jazzband · pchiquet · May 2, 2024 · May 2, 2024 · May 2, 2024 · Jun 26, 2024
diff --git a/rest_framework_simplejwt/serializers.py b/rest_framework_simplejwt/serializers.py
@@ -63,7 +63,7 @@ def validate(self, attrs: Dict[str, Any]) -> Dict[Any, Any]:
 
     @classmethod
     def get_token(cls, user: AuthUser) -> Token:
-        return cls.token_class.for_user(user)  # type: ignore
+        return cls.token_class.for_validated_user(user)  # type: ignore
 
 
 class TokenObtainPairSerializer(TokenObtainSerializer):

diff --git a/rest_framework_simplejwt/tokens.py b/rest_framework_simplejwt/tokens.py
@@ -202,6 +202,20 @@ def for_user(cls: Type[T], user: AuthUser) -> T:
         Returns an authorization token for the given user that will be provided
         after authenticating the user's credentials.
         """
+        # Prevent incorrect usage of Token.for_user (when creating tokens manually)
+        # see https://github.com/jazzband/djangorestframework-simplejwt/issues/779
+        if not api_settings.USER_AUTHENTICATION_RULE(user):
+            raise TokenError(_("Token is invalid or expired"))
+        return cls.for_validated_user(user)
+
+    @classmethod
+    def for_validated_user(cls: Type[T], user: AuthUser) -> T:
+        """
+        Returns an authorization token for the given user.
+
+        This DOES NOT check if the provided user validates the ``USER_AUTHENTICATION_RULE``.
+        Use :meth:`for_user` to have the user validated.
+        """
         user_id = getattr(user, api_settings.USER_ID_FIELD)
         if not isinstance(user_id, int):
             user_id = str(user_id)
@@ -278,11 +292,11 @@ def blacklist(self) -> BlacklistedToken:
             return BlacklistedToken.objects.get_or_create(token=token)
 
         @classmethod
-        def for_user(cls: Type[T], user: AuthUser) -> T:
+        def for_validated_user(cls: Type[T], user: AuthUser) -> T:
             """
             Adds this token to the outstanding token list.
             """
-            token = super().for_user(user)  # type: ignore
+            token = super().for_validated_user(user)  # type: ignore
 
             jti = token[api_settings.JTI_CLAIM]
             exp = token["exp"]

diff --git a/tests/test_tokens.py b/tests/test_tokens.py
@@ -390,6 +390,15 @@ def test_for_user_with_username(self):
         token = MyToken.for_user(self.user)
         self.assertEqual(token[api_settings.USER_ID_CLAIM], self.username)
 
+    def test_for_user_fails_if_is_active_false(self):
+        # works with is_active=True
+        token = MyToken.for_user(self.user)
+
+        # fails with is_active=False
+        self.user.is_active = False
+        with self.assertRaises(TokenError):
+            token = MyToken.for_user(self.user)
+
     @override_api_settings(CHECK_REVOKE_TOKEN=True)
     def test_revoke_token_claim_included_in_authorization_token(self):
         token = MyToken.for_user(self.user)