Skip to content

Fix OpenAPI schema for TokenObtainPairView #954

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Shrikantgiri25 wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix OpenAPI schema for TokenObtainPairView #954

Shrikantgiri25 wants to merge 2 commits into from
+47 −0

Conversation

@Shrikantgiri25
Copy link

@Shrikantgiri25 Shrikantgiri25 commented Dec 6, 2025
edited
Loading

Problem

The OpenAPI / schema generated for TokenObtainPairView can be misleading.

TokenObtainPairSerializer dynamically adds the access and refresh
fields during validate(), but those fields are not declared on the serializer
itself. Schema generators that rely on serializer field introspection (for
example, drf-yasg or DRF core schema generation) may therefore produce an
incomplete or incorrect response schema.

In practice, the token obtain endpoint returns a JSON response containing both
tokens::

{
"access": "",
"refresh": ""
}

However, this response shape is not always reflected in the generated schema.

This issue has been reported previously:

Solution

Explicitly declare the access and refresh fields on
TokenObtainPairSerializer as read-only serializer fields.

These values are already returned by the serializer at runtime; this change
simply makes the serializer definition accurately reflect the real response
payload for schema generation purposes.

Why this change is safe

  • No change to runtime behavior
  • No change to token generation logic
  • Fully backward compatible
  • Minimal and non-invasive diff
  • Improves OpenAPI / schema accuracy for downstream tooling

Tests

A test was added to ensure that:

  • access and refresh fields exist on the serializer
  • Both fields are marked as read_only=True
  • Runtime validation and token issuance continue to behave as expected

This helps prevent regressions and ensures the serializer remains compatible
with schema generators.

Example schema output (after change)

Example OpenAPI schema generated after this change (drf-yasg / DRF schema)::


  openapi: 3.0.2
  paths:
    /api/token/:
      post:
        responses:
          '200':
            content:
              application/json:
                schema:
                  $ref: '#/components/schemas/TokenObtainPair'

  components:
    schemas:
      TokenObtainPair:
        type: object
        properties:
          refresh:
            type: string
            readOnly: true
          access:
            type: string
            readOnly: true
          username:
            type: string
            writeOnly: true
          password:
            type: string
            writeOnly: true
        required:
        - username
        - password

Summary

This change aligns the TokenObtainPairSerializer definition with its actual
response payload, improving schema correctness while keeping runtime behavior
unchanged.

@Shrikantgiri25 Shrikantgiri25 force-pushed the fix/token-obtain-serializer-bug branch 2 times, most recently from f33a5c8 to 99db04c Compare December 6, 2025 18:43
Shrikantgiri25 and others added 2 commits December 7, 2025 11:21
@Shrikantgiri25
Fix TokenObtainPairSerializer to declare access and refresh fields fo…
75ca9ba 
…r schema accuracy

Explicitly declare 'access' and 'refresh' as read-only fields so schema
generators correctly reflect the actual response payload.
@pre-commit-ci @Shrikantgiri25
Fix TokenObtainPairSerializer to declare access and refresh fields fo…
f0d2c4f 
…r schema accuracy

- Explicitly declare 'access' and 'refresh' fields as read-only
- Ensures schema generators (drf-yasg, DRF core) reflect the actual response
- No runtime behavior change
@Shrikantgiri25 Shrikantgiri25 force-pushed the fix/token-obtain-serializer-bug branch from 99db04c to f0d2c4f Compare December 7, 2025 05:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Shrikantgiri25