jwt'] = fields
 
     def process_response(self, request, response):
-        if not request.user.is_authenticated:
+        if not hasattr(request, 'user') or not request.user.is_authenticated:
             # The user is unauthenticated. Try to determine the user by the
             # session JWT
             User = get_user_model()

diff --git a/django_session_jwt/settings.py b/django_session_jwt/settings.py
@@ -75,8 +75,9 @@
 )
 
 MIDDLEWARE = (
-    'django.middleware.common.CommonMiddleware',
     'django_session_jwt.middleware.SessionMiddleware',
+    # MiddlewareFailTestCase relies on this ordering.
+    'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',

diff --git a/django_session_jwt/tests.py b/django_session_jwt/tests.py
@@ -133,6 +133,16 @@ def test_unauthenicated_view(self):
                 r.cookies.get(settings.SESSION_COOKIE_NAME).value)
         self.assertNotEqual(jwt1['iat'], jwt2['iat'])
 
+    def test_middleware_early_return(self):
+        """
+        By passing an incorrect HOST, CommonMiddleware returns early before
+        AuthenticationMiddleware is reached. We test this to ensure we don't error in
+        process_response, and end up hiding the real error with a HTTP 500
+        """
+        response = self.client.post('/login/', {'username': 'john', 'password': 'password'},
+            HTTP_HOST="blahblah.com")
+        self.assertEqual(response.status_code, 400)
+
 
 class TestClientTestCase(BaseTestCase):
     def test_login(self):