django-rest-framework/djangorestframework/authentication.py

"""
The :mod:`authentication` module provides a set of pluggable authentication classes.

Authentication behavior is provided by mixing the :class:`mixins.AuthMixin` class into a :class:`View` class.

The set of authentication methods which are used is then specified by setting the
:attr:`authentication` attribute on the :class:`View` class, and listing a set of authentication classes.
"""

from django.contrib.auth import authenticate
from django.middleware.csrf import CsrfViewMiddleware
from djangorestframework.utils import as_tuple
import base64

__all__ = (
    'BaseAuthenticaton',
    'BasicAuthenticaton',
    'UserLoggedInAuthenticaton'
)


class BaseAuthenticaton(object):
    """
    All authentication classes should extend BaseAuthentication.
    """

    def __init__(self, view):
        """
        :param view: :class:`Authentication` classes are always passed the current view on creation.
        """
        self.view = view

    def authenticate(self, request):
        """
        :param request: Request to be authenticated
        :rtype: :obj:`User` or None [*]_
       
        .. [*] The authentication context *will* typically be a :obj:`User`,
            but it need not be.  It can be any user-like object so long as the
            permissions classes on the view can handle the object and use
            it to determine if the request has the required permissions or not. 
    
            This can be an important distinction if you're implementing some token
            based authentication mechanism, where the authentication context
            may be more involved than simply mapping to a :obj:`User`.
        """
        return None


class BasicAuthenticaton(BaseAuthenticaton):
    """
    Use HTTP Basic authentication.
    """

    def authenticate(self, request):
        """
        Returns a :obj:`User` if a correct username and password have been supplied
        using HTTP Basic authentication.  Otherwise returns `None`.  
        """
        from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError
        
        if 'HTTP_AUTHORIZATION' in request.META:
            auth = request.META['HTTP_AUTHORIZATION'].split()
            if len(auth) == 2 and auth[0].lower() == "basic":
                try:
                    auth_parts = base64.b64decode(auth[1]).partition(':')
                except TypeError:
                    return None
                
                try:
                    uname, passwd = smart_unicode(auth_parts[0]), smart_unicode(auth_parts[2])
                except DjangoUnicodeDecodeError:
                    return None
                    
                user = authenticate(username=uname, password=passwd)
                if user is not None and user.is_active:
                    return user
        return None
                

class UserLoggedInAuthenticaton(BaseAuthenticaton):
    """
    Use Django's session framework for authentication.
    """

    def authenticate(self, request):
        """
        Returns a :obj:`User` if the request session currently has a logged in user, otherwise `None`.
        """
        # TODO: Switch this back to request.POST, and let FormParser/MultiPartParser deal with the consequences.
        if getattr(request, 'user', None) and request.user.is_active:
            # If this is a POST request we enforce CSRF validation.
            if request.method.upper() == 'POST':
                # Temporarily replace request.POST with .DATA,
                # so that we use our more generic request parsing
                request._post = self.view.DATA
                resp = CsrfViewMiddleware().process_view(request, None, (), {})
                del(request._post)
                if resp is not None:  # csrf failed
                    return None
            return request.user
        return None


# TODO: TokenAuthentication, DigestAuthentication, OAuthAuthentication
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
Nicely marked up source code. 2011-05-17 03:27:27 +04:00			The :mod:`authentication` module provides a set of pluggable authentication classes.
Clean up the docs 2011-02-19 16:12:35 +03:00
Nicely marked up source code. 2011-05-17 03:27:27 +04:00			Authentication behavior is provided by mixing the :class:`mixins.AuthMixin` class into a :class:`View` class.
Clean up the docs 2011-02-19 16:12:35 +03:00
More tests, getting new serialization into resource 2011-05-10 19:01:58 +04:00			`The set of authentication methods which are used is then specified by setting the`
Nicely marked up source code. 2011-05-17 03:27:27 +04:00			:attr:`authentication` attribute on the :class:`View` class, and listing a set of authentication classes.
Clean up the docs 2011-02-19 16:12:35 +03:00			`"""`
Getting the API into shape 2011-05-10 13:49:28 +04:00
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`from django.contrib.auth import authenticate`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`from django.middleware.csrf import CsrfViewMiddleware`
			`from djangorestframework.utils import as_tuple`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`import base64`

Getting the API into shape 2011-05-10 13:49:28 +04:00			`__all__ = (`
			`'BaseAuthenticaton',`
			`'BasicAuthenticaton',`
			`'UserLoggedInAuthenticaton'`
			`)`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00
Getting the API into shape 2011-05-10 13:49:28 +04:00
			`class BaseAuthenticaton(object):`
			`"""`
			`All authentication classes should extend BaseAuthentication.`
			`"""`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00
Generic permissions added, allowed_methods and anon_allowed_methods now defunct, dispatch now mirrors View.dispatch more nicely 2011-04-25 04:03:23 +04:00			`def __init__(self, view):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
Merge Marko's doc improvements. 2011-05-17 12:15:35 +04:00			:param view: :class:`Authentication` classes are always passed the current view on creation.
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
Generic permissions added, allowed_methods and anon_allowed_methods now defunct, dispatch now mirrors View.dispatch more nicely 2011-04-25 04:03:23 +04:00			`self.view = view`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00
			`def authenticate(self, request):`
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
Nicely marked up source code. 2011-05-17 03:27:27 +04:00			`:param request: Request to be authenticated`
Merge Marko's doc improvements. 2011-05-17 12:15:35 +04:00			:rtype: :obj:`User` or None [*]_

			.. [] The authentication context will* typically be a :obj:`User`,
Nicely marked up source code. 2011-05-17 03:27:27 +04:00			`but it need not be. It can be any user-like object so long as the`
			`permissions classes on the view can handle the object and use`
			`it to determine if the request has the required permissions or not.`

			`This can be an important distinction if you're implementing some token`
			`based authentication mechanism, where the authentication context`
			may be more involved than simply mapping to a :obj:`User`.
Getting the API into shape 2011-05-10 13:49:28 +04:00			`"""`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`return None`


Getting the API into shape 2011-05-10 13:49:28 +04:00			`class BasicAuthenticaton(BaseAuthenticaton):`
			`"""`
			`Use HTTP Basic authentication.`
			`"""`

Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`def authenticate(self, request):`
Merge Marko's doc improvements. 2011-05-17 12:15:35 +04:00			`"""`
			Returns a :obj:`User` if a correct username and password have been supplied
			using HTTP Basic authentication. Otherwise returns `None`.
			`"""`
Better error handling for Basic authentication. Catch exceptions that could be thrown due to malformed input 2011-04-05 05:40:18 +04:00			`from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError`

Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`if 'HTTP_AUTHORIZATION' in request.META:`
			`auth = request.META['HTTP_AUTHORIZATION'].split()`
			`if len(auth) == 2 and auth[0].lower() == "basic":`
Better error handling for Basic authentication. Catch exceptions that could be thrown due to malformed input 2011-04-05 05:40:18 +04:00			`try:`
			`auth_parts = base64.b64decode(auth[1]).partition(':')`
			`except TypeError:`
			`return None`

			`try:`
			`uname, passwd = smart_unicode(auth_parts[0]), smart_unicode(auth_parts[2])`
			`except DjangoUnicodeDecodeError:`
			`return None`

Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`user = authenticate(username=uname, password=passwd)`
			`if user is not None and user.is_active:`
			`return user`
			`return None`


Getting the API into shape 2011-05-10 13:49:28 +04:00			`class UserLoggedInAuthenticaton(BaseAuthenticaton):`
			`"""`
			`Use Django's session framework for authentication.`
			`"""`

Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`def authenticate(self, request):`
Merge Marko's doc improvements. 2011-05-17 12:15:35 +04:00			`"""`
			Returns a :obj:`User` if the request session currently has a logged in user, otherwise `None`.
			`"""`
More tests, getting new serialization into resource 2011-05-10 19:01:58 +04:00			`# TODO: Switch this back to request.POST, and let FormParser/MultiPartParser deal with the consequences.`
Turn streaming request parsing back on for 1.3. Fix CSRF which was breaking it. It's really not at all obvious if we need to byte limit the stream that we hand over or not. 2011-04-04 12:19:49 +04:00			`if getattr(request, 'user', None) and request.user.is_active:`
CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases 2011-04-27 00:08:36 +04:00			`# If this is a POST request we enforce CSRF validation.`
			`if request.method.upper() == 'POST':`
refactoring resource specfic stuff into ResourceMixin - validators now defunct 2011-05-12 15:55:13 +04:00			`# Temporarily replace request.POST with .DATA,`
CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases 2011-04-27 00:08:36 +04:00			`# so that we use our more generic request parsing`
refactoring resource specfic stuff into ResourceMixin - validators now defunct 2011-05-12 15:55:13 +04:00			`request._post = self.view.DATA`
CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases 2011-04-27 00:08:36 +04:00			`resp = CsrfViewMiddleware().process_view(request, None, (), {})`
			`del(request._post)`
			`if resp is not None: # csrf failed`
			`return None`
			`return request.user`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`return None`
Fix up tests and examples after refactoring 2011-04-27 21:07:28 +04:00

Getting the API into shape 2011-05-10 13:49:28 +04:00			`# TODO: TokenAuthentication, DigestAuthentication, OAuthAuthentication`