django-rest-framework/rest_framework/authentication.py

"""
Provides a set of pluggable authentication policies.
"""

from django.contrib.auth import authenticate
from django.utils.encoding import DjangoUnicodeDecodeError
try:
    from django.utils.encoding import smart_text
except ImportError:
    from django.utils.encoding import smart_unicode as smart_text
from rest_framework import exceptions
from rest_framework.compat import CsrfViewMiddleware
from rest_framework.authtoken.models import Token
import base64


class BaseAuthentication(object):
    """
    All authentication classes should extend BaseAuthentication.
    """

    def authenticate(self, request):
        """
        Authenticate the request and return a two-tuple of (user, token).
        """
        raise NotImplementedError(".authenticate() must be overridden.")


class BasicAuthentication(BaseAuthentication):
    """
    HTTP Basic authentication against username/password.
    """

    def authenticate(self, request):
        """
        Returns a `User` if a correct username and password have been supplied
        using HTTP Basic authentication.  Otherwise returns `None`.
        """
        if 'HTTP_AUTHORIZATION' in request.META:
            auth = request.META['HTTP_AUTHORIZATION'].split()
            if len(auth) == 2 and auth[0].lower() == "basic":
                try:
                    auth_parts = base64.b64decode(auth[1].encode('utf8')).decode('utf8').partition(':')
                except TypeError:
                    return None

                try:
                    userid = smart_text(auth_parts[0])
                    password = smart_text(auth_parts[2])
                except DjangoUnicodeDecodeError:
                    return None

                return self.authenticate_credentials(userid, password)

    def authenticate_credentials(self, userid, password):
        """
        Authenticate the userid and password against username and password.
        """
        user = authenticate(username=userid, password=password)
        if user is not None and user.is_active:
            return (user, None)


class SessionAuthentication(BaseAuthentication):
    """
    Use Django's session framework for authentication.
    """

    def authenticate(self, request):
        """
        Returns a `User` if the request session currently has a logged in user.
        Otherwise returns `None`.
        """

        # Get the underlying HttpRequest object
        http_request = request._request
        user = getattr(http_request, 'user', None)

        # Unauthenticated, CSRF validation not required
        if not user or not user.is_active:
            return

        # Enforce CSRF validation for session based authentication.
        class CSRFCheck(CsrfViewMiddleware):
            def _reject(self, request, reason):
                # Return the failure reason instead of an HttpResponse
                return reason

        reason = CSRFCheck().process_view(http_request, None, (), {})
        if reason:
            # CSRF failed, bail with explicit error message
            raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)

        # CSRF passed with authenticated user
        return (user, None)


class TokenAuthentication(BaseAuthentication):
    """
    Simple token based authentication.

    Clients should authenticate by passing the token key in the "Authorization"
    HTTP header, prepended with the string "Token ".  For example:

        Authorization: Token 401f7ac837da42b97f613d789819ff93537bee6a
    """

    model = Token
    """
    A custom token model may be used, but must have the following properties.

    * key -- The string identifying the token
    * user -- The user to which the token belongs
    """

    def authenticate(self, request):
        auth = request.META.get('HTTP_AUTHORIZATION', '').split()

        if len(auth) == 2 and auth[0].lower() == "token":
            key = auth[1]
            try:
                token = self.model.objects.get(key=key)
            except self.model.DoesNotExist:
                return None

            if token.user.is_active:
                return (token.user, token)

# TODO: OAuthAuthentication
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			`Provides a set of pluggable authentication policies.`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`

			`from django.contrib.auth import authenticate`
First passing test under p3k \o/ 2012-11-22 03:20:49 +04:00			`from django.utils.encoding import DjangoUnicodeDecodeError`
			`try:`
			`from django.utils.encoding import smart_text`
			`except ImportError:`
			`from django.utils.encoding import smart_unicode as smart_text`
Explicit CSRF failure message. Fixes #60. 2012-10-15 17:03:36 +04:00			`from rest_framework import exceptions`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`from rest_framework.compat import CsrfViewMiddleware`
			`from rest_framework.authtoken.models import Token`
			`import base64`


			`class BaseAuthentication(object):`
			`"""`
			`All authentication classes should extend BaseAuthentication.`
			`"""`

			`def authenticate(self, request):`
			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			`Authenticate the request and return a two-tuple of (user, token).`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			`raise NotImplementedError(".authenticate() must be overridden.")`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00

			`class BasicAuthentication(BaseAuthentication):`
			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			`HTTP Basic authentication against username/password.`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`

			`def authenticate(self, request):`
			`"""`
			Returns a `User` if a correct username and password have been supplied
			using HTTP Basic authentication. Otherwise returns `None`.
			`"""`
			`if 'HTTP_AUTHORIZATION' in request.META:`
			`auth = request.META['HTTP_AUTHORIZATION'].split()`
			`if len(auth) == 2 and auth[0].lower() == "basic":`
			`try:`
6 first tests passes under python 3.2 2012-11-22 05:08:00 +04:00			`auth_parts = base64.b64decode(auth[1].encode('utf8')).decode('utf8').partition(':')`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`except TypeError:`
			`return None`

			`try:`
First passing test under p3k \o/ 2012-11-22 03:20:49 +04:00			`userid = smart_text(auth_parts[0])`
			`password = smart_text(auth_parts[2])`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`except DjangoUnicodeDecodeError:`
			`return None`

			`return self.authenticate_credentials(userid, password)`

			`def authenticate_credentials(self, userid, password):`
			`"""`
			`Authenticate the userid and password against username and password.`
			`"""`
			`user = authenticate(username=userid, password=password)`
			`if user is not None and user.is_active:`
			`return (user, None)`


			`class SessionAuthentication(BaseAuthentication):`
			`"""`
			`Use Django's session framework for authentication.`
			`"""`

			`def authenticate(self, request):`
			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			Returns a `User` if the request session currently has a logged in user.
			Otherwise returns `None`.
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Fix session auth 2012-10-10 19:36:25 +04:00
			`# Get the underlying HttpRequest object`
			`http_request = request._request`
			`user = getattr(http_request, 'user', None)`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
Explicit CSRF failure message. Fixes #60. 2012-10-15 17:03:36 +04:00			`# Unauthenticated, CSRF validation not required`
			`if not user or not user.is_active:`
			`return`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
Explicit CSRF failure message. Fixes #60. 2012-10-15 17:03:36 +04:00			`# Enforce CSRF validation for session based authentication.`
			`class CSRFCheck(CsrfViewMiddleware):`
			`def _reject(self, request, reason):`
			`# Return the failure reason instead of an HttpResponse`
			`return reason`

			`reason = CSRFCheck().process_view(http_request, None, (), {})`
			`if reason:`
			`# CSRF failed, bail with explicit error message`
			`raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)`

			`# CSRF passed with authenticated user`
			`return (user, None)`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00

			`class TokenAuthentication(BaseAuthentication):`
			`"""`
			`Simple token based authentication.`

			`Clients should authenticate by passing the token key in the "Authorization"`
			`HTTP header, prepended with the string "Token ". For example:`

			`Authorization: Token 401f7ac837da42b97f613d789819ff93537bee6a`
			`"""`

			`model = Token`
			`"""`
			`A custom token model may be used, but must have the following properties.`

			`* key -- The string identifying the token`
			`* user -- The user to which the token belongs`
			`"""`

			`def authenticate(self, request):`
			`auth = request.META.get('HTTP_AUTHORIZATION', '').split()`

			`if len(auth) == 2 and auth[0].lower() == "token":`
			`key = auth[1]`
			`try:`
			`token = self.model.objects.get(key=key)`
			`except self.model.DoesNotExist:`
			`return None`

Tweak authtoken 2012-10-09 12:57:31 +04:00			`if token.user.is_active:`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`return (token.user, token)`

			`# TODO: OAuthAuthentication`