Merge pull request #378 from naviens/develop

giovannicimolin · web-flow · commit 20ca95a69aa4 · 2025-04-25T17:55:20.000+09:00
Fix for n+1 query on AuthToken.user
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 5.0.3
+- Fix for Potential n+1 query detected on AuthToken.user
+
 ## 5.0.2
 - Implement AUTO_REFRESH_MAX_TTL to limit total token lifetime when AUTO_REFRESH = True
 
diff --git a/knox/auth.py b/knox/auth.py
@@ -60,7 +60,7 @@ def authenticate_credentials(self, token):
         msg = _('Invalid token.')
         token = token.decode("utf-8")
         for auth_token in get_token_model().objects.filter(
-                token_key=token[:CONSTANTS.TOKEN_KEY_LENGTH]):
+                token_key=token[:CONSTANTS.TOKEN_KEY_LENGTH]).select_related('user'):
             if self._cleanup_token(auth_token):
                 continue
 
diff --git a/tests/test_views.py b/tests/test_views.py
@@ -229,6 +229,19 @@ def test_update_token_key(self):
             auth_token.token_key,
         )
 
+    def test_token_auth_n_plus_one(self):
+        self.assertEqual(AuthToken.objects.count(), 0)
+        _, token = AuthToken.objects.create(self.user)
+        rf = APIRequestFactory()
+        request = rf.get('/')
+        request.META = {'HTTP_AUTHORIZATION': f'Token {token}'}
+        with self.assertNumQueries(2):
+            (self.user, auth_token) = TokenAuthentication().authenticate(request)
+            self.assertEqual(
+                token[:CONSTANTS.TOKEN_KEY_LENGTH],
+                auth_token.token_key,
+            )
+
     def test_authorization_header_empty(self):
         rf = APIRequestFactory()
         request = rf.get('/')
