Merge branch 'fix_auth' of github.com:bellini666/django-ninja into bellini666-fix_auth

vitalik · vitalik · commit 19dd8486a48b · 2025-08-10T16:00:41.000+03:00
diff --git a/ninja/operation.py b/ninja/operation.py
@@ -15,7 +15,7 @@
 )
 
 import pydantic
-from asgiref.sync import async_to_sync
+from asgiref.sync import async_to_sync, sync_to_async
 from django.http import HttpRequest, HttpResponse, HttpResponseNotAllowed
 from django.http.response import HttpResponseBase
 
@@ -387,7 +387,7 @@ async def _run_authentication(self, request: HttpRequest) -> Optional[HttpRespon
                     else:
                         result = await cor
                 else:
-                    result = callback(request)
+                    result = await sync_to_async(callback)(request)
             except Exception as exc:
                 return self.api.on_exception(request, exc)
 
@@ -501,8 +501,6 @@ def _sync_view(self, request: HttpRequest, *a: Any, **kw: Any) -> HttpResponseBa
     async def _async_view(
         self, request: HttpRequest, *a: Any, **kw: Any
     ) -> HttpResponseBase:
-        from asgiref.sync import sync_to_async
-
         operation = self._find_operation(request)
         if operation is None:
             return self._not_allowed()
diff --git a/tests/test_auth.py b/tests/test_auth.py
@@ -1,6 +1,7 @@
 from unittest.mock import Mock
 
 import pytest
+from django.utils.asyncio import async_unsafe
 
 from ninja import NinjaAPI
 from ninja.errors import AuthorizationError, ConfigError
@@ -16,6 +17,7 @@
 )
 from ninja.security.base import AuthBase
 from ninja.testing import TestClient
+from ninja.testing.client import TestAsyncClient
 
 
 def callable_auth(request):
@@ -315,3 +317,46 @@ class MyAuth2(AuthBase):
 
     with pytest.raises(TypeError):
         HttpBasicAuth()(request)
+
+
+@pytest.mark.asyncio
+async def test_async_auth():
+    _sync_auth_called = False
+    _async_auth_called = False
+    _async_unsafe_func_called = False
+
+    # This is the same decorator Django uses to mark its ORM functions as async unsafe,
+    # which in turns raises a `SynchronousOnlyOperation` error if called
+    # without `sync_to_async`.
+    @async_unsafe("called without sync_to_async")
+    def async_unsafe_function():
+        nonlocal _async_unsafe_func_called
+        _async_unsafe_func_called = True
+
+    class AsyncAuth(APIKeyQuery):
+        async def authenticate(self, request, key):
+            nonlocal _async_auth_called
+            _async_auth_called = True
+            return False
+
+    class SyncAuth(APIKeyQuery):
+        def authenticate(self, request, key):
+            async_unsafe_function()
+            nonlocal _sync_auth_called
+            _sync_auth_called = True
+            return True
+
+    async def handle_request(request):
+        return {"ok": True}
+
+    api = NinjaAPI(csrf=True)
+    api.get("/foobar", auth=[AsyncAuth(), SyncAuth()])(handle_request)
+
+    client = TestAsyncClient(api)
+    response = await client.get("/foobar")
+    assert response.status_code == 200
+    assert response.json() == {"ok": True}
+
+    assert _sync_auth_called is True
+    assert _async_auth_called is True
+    assert _async_unsafe_func_called is True
