django-rest-framework/djangorestframework/authentication.py

"""
The :mod:`authentication` module provides a set of pluggable authentication classes.

Authentication behavior is provided by mixing the :class:`mixins.RequestMixin` class into a :class:`View` class.
"""

from django.contrib.auth import authenticate
from djangorestframework.compat import CsrfViewMiddleware
import base64

__all__ = (
    'BaseAuthentication',
    'BasicAuthentication',
    'SessionAuthentication'
)


class BaseAuthentication(object):
    """
    All authentication classes should extend BaseAuthentication.
    """

    def authenticate(self, request):
        """
        Authenticate the :obj:`request` and return a :obj:`User` or :const:`None`. [*]_

        .. [*] The authentication context *will* typically be a :obj:`User`,
            but it need not be.  It can be any user-like object so long as the
            permissions classes (see the :mod:`permissions` module) on the view can
            handle the object and use it to determine if the request has the required
            permissions or not.

            This can be an important distinction if you're implementing some token
            based authentication mechanism, where the authentication context
            may be more involved than simply mapping to a :obj:`User`.
        """
        return None


class BasicAuthentication(BaseAuthentication):
    """
    Base class for HTTP Basic authentication.
    Subclasses should implement `.authenticate_credentials()`.
    """

    def authenticate(self, request):
        """
        Returns a `User` if a correct username and password have been supplied
        using HTTP Basic authentication.  Otherwise returns `None`.
        """
        from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError

        if 'HTTP_AUTHORIZATION' in request.META:
            auth = request.META['HTTP_AUTHORIZATION'].split()
            if len(auth) == 2 and auth[0].lower() == "basic":
                try:
                    auth_parts = base64.b64decode(auth[1]).partition(':')
                except TypeError:
                    return None

                try:
                    userid, password = smart_unicode(auth_parts[0]), smart_unicode(auth_parts[2])
                except DjangoUnicodeDecodeError:
                    return None

                return self.authenticate_credentials(userid, password)

    def authenticate_credentials(self, userid, password):
        """
        Given the Basic authentication userid and password, authenticate
        and return a user instance.
        """
        raise NotImplementedError('.authenticate_credentials() must be overridden')


class UserBasicAuthentication(BasicAuthentication):
    def authenticate_credentials(self, userid, password):
        """
        Authenticate the userid and password against username and password.
        """
        user = authenticate(username=userid, password=password)
        if user is not None and user.is_active:
            return (user, None)


class SessionAuthentication(BaseAuthentication):
    """
    Use Django's session framework for authentication.
    """

    def authenticate(self, request):
        """
        Returns a :obj:`User` if the request session currently has a logged in user.
        Otherwise returns :const:`None`.
        """
        user = getattr(request._request, 'user', None)

        if user and user.is_active:
            # Enforce CSRF validation for session based authentication.
            resp = CsrfViewMiddleware().process_view(request, None, (), {})

            if resp is None:  # csrf passed
                return (user, None)


# TODO: TokenAuthentication, DigestAuthentication, OAuthAuthentication
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
Nicely marked up source code. 2011-05-17 03:27:27 +04:00			The :mod:`authentication` module provides a set of pluggable authentication classes.
Clean up the docs 2011-02-19 16:12:35 +03:00
updated docs 2012-02-24 01:34:20 +04:00			Authentication behavior is provided by mixing the :class:`mixins.RequestMixin` class into a :class:`View` class.
Clean up the docs 2011-02-19 16:12:35 +03:00			`"""`
Getting the API into shape 2011-05-10 13:49:28 +04:00
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`from django.contrib.auth import authenticate`
Use 1.4's CSRFMiddleware, so that PUT and DELETE get CSRF validation if session authentication is being used 2011-12-15 00:10:06 +04:00			`from djangorestframework.compat import CsrfViewMiddleware`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`import base64`

Getting the API into shape 2011-05-10 13:49:28 +04:00			`__all__ = (`
Typo. Authenticat<i>on 2011-06-07 17:12:02 +04:00			`'BaseAuthentication',`
			`'BasicAuthentication',`
Bits of cleanup 2012-09-04 15:02:05 +04:00			`'SessionAuthentication'`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`)`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00
Getting the API into shape 2011-05-10 13:49:28 +04:00
Typo. Authenticat<i>on 2011-06-07 17:12:02 +04:00			`class BaseAuthentication(object):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`All authentication classes should extend BaseAuthentication.`
			`"""`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00
			`def authenticate(self, request):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
Merge in marko's doc markup 2011-05-19 11:49:57 +04:00			Authenticate the :obj:`request` and return a :obj:`User` or :const:`None`. [*]_
whitespace fixes 2011-12-29 17:31:12 +04:00
Merge Marko's doc improvements. 2011-05-17 12:15:35 +04:00			.. [] The authentication context will* typically be a :obj:`User`,
Nicely marked up source code. 2011-05-17 03:27:27 +04:00			`but it need not be. It can be any user-like object so long as the`
Merge in marko's doc markup 2011-05-19 11:49:57 +04:00			permissions classes (see the :mod:`permissions` module) on the view can
			`handle the object and use it to determine if the request has the required`
whitespace fixes 2011-12-29 17:31:12 +04:00			`permissions or not.`

Nicely marked up source code. 2011-05-17 03:27:27 +04:00			`This can be an important distinction if you're implementing some token`
			`based authentication mechanism, where the authentication context`
			may be more involved than simply mapping to a :obj:`User`.
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`return None`


Typo. Authenticat<i>on 2011-06-07 17:12:02 +04:00			`class BasicAuthentication(BaseAuthentication):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
Refactoring some basics 2012-09-06 16:49:15 +04:00			`Base class for HTTP Basic authentication.`
			Subclasses should implement `.authenticate_credentials()`.
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`

Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`def authenticate(self, request):`
Merge Marko's doc improvements. 2011-05-17 12:15:35 +04:00			`"""`
Refactoring some basics 2012-09-06 16:49:15 +04:00			Returns a `User` if a correct username and password have been supplied
			using HTTP Basic authentication. Otherwise returns `None`.
Merge Marko's doc improvements. 2011-05-17 12:15:35 +04:00			`"""`
Better error handling for Basic authentication. Catch exceptions that could be thrown due to malformed input 2011-04-05 05:40:18 +04:00			`from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError`
whitespace fixes 2011-12-29 17:31:12 +04:00
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`if 'HTTP_AUTHORIZATION' in request.META:`
			`auth = request.META['HTTP_AUTHORIZATION'].split()`
			`if len(auth) == 2 and auth[0].lower() == "basic":`
Better error handling for Basic authentication. Catch exceptions that could be thrown due to malformed input 2011-04-05 05:40:18 +04:00			`try:`
			`auth_parts = base64.b64decode(auth[1]).partition(':')`
			`except TypeError:`
			`return None`
whitespace fixes 2011-12-29 17:31:12 +04:00
Better error handling for Basic authentication. Catch exceptions that could be thrown due to malformed input 2011-04-05 05:40:18 +04:00			`try:`
Refactoring some basics 2012-09-06 16:49:15 +04:00			`userid, password = smart_unicode(auth_parts[0]), smart_unicode(auth_parts[2])`
Better error handling for Basic authentication. Catch exceptions that could be thrown due to malformed input 2011-04-05 05:40:18 +04:00			`except DjangoUnicodeDecodeError:`
			`return None`
whitespace fixes 2011-12-29 17:31:12 +04:00
Refactoring some basics 2012-09-06 16:49:15 +04:00			`return self.authenticate_credentials(userid, password)`
whitespace fixes 2011-12-29 17:31:12 +04:00
Refactoring some basics 2012-09-06 16:49:15 +04:00			`def authenticate_credentials(self, userid, password):`
			`"""`
			`Given the Basic authentication userid and password, authenticate`
			`and return a user instance.`
			`"""`
			`raise NotImplementedError('.authenticate_credentials() must be overridden')`


			`class UserBasicAuthentication(BasicAuthentication):`
			`def authenticate_credentials(self, userid, password):`
			`"""`
			`Authenticate the userid and password against username and password.`
			`"""`
			`user = authenticate(username=userid, password=password)`
			`if user is not None and user.is_active:`
Add support for request.auth 2012-09-06 17:50:43 +04:00			`return (user, None)`
Refactoring some basics 2012-09-06 16:49:15 +04:00
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00
Bits of cleanup 2012-09-04 15:02:05 +04:00			`class SessionAuthentication(BaseAuthentication):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
			`Use Django's session framework for authentication.`
			`"""`

Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`def authenticate(self, request):`
Merge Marko's doc improvements. 2011-05-17 12:15:35 +04:00			`"""`
Merge in marko's doc markup 2011-05-19 11:49:57 +04:00			Returns a :obj:`User` if the request session currently has a logged in user.
			Otherwise returns :const:`None`.
Merge Marko's doc improvements. 2011-05-17 12:15:35 +04:00			`"""`
Merge work from sebpiq 2012-04-11 20:38:47 +04:00			`user = getattr(request._request, 'user', None)`
Fix UserLoggedInAuthentication for POST requests. Fixes #78. 2012-01-24 23:26:37 +04:00
authentication refactor : request.user + tests pass 2012-02-24 00:47:45 +04:00			`if user and user.is_active:`
CSRF for non-dict like .DATA. Fixes #85 2011-12-15 00:19:17 +04:00			`# Enforce CSRF validation for session based authentication.`
			`resp = CsrfViewMiddleware().process_view(request, None, (), {})`

			`if resp is None: # csrf passed`
Add support for request.auth 2012-09-06 17:50:43 +04:00			`return (user, None)`
Fix up tests and examples after refactoring 2011-04-27 21:07:28 +04:00

Getting the API into shape 2011-05-10 13:49:28 +04:00			`# TODO: TokenAuthentication, DigestAuthentication, OAuthAuthentication`