Django API quickstart uses unmaintained package

[jlucas91]

Description

The Django API quickstart guide uses a package that's been unmaintained for two years. This was a pretty unpleasant surprise to find after implementing an initial Auth0 integration.

Reproduction

https://auth0.com/docs/quickstart/backend/django/01-authorization . drf-jwt is unmaintained and has been for two years.

See: jpadilla/django-rest-framework-jwt#484

Environment

N/A

[jlucas91]

Further - as far as I can tell the recommendation to add the RemoteUserMiddleware has no effect. The RemoteUserMiddleware looks for a REMOTE_USER header - which is almost certainly not set by the application making the request.

The actual change that matters here is the RemoteUserBackend addition. That, in combination with the authenticate() call in jwt_get_username_from_payload_handler, creates/logs in the user based solely on username.

[ElRoberto538]

The current version of drf-jwt on PyPi is maintained, and the latest release was only a couple of months ago. It has been forked from the Repo you listed. https://pypi.org/project/drf-jwt/.