django-rest-framework/rest_framework/authentication.py

182 lines
5.8 KiB
Python
Raw Permalink Normal View History

"""
2013-04-25 15:47:34 +04:00
Provides various authentication policies.
"""
2013-02-01 18:03:28 +04:00
from __future__ import unicode_literals
import base64
from django.contrib.auth import authenticate
2013-09-25 13:30:04 +04:00
from django.middleware.csrf import CsrfViewMiddleware
from django.utils.translation import ugettext_lazy as _
2013-02-01 18:03:28 +04:00
from rest_framework import exceptions, HTTP_HEADER_ENCODING
from rest_framework.authtoken.models import Token
2013-03-09 00:23:11 +04:00
def get_authorization_header(request):
"""
Return request's 'Authorization:' header, as a bytestring.
Hide some test client ickyness where the header can be unicode.
"""
auth = request.META.get('HTTP_AUTHORIZATION', b'')
2014-08-19 16:28:07 +04:00
if isinstance(auth, type('')):
2013-03-09 00:23:11 +04:00
# Work around django test client oddness
auth = auth.encode(HTTP_HEADER_ENCODING)
return auth
class CSRFCheck(CsrfViewMiddleware):
def _reject(self, request, reason):
# Return the failure reason instead of an HttpResponse
return reason
class BaseAuthentication(object):
"""
All authentication classes should extend BaseAuthentication.
"""
def authenticate(self, request):
"""
2012-10-15 16:27:50 +04:00
Authenticate the request and return a two-tuple of (user, token).
"""
2012-10-15 16:27:50 +04:00
raise NotImplementedError(".authenticate() must be overridden.")
2012-10-17 17:59:53 +04:00
def authenticate_header(self, request):
"""
Return a string to be used as the value of the `WWW-Authenticate`
header in a `401 Unauthenticated` response, or `None` if the
authentication scheme should return `403 Permission Denied` responses.
"""
pass
class BasicAuthentication(BaseAuthentication):
"""
2012-10-15 16:27:50 +04:00
HTTP Basic authentication against username/password.
"""
2012-11-13 15:27:09 +04:00
www_authenticate_realm = 'api'
def authenticate(self, request):
"""
Returns a `User` if a correct username and password have been supplied
using HTTP Basic authentication. Otherwise returns `None`.
"""
2013-03-09 00:23:11 +04:00
auth = get_authorization_header(request).split()
2012-11-13 15:27:09 +04:00
2013-02-01 18:03:28 +04:00
if not auth or auth[0].lower() != b'basic':
2012-11-13 15:27:09 +04:00
return None
2013-03-09 00:23:11 +04:00
if len(auth) == 1:
msg = _('Invalid basic header. No credentials provided.')
2013-03-09 02:56:24 +04:00
raise exceptions.AuthenticationFailed(msg)
elif len(auth) > 2:
msg = _('Invalid basic header. Credentials string should not contain spaces.')
2013-03-09 00:23:11 +04:00
raise exceptions.AuthenticationFailed(msg)
2012-11-13 15:27:09 +04:00
try:
2013-02-01 18:03:28 +04:00
auth_parts = base64.b64decode(auth[1]).decode(HTTP_HEADER_ENCODING).partition(':')
except (TypeError, UnicodeDecodeError):
msg = _('Invalid basic header. Credentials not correctly base64 encoded.')
2013-03-09 00:23:11 +04:00
raise exceptions.AuthenticationFailed(msg)
2012-11-13 15:27:09 +04:00
2013-03-07 13:01:53 +04:00
userid, password = auth_parts[0], auth_parts[2]
2012-11-13 15:27:09 +04:00
return self.authenticate_credentials(userid, password)
def authenticate_credentials(self, userid, password):
"""
Authenticate the userid and password against username and password.
"""
user = authenticate(username=userid, password=password)
if user is None:
raise exceptions.AuthenticationFailed(_('Invalid username/password.'))
if not user.is_active:
raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))
2013-03-09 00:23:11 +04:00
return (user, None)
2012-11-13 15:27:09 +04:00
2013-01-22 01:29:49 +04:00
def authenticate_header(self, request):
2012-11-13 15:27:09 +04:00
return 'Basic realm="%s"' % self.www_authenticate_realm
class SessionAuthentication(BaseAuthentication):
"""
Use Django's session framework for authentication.
"""
def authenticate(self, request):
"""
2012-10-15 16:27:50 +04:00
Returns a `User` if the request session currently has a logged in user.
Otherwise returns `None`.
"""
2012-10-10 19:36:25 +04:00
# Get the underlying HttpRequest object
2013-06-30 00:34:47 +04:00
request = request._request
user = getattr(request, 'user', None)
# Unauthenticated, CSRF validation not required
if not user or not user.is_active:
2012-11-13 15:27:09 +04:00
return None
2013-06-30 00:34:47 +04:00
self.enforce_csrf(request)
# CSRF passed with authenticated user
return (user, None)
def enforce_csrf(self, request):
"""
Enforce CSRF validation for session based authentication.
"""
reason = CSRFCheck().process_view(request, None, (), {})
if reason:
# CSRF failed, bail with explicit error message
raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
class TokenAuthentication(BaseAuthentication):
"""
Simple token based authentication.
Clients should authenticate by passing the token key in the "Authorization"
HTTP header, prepended with the string "Token ". For example:
Authorization: Token 401f7ac837da42b97f613d789819ff93537bee6a
"""
model = Token
"""
A custom token model may be used, but must have the following properties.
* key -- The string identifying the token
* user -- The user to which the token belongs
"""
def authenticate(self, request):
2013-03-09 00:23:11 +04:00
auth = get_authorization_header(request).split()
2013-03-09 02:56:24 +04:00
if not auth or auth[0].lower() != b'token':
2012-11-13 15:27:09 +04:00
return None
2013-03-09 00:23:11 +04:00
if len(auth) == 1:
msg = _('Invalid token header. No credentials provided.')
2013-03-09 02:56:24 +04:00
raise exceptions.AuthenticationFailed(msg)
elif len(auth) > 2:
msg = _('Invalid token header. Token string should not contain spaces.')
2013-03-09 00:23:11 +04:00
raise exceptions.AuthenticationFailed(msg)
2012-11-13 15:27:09 +04:00
return self.authenticate_credentials(auth[1])
def authenticate_credentials(self, key):
try:
token = self.model.objects.get(key=key)
except self.model.DoesNotExist:
raise exceptions.AuthenticationFailed(_('Invalid token.'))
2012-11-13 15:27:09 +04:00
2013-03-09 00:23:11 +04:00
if not token.user.is_active:
raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))
2013-03-09 00:23:11 +04:00
return (token.user, token)
2012-11-13 15:27:09 +04:00
2013-01-22 01:29:49 +04:00
def authenticate_header(self, request):
2012-11-13 15:27:09 +04:00
return 'Token'