django-rest-framework/djangorestframework/authenticators.py

"""The :mod:`authenticators` modules provides for pluggable authentication behaviour.

Authentication behaviour is provided by adding the mixin class :class:`AuthenticatorMixin` to a :class:`.Resource` or Django :class:`View` class.

The set of authenticators which are use is then specified by setting the :attr:`authenticators` attribute on the class, and listing a set of authenticator classes.
"""
from django.contrib.auth import authenticate
from django.middleware.csrf import CsrfViewMiddleware
from djangorestframework.utils import as_tuple
import base64


class AuthenticatorMixin(object):
    """Adds pluggable authentication behaviour."""
    
    """The set of authenticators to use."""
    authenticators = None

    def authenticate(self, request):
        """Attempt to authenticate the request, returning an authentication context or None.
        An authentication context may be any object, although in many cases it will simply be a :class:`User` instance."""
        
        # Attempt authentication against each authenticator in turn,
        # and return None if no authenticators succeed in authenticating the request.
        for authenticator in as_tuple(self.authenticators):
            auth_context = authenticator(self).authenticate(request)
            if auth_context:
                return auth_context

        return None


class BaseAuthenticator(object):
    """All authenticators should extend BaseAuthenticator."""

    def __init__(self, mixin):
        """Initialise the authenticator with the mixin instance as state,
        in case the authenticator needs to access any metadata on the mixin object."""
        self.mixin = mixin

    def authenticate(self, request):
        """Authenticate the request and return the authentication context or None.

        An authentication context might be something as simple as a User object, or it might
        be some more complicated token, for example authentication tokens which are signed
        against a particular set of permissions for a given user, over a given timeframe.

        The default permission checking on Resource will use the allowed_methods attribute
        for permissions if the authentication context is not None, and use anon_allowed_methods otherwise.

        The authentication context is passed to the method calls eg Resource.get(request, auth) in order to
        allow them to apply any more fine grained permission checking at the point the response is being generated.
        
        This function must be overridden to be implemented."""
        return None


class BasicAuthenticator(BaseAuthenticator):
    """Use HTTP Basic authentication"""
    def authenticate(self, request):
        from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError
        
        if 'HTTP_AUTHORIZATION' in request.META:
            auth = request.META['HTTP_AUTHORIZATION'].split()
            if len(auth) == 2 and auth[0].lower() == "basic":
                try:
                    auth_parts = base64.b64decode(auth[1]).partition(':')
                except TypeError:
                    return None
                
                try:
                    uname, passwd = smart_unicode(auth_parts[0]), smart_unicode(auth_parts[2])
                except DjangoUnicodeDecodeError:
                    return None
                    
                user = authenticate(username=uname, password=passwd)
                if user is not None and user.is_active:
                    return user
        return None
                

class UserLoggedInAuthenticator(BaseAuthenticator):
    """Use Django's built-in request session for authentication."""
    def authenticate(self, request):
        if getattr(request, 'user', None) and request.user.is_active:
            # If this is a POST request we enforce CSRF validation.
            if request.method.upper() == 'POST':
                # Temporarily replace request.POST with .RAW_CONTENT,
                # so that we use our more generic request parsing
                request._post = self.mixin.RAW_CONTENT
                resp = CsrfViewMiddleware().process_view(request, None, (), {})
                del(request._post)
                if resp is not None:  # csrf failed
                    return None
            return request.user
        return None
Clean up the docs 2011-02-19 16:12:35 +03:00			"""The :mod:`authenticators` modules provides for pluggable authentication behaviour.

			Authentication behaviour is provided by adding the mixin class :class:`AuthenticatorMixin` to a :class:`.Resource` or Django :class:`View` class.

			The set of authenticators which are use is then specified by setting the :attr:`authenticators` attribute on the class, and listing a set of authenticator classes.
			`"""`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`from django.contrib.auth import authenticate`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`from django.middleware.csrf import CsrfViewMiddleware`
			`from djangorestframework.utils import as_tuple`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`import base64`

Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00
			`class AuthenticatorMixin(object):`
Clean up the docs 2011-02-19 16:12:35 +03:00			`"""Adds pluggable authentication behaviour."""`

			`"""The set of authenticators to use."""`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`authenticators = None`

			`def authenticate(self, request):`
			`"""Attempt to authenticate the request, returning an authentication context or None.`
Clean up the docs 2011-02-19 16:12:35 +03:00			An authentication context may be any object, although in many cases it will simply be a :class:`User` instance."""
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00
			`# Attempt authentication against each authenticator in turn,`
			`# and return None if no authenticators succeed in authenticating the request.`
			`for authenticator in as_tuple(self.authenticators):`
			`auth_context = authenticator(self).authenticate(request)`
			`if auth_context:`
			`return auth_context`

			`return None`


Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`class BaseAuthenticator(object):`
			`"""All authenticators should extend BaseAuthenticator."""`

Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`def __init__(self, mixin):`
			`"""Initialise the authenticator with the mixin instance as state,`
			`in case the authenticator needs to access any metadata on the mixin object."""`
			`self.mixin = mixin`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00
			`def authenticate(self, request):`
			`"""Authenticate the request and return the authentication context or None.`

Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`An authentication context might be something as simple as a User object, or it might`
			`be some more complicated token, for example authentication tokens which are signed`
			`against a particular set of permissions for a given user, over a given timeframe.`

Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`The default permission checking on Resource will use the allowed_methods attribute`
			`for permissions if the authentication context is not None, and use anon_allowed_methods otherwise.`

			`The authentication context is passed to the method calls eg Resource.get(request, auth) in order to`
			`allow them to apply any more fine grained permission checking at the point the response is being generated.`

			`This function must be overridden to be implemented."""`
			`return None`


			`class BasicAuthenticator(BaseAuthenticator):`
			`"""Use HTTP Basic authentication"""`
			`def authenticate(self, request):`
Better error handling for Basic authentication. Catch exceptions that could be thrown due to malformed input 2011-04-05 05:40:18 +04:00			`from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError`

Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`if 'HTTP_AUTHORIZATION' in request.META:`
			`auth = request.META['HTTP_AUTHORIZATION'].split()`
			`if len(auth) == 2 and auth[0].lower() == "basic":`
Better error handling for Basic authentication. Catch exceptions that could be thrown due to malformed input 2011-04-05 05:40:18 +04:00			`try:`
			`auth_parts = base64.b64decode(auth[1]).partition(':')`
			`except TypeError:`
			`return None`

			`try:`
			`uname, passwd = smart_unicode(auth_parts[0]), smart_unicode(auth_parts[2])`
			`except DjangoUnicodeDecodeError:`
			`return None`

Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`user = authenticate(username=uname, password=passwd)`
			`if user is not None and user.is_active:`
			`return user`
			`return None`


			`class UserLoggedInAuthenticator(BaseAuthenticator):`
CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases 2011-04-27 00:08:36 +04:00			`"""Use Django's built-in request session for authentication."""`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`def authenticate(self, request):`
Turn streaming request parsing back on for 1.3. Fix CSRF which was breaking it. It's really not at all obvious if we need to byte limit the stream that we hand over or not. 2011-04-04 12:19:49 +04:00			`if getattr(request, 'user', None) and request.user.is_active:`
CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases 2011-04-27 00:08:36 +04:00			`# If this is a POST request we enforce CSRF validation.`
			`if request.method.upper() == 'POST':`
			`# Temporarily replace request.POST with .RAW_CONTENT,`
			`# so that we use our more generic request parsing`
			`request._post = self.mixin.RAW_CONTENT`
			`resp = CsrfViewMiddleware().process_view(request, None, (), {})`
			`del(request._post)`
			`if resp is not None: # csrf failed`
			`return None`
			`return request.user`
Added authenicators. Awesome. 2011-01-24 21:59:23 +03:00			`return None`