2011-05-10 13:49:28 +04:00
|
|
|
"""
|
2011-05-17 03:27:27 +04:00
|
|
|
The :mod:`authentication` module provides a set of pluggable authentication classes.
|
2011-02-19 16:12:35 +03:00
|
|
|
|
2011-05-17 03:27:27 +04:00
|
|
|
Authentication behavior is provided by mixing the :class:`mixins.AuthMixin` class into a :class:`View` class.
|
2011-02-19 16:12:35 +03:00
|
|
|
|
2011-05-10 19:01:58 +04:00
|
|
|
The set of authentication methods which are used is then specified by setting the
|
2011-05-19 00:13:48 +04:00
|
|
|
:attr:`authentication` attribute on the :class:`View` class, and listing a set of :class:`authentication` classes.
|
2011-02-19 16:12:35 +03:00
|
|
|
"""
|
2011-05-10 13:49:28 +04:00
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
from django.contrib.auth import authenticate
|
2011-02-19 13:26:27 +03:00
|
|
|
from django.middleware.csrf import CsrfViewMiddleware
|
|
|
|
from djangorestframework.utils import as_tuple
|
2011-01-24 21:59:23 +03:00
|
|
|
import base64
|
|
|
|
|
2011-05-10 13:49:28 +04:00
|
|
|
__all__ = (
|
|
|
|
'BaseAuthenticaton',
|
|
|
|
'BasicAuthenticaton',
|
|
|
|
'UserLoggedInAuthenticaton'
|
|
|
|
)
|
2011-02-19 13:26:27 +03:00
|
|
|
|
2011-05-10 13:49:28 +04:00
|
|
|
|
|
|
|
class BaseAuthenticaton(object):
|
|
|
|
"""
|
|
|
|
All authentication classes should extend BaseAuthentication.
|
|
|
|
"""
|
2011-01-24 21:59:23 +03:00
|
|
|
|
2011-04-25 04:03:23 +04:00
|
|
|
def __init__(self, view):
|
2011-05-10 13:49:28 +04:00
|
|
|
"""
|
2011-05-19 00:13:48 +04:00
|
|
|
:class:`Authentication` classes are always passed the current view on creation.
|
2011-05-10 13:49:28 +04:00
|
|
|
"""
|
2011-04-25 04:03:23 +04:00
|
|
|
self.view = view
|
2011-01-24 21:59:23 +03:00
|
|
|
|
|
|
|
def authenticate(self, request):
|
2011-05-10 13:49:28 +04:00
|
|
|
"""
|
2011-05-19 11:49:57 +04:00
|
|
|
Authenticate the :obj:`request` and return a :obj:`User` or :const:`None`. [*]_
|
2011-05-17 12:15:35 +04:00
|
|
|
|
|
|
|
.. [*] The authentication context *will* typically be a :obj:`User`,
|
2011-05-17 03:27:27 +04:00
|
|
|
but it need not be. It can be any user-like object so long as the
|
2011-05-19 11:49:57 +04:00
|
|
|
permissions classes (see the :mod:`permissions` module) on the view can
|
|
|
|
handle the object and use it to determine if the request has the required
|
|
|
|
permissions or not.
|
2011-05-19 00:13:48 +04:00
|
|
|
|
2011-05-17 03:27:27 +04:00
|
|
|
This can be an important distinction if you're implementing some token
|
|
|
|
based authentication mechanism, where the authentication context
|
|
|
|
may be more involved than simply mapping to a :obj:`User`.
|
2011-05-10 13:49:28 +04:00
|
|
|
"""
|
2011-01-24 21:59:23 +03:00
|
|
|
return None
|
|
|
|
|
|
|
|
|
2011-05-10 13:49:28 +04:00
|
|
|
class BasicAuthenticaton(BaseAuthenticaton):
|
|
|
|
"""
|
|
|
|
Use HTTP Basic authentication.
|
|
|
|
"""
|
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
def authenticate(self, request):
|
2011-05-17 12:15:35 +04:00
|
|
|
"""
|
|
|
|
Returns a :obj:`User` if a correct username and password have been supplied
|
2011-05-19 00:13:48 +04:00
|
|
|
using HTTP Basic authentication. Otherwise returns :const:`None`.
|
2011-05-17 12:15:35 +04:00
|
|
|
"""
|
2011-04-05 05:40:18 +04:00
|
|
|
from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError
|
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
if 'HTTP_AUTHORIZATION' in request.META:
|
|
|
|
auth = request.META['HTTP_AUTHORIZATION'].split()
|
|
|
|
if len(auth) == 2 and auth[0].lower() == "basic":
|
2011-04-05 05:40:18 +04:00
|
|
|
try:
|
|
|
|
auth_parts = base64.b64decode(auth[1]).partition(':')
|
|
|
|
except TypeError:
|
|
|
|
return None
|
|
|
|
|
|
|
|
try:
|
|
|
|
uname, passwd = smart_unicode(auth_parts[0]), smart_unicode(auth_parts[2])
|
|
|
|
except DjangoUnicodeDecodeError:
|
|
|
|
return None
|
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
user = authenticate(username=uname, password=passwd)
|
|
|
|
if user is not None and user.is_active:
|
|
|
|
return user
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
2011-05-10 13:49:28 +04:00
|
|
|
class UserLoggedInAuthenticaton(BaseAuthenticaton):
|
|
|
|
"""
|
|
|
|
Use Django's session framework for authentication.
|
|
|
|
"""
|
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
def authenticate(self, request):
|
2011-05-17 12:15:35 +04:00
|
|
|
"""
|
2011-05-19 11:49:57 +04:00
|
|
|
Returns a :obj:`User` if the request session currently has a logged in user.
|
|
|
|
Otherwise returns :const:`None`.
|
2011-05-17 12:15:35 +04:00
|
|
|
"""
|
2011-05-10 19:01:58 +04:00
|
|
|
# TODO: Switch this back to request.POST, and let FormParser/MultiPartParser deal with the consequences.
|
2011-04-04 12:19:49 +04:00
|
|
|
if getattr(request, 'user', None) and request.user.is_active:
|
2011-04-27 00:08:36 +04:00
|
|
|
# If this is a POST request we enforce CSRF validation.
|
|
|
|
if request.method.upper() == 'POST':
|
2011-05-12 15:55:13 +04:00
|
|
|
# Temporarily replace request.POST with .DATA,
|
2011-04-27 00:08:36 +04:00
|
|
|
# so that we use our more generic request parsing
|
2011-05-12 15:55:13 +04:00
|
|
|
request._post = self.view.DATA
|
2011-04-27 00:08:36 +04:00
|
|
|
resp = CsrfViewMiddleware().process_view(request, None, (), {})
|
|
|
|
del(request._post)
|
|
|
|
if resp is not None: # csrf failed
|
|
|
|
return None
|
|
|
|
return request.user
|
2011-01-24 21:59:23 +03:00
|
|
|
return None
|
2011-04-27 21:07:28 +04:00
|
|
|
|
|
|
|
|
2011-05-10 13:49:28 +04:00
|
|
|
# TODO: TokenAuthentication, DigestAuthentication, OAuthAuthentication
|