VYPR
Medium severity (CVSS 5.5) · NVD Advisory · Published Mar 16, 2024 · Updated Apr 15, 2026

CVE-2024-22513


Description

djangorestframework-simplejwt version 5.3.1 and before is vulnerable to information disclosure. A user can still access web application resources after their account has been disabled, because the for_user method performs no validation of the user it is handed (for example, it does not check is_active).

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem  Affected versions  Patched versions
djangorestframework-simplejwt  PyPI       < 5.5.1            5.5.1

Patches (3)
a2d0a0201b61

Update CHANGELOG.md for 5.5.1 (#891)

1 file changed · +32 -0
  • CHANGELOG.md (+32 -0, modified)
    @@ -1,3 +1,35 @@
    +## 5.5.1
    +
    +Missing Migration for rest_framework_simplejwt.token_blacklist app. A previously missing migration (0013_blacklist) has now been added. This issue arose because the migration file was mistakenly not generated earlier. This migration was never part of an official release, but users following the latest master branch may have encountered it.
    +
    +**Notes for Users**
    +If you previously ran makemigrations in production and have a 0013_blacklist migration in your django_migrations table, follow these steps before upgrading:
    +
    +1. Roll back to the last known migration:
    +```bash
    +python manage.py migrate rest_framework_simplejwt.token_blacklist 0012
    +```
    +2. Upgrade djangorestframework-simplejwt to the latest version.
    +3. Apply the migrations correctly:
    +```bash
    +python manage.py migrate
    +```
    +**Important**: If other migrations depend on 0013_blacklist, be cautious when removing it. You may need to adjust or regenerate dependent migrations to ensure database integrity.
    +
    +* fix:  add missing migration for token_blacklist app by @juanbailon in https://github.com/jazzband/djangorestframework-simplejwt/pull/894
    +* :globe_with_meridians: Fix typos and improve clarity in es_AR translations by @fabianfalon in https://github.com/jazzband/djangorestframework-simplejwt/pull/876
    +* docs: Add warning in docs for `for_user` usage by @vgrozdanic in https://github.com/jazzband/djangorestframework-simplejwt/pull/872
    +* feat: log warning if token is being created for inactive user by @vgrozdanic in https://github.com/jazzband/djangorestframework-simplejwt/pull/873
    +* ref: full tracebacks on exceptions by @vgrozdanic in https://github.com/jazzband/djangorestframework-simplejwt/pull/870
    +* #858 New i18n messages by @Cloves23 in https://github.com/jazzband/djangorestframework-simplejwt/pull/879
    +* Repair the type annotations in the TokenViewBase class. by @triplepoint in https://github.com/jazzband/djangorestframework-simplejwt/pull/880
    +* fix: Token.outstand forces users to install blacklist app by @Andrew-Chen-Wang in https://github.com/jazzband/djangorestframework-simplejwt/pull/884
    +* fix: PytestConfigWarning Unknown config option: python_paths by @vgrozdanic in https://github.com/jazzband/djangorestframework-simplejwt/pull/886
    +* fix: Do not copy `iat` claim from refresh token by @vgrozdanic in https://github.com/jazzband/djangorestframework-simplejwt/pull/888
    +* fix:  add missing migration for token_blacklist app by @juanbailon in https://github.com/jazzband/djangorestframework-simplejwt/pull/894
    +* Update Persian translations (fa, fa_IR) for Django application by @mahdirahimi1999 in https://github.com/jazzband/djangorestframework-simplejwt/pull/897
    +* fix: always stringify user_id claim ([#887](https://github.com/jazzband/djangorestframework-simplejwt/pull/897))
    +
     ## 5.5.0
     * Cap PyJWT version to <2.10.0 to avoid incompatibility with subject claim type requirement by @grayver in https://github.com/jazzband/djangorestframework-simplejwt/pull/843
     * Add specific "token expired" exceptions by @vainu-arto in https://github.com/jazzband/djangorestframework-simplejwt/pull/830
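Review bot: the #894 entry ("fix: add missing migration for token_blacklist app") is listed twice in the 5.5.1 block, once as the first bullet and again after #888; drop one copy. The last bullet's link text reads `#887` but its URL is `.../pull/897`, which is the Persian-translations PR on the line above, so the URL looks stale and should be checked against the actual stringify PR. Since this release carries the inactive-user changes (#872, #873) that address the advisory, the 5.5.1 heading would benefit from a one-line note saying so.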
    
14e8b2cf5fa0

feat: log warning if token is being created for inactive user (#873)

2 files changed · +10 -0
  • rest_framework_simplejwt/tokens.py (+7 -0, modified)
    @@ -23,6 +23,7 @@
         datetime_to_epoch,
         format_lazy,
         get_md5_hash_password,
    +    logger,
     )
     
     if TYPE_CHECKING:
    @@ -235,6 +236,12 @@ def for_user(cls: type[T], user: AuthUser) -> T:
             Returns an authorization token for the given user that will be provided
             after authenticating the user's credentials.
             """
    +
    +        if hasattr(user, "is_active") and not user.is_active:
    +            logger.warning(
    +                f"Creating token for inactive user: {user.id}. If this is not intentional, consider checking the user's status before calling the `for_user` method."
    +            )
    +
             user_id = getattr(user, api_settings.USER_ID_FIELD)
             if not isinstance(user_id, int):
                 user_id = str(user_id)
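Review bot: the warning interpolates `user.id`, but the identifier the token actually carries is `getattr(user, api_settings.USER_ID_FIELD)`, computed two lines below; on projects with a non-default `USER_ID_FIELD` the log names a different value than the claim. Move the `user_id` lookup above the check and log that value, and pass it as a logging argument (`logger.warning("Creating token for inactive user: %s ...", user_id)`) instead of an eagerly built f-string. Note that this hunk only logs: the token is still issued for the inactive user, so callers must still perform the check themselves, as the companion docs change says.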
    
  • rest_framework_simplejwt/utils.py (+3 -0, modified)
    @@ -1,4 +1,5 @@
     import hashlib
    +import logging
     from calendar import timegm
     from datetime import datetime, timezone
     from typing import Callable
    @@ -46,3 +47,5 @@ def format_lazy(s: str, *args, **kwargs) -> str:
     
     
     format_lazy: Callable = lazy(format_lazy, str)
    +
    +logger = logging.getLogger("rest_framework_simplejwt")
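Review bot: `logger` is defined at the very end of the module, separated from the `import logging` added at the top; placing `logger = logging.getLogger("rest_framework_simplejwt")` next to the imports keeps module-level setup together. Using a fixed package name rather than `__name__` is reasonable since tokens.py imports this object, but a short comment saying it is the package-wide logger would make that intent clear.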
    
1ad763bfe739

docs: Add warning in docs for `for_user` usage (#872)

1 file changed · +8 -0
  • docs/creating_tokens_manually.rst (+8 -0, modified)
    @@ -6,11 +6,19 @@ Creating tokens manually
     Sometimes, you may wish to manually create a token for a user.  This could be
     done as follows:
     
    +.. warning::
    +    The ``for_user`` method does not check if the user is active. If you need to verify the user's status,
    +    this check needs to be done before creating the tokens.
    +
     .. code-block:: python
     
       from rest_framework_simplejwt.tokens import RefreshToken
    +  from rest_framework_simplejwt.exceptions import AuthenticationFailed
     
       def get_tokens_for_user(user):
    +      if not user.is_active:
    +        raise AuthenticationFailed("User is not active")
    +
           refresh = RefreshToken.for_user(user)
     
           return {
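Review bot: the example's `if not user.is_active:` raises AttributeError on custom user models without an `is_active` field, whereas the tokens.py change guards with `hasattr(user, "is_active")`; the documented snippet should match, e.g. `if not getattr(user, "is_active", True):`. The admonition itself is clear; it could also mention that, as of this release, `for_user` logs a warning when it is called for an inactive user (#873), so operators have a signal when a caller forgets the check.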
    

