django-rest-framework/rest_framework/authentication.py

"""
Provides various authentication policies.
"""
from __future__ import unicode_literals
import base64
from django.contrib.auth import authenticate
from django.middleware.csrf import CsrfViewMiddleware
from django.utils.translation import ugettext_lazy as _
from rest_framework import exceptions, HTTP_HEADER_ENCODING
from rest_framework.authtoken.models import Token
from rest_framework.compat import get_user_model

def get_authorization_header(request):
    """
    Return request's 'Authorization:' header, as a bytestring.

    Hide some test client ickyness where the header can be unicode.
    """
    auth = request.META.get('HTTP_AUTHORIZATION', b'')
    if isinstance(auth, type('')):
        # Work around django test client oddness
        auth = auth.encode(HTTP_HEADER_ENCODING)
    return auth


class CSRFCheck(CsrfViewMiddleware):
    def _reject(self, request, reason):
        # Return the failure reason instead of an HttpResponse
        return reason


class BaseAuthentication(object):
    """
    All authentication classes should extend BaseAuthentication.
    """

    def authenticate(self, request):
        """
        Authenticate the request and return a two-tuple of (user, token).
        """
        raise NotImplementedError(".authenticate() must be overridden.")

    def authenticate_header(self, request):
        """
        Return a string to be used as the value of the `WWW-Authenticate`
        header in a `401 Unauthenticated` response, or `None` if the
        authentication scheme should return `403 Permission Denied` responses.
        """
        pass


class BasicAuthentication(BaseAuthentication):
    """
    HTTP Basic authentication against username/password.
    """
    www_authenticate_realm = 'api'

    def authenticate(self, request):
        """
        Returns a `User` if a correct username and password have been supplied
        using HTTP Basic authentication.  Otherwise returns `None`.
        """
        auth = get_authorization_header(request).split()

        if not auth or auth[0].lower() != b'basic':
            return None

        if len(auth) == 1:
            msg = _('Invalid basic header. No credentials provided.')
            raise exceptions.AuthenticationFailed(msg)
        elif len(auth) > 2:
            msg = _('Invalid basic header. Credentials string should not contain spaces.')
            raise exceptions.AuthenticationFailed(msg)

        try:
            auth_parts = base64.b64decode(auth[1]).decode(HTTP_HEADER_ENCODING).partition(':')
        except (TypeError, UnicodeDecodeError):
            msg = _('Invalid basic header. Credentials not correctly base64 encoded.')
            raise exceptions.AuthenticationFailed(msg)

        userid, password = auth_parts[0], auth_parts[2]
        return self.authenticate_credentials(userid, password)

    def authenticate_credentials(self, userid, password):
        """
        Authenticate the userid and password against username and password.
        """
        user_model = get_user_model()
        if hasattr(user_model, 'USERNAME_FIELD'):
            username_field = user_model.USERNAME_FIELD
        else:
            username_field = 'username'
        credentials = {
            username_field: userid,
            'password': password
        }
        user = authenticate(**credentials)

        if user is None:
            raise exceptions.AuthenticationFailed(_('Invalid username/password.'))

        if not user.is_active:
            raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))

        return (user, None)

    def authenticate_header(self, request):
        return 'Basic realm="%s"' % self.www_authenticate_realm


class SessionAuthentication(BaseAuthentication):
    """
    Use Django's session framework for authentication.
    """

    def authenticate(self, request):
        """
        Returns a `User` if the request session currently has a logged in user.
        Otherwise returns `None`.
        """

        # Get the underlying HttpRequest object
        request = request._request
        user = getattr(request, 'user', None)

        # Unauthenticated, CSRF validation not required
        if not user or not user.is_active:
            return None

        self.enforce_csrf(request)

        # CSRF passed with authenticated user
        return (user, None)

    def enforce_csrf(self, request):
        """
        Enforce CSRF validation for session based authentication.
        """
        reason = CSRFCheck().process_view(request, None, (), {})
        if reason:
            # CSRF failed, bail with explicit error message
            raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)


class TokenAuthentication(BaseAuthentication):
    """
    Simple token based authentication.

    Clients should authenticate by passing the token key in the "Authorization"
    HTTP header, prepended with the string "Token ".  For example:

        Authorization: Token 401f7ac837da42b97f613d789819ff93537bee6a
    """

    model = Token
    """
    A custom token model may be used, but must have the following properties.

    * key -- The string identifying the token
    * user -- The user to which the token belongs
    """

    def authenticate(self, request):
        auth = get_authorization_header(request).split()

        if not auth or auth[0].lower() != b'token':
            return None

        if len(auth) == 1:
            msg = _('Invalid token header. No credentials provided.')
            raise exceptions.AuthenticationFailed(msg)
        elif len(auth) > 2:
            msg = _('Invalid token header. Token string should not contain spaces.')
            raise exceptions.AuthenticationFailed(msg)

        return self.authenticate_credentials(auth[1])

    def authenticate_credentials(self, key):
        try:
            token = self.model.objects.select_related('user').get(key=key)
        except self.model.DoesNotExist:
            raise exceptions.AuthenticationFailed(_('Invalid token.'))

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))

        return (token.user, token)

    def authenticate_header(self, request):
        return 'Token'
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Cleanup docstrings 2013-04-25 15:47:34 +04:00			`Provides various authentication policies.`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
3.2, 3.3 compat 2013-02-01 18:03:28 +04:00			`from __future__ import unicode_literals`
client credentials should be optional (fix #759) client credentials should only be required on token request Signed-off-by: Fernando Rocha <fernandogrd@gmail.com> 2013-03-27 21:05:46 +04:00			`import base64`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`from django.contrib.auth import authenticate`
Drop 1.3 support 2013-09-25 13:30:04 +04:00			`from django.middleware.csrf import CsrfViewMiddleware`
use double quotes for user visible strings; end user visible strings in full stops; add some missing translation tags 2015-01-07 15:01:11 +03:00			`from django.utils.translation import ugettext_lazy as _`
3.2, 3.3 compat 2013-02-01 18:03:28 +04:00			`from rest_framework import exceptions, HTTP_HEADER_ENCODING`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`from rest_framework.authtoken.models import Token`
Import get_user_model from compat module Import get_user_model from compat module to be compatible with older django versions (e.g. 1.4). 2015-05-19 18:00:17 +03:00			`from rest_framework.compat import get_user_model`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
More bits of cleanup 2013-03-09 00:23:11 +04:00			`def get_authorization_header(request):`
			`"""`
			`Return request's 'Authorization:' header, as a bytestring.`

			`Hide some test client ickyness where the header can be unicode.`
			`"""`
			`auth = request.META.get('HTTP_AUTHORIZATION', b'')`
Code linting and added runtests.py 2014-08-19 16:28:07 +04:00			`if isinstance(auth, type('')):`
More bits of cleanup 2013-03-09 00:23:11 +04:00			`# Work around django test client oddness`
			`auth = auth.encode(HTTP_HEADER_ENCODING)`
			`return auth`


Refactor SessionAuthentication slightly 2013-06-29 11:14:05 +04:00			`class CSRFCheck(CsrfViewMiddleware):`
			`def _reject(self, request, reason):`
			`# Return the failure reason instead of an HttpResponse`
			`return reason`


Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`class BaseAuthentication(object):`
			`"""`
			`All authentication classes should extend BaseAuthentication.`
			`"""`

			`def authenticate(self, request):`
			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			`Authenticate the request and return a two-tuple of (user, token).`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			`raise NotImplementedError(".authenticate() must be overridden.")`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
Add docs for 401 vs 403 responses 2012-10-17 17:59:53 +04:00			`def authenticate_header(self, request):`
			`"""`
			Return a string to be used as the value of the `WWW-Authenticate`
			header in a `401 Unauthenticated` response, or `None` if the
			authentication scheme should return `403 Permission Denied` responses.
			`"""`
			`pass`

Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
			`class BasicAuthentication(BaseAuthentication):`
			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			`HTTP Basic authentication against username/password.`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00			`www_authenticate_realm = 'api'`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
			`def authenticate(self, request):`
			`"""`
			Returns a `User` if a correct username and password have been supplied
			using HTTP Basic authentication. Otherwise returns `None`.
			`"""`
More bits of cleanup 2013-03-09 00:23:11 +04:00			`auth = get_authorization_header(request).split()`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00
3.2, 3.3 compat 2013-02-01 18:03:28 +04:00			`if not auth or auth[0].lower() != b'basic':`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00			`return None`

More bits of cleanup 2013-03-09 00:23:11 +04:00			`if len(auth) == 1:`
prefer single quotes in source and double quotes in user visible strings; add some missing full stops to user visible strings 2015-01-07 15:46:23 +03:00			`msg = _('Invalid basic header. No credentials provided.')`
Fixes for auth header checking. 2013-03-09 02:56:24 +04:00			`raise exceptions.AuthenticationFailed(msg)`
			`elif len(auth) > 2:`
prefer single quotes in source and double quotes in user visible strings; add some missing full stops to user visible strings 2015-01-07 15:46:23 +03:00			`msg = _('Invalid basic header. Credentials string should not contain spaces.')`
More bits of cleanup 2013-03-09 00:23:11 +04:00			`raise exceptions.AuthenticationFailed(msg)`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00
			`try:`
3.2, 3.3 compat 2013-02-01 18:03:28 +04:00			`auth_parts = base64.b64decode(auth[1]).decode(HTTP_HEADER_ENCODING).partition(':')`
			`except (TypeError, UnicodeDecodeError):`
prefer single quotes in source and double quotes in user visible strings; add some missing full stops to user visible strings 2015-01-07 15:46:23 +03:00			`msg = _('Invalid basic header. Credentials not correctly base64 encoded.')`
More bits of cleanup 2013-03-09 00:23:11 +04:00			`raise exceptions.AuthenticationFailed(msg)`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00
Merge & clean OAuth support 2013-03-07 13:01:53 +04:00			`userid, password = auth_parts[0], auth_parts[2]`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00			`return self.authenticate_credentials(userid, password)`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
			`def authenticate_credentials(self, userid, password):`
			`"""`
			`Authenticate the userid and password against username and password.`
			`"""`
Support User model in Django 1.4 that has not a USERNAME_FIELD attribute Support User model in Django 1.4 that has not a USERNAME_FIELD attribute. 2015-05-19 19:05:50 +03:00			`user_model = get_user_model()`
			`if hasattr(user_model, 'USERNAME_FIELD'):`
			`username_field = user_model.USERNAME_FIELD`
			`else:`
			`username_field = 'username'`
Support basic authentication with custom user models that change username field Support basic authentication with custom user models with a username field that is not named 'username'. 2015-05-19 17:42:44 +03:00			`credentials = {`
Support User model in Django 1.4 that has not a USERNAME_FIELD attribute Support User model in Django 1.4 that has not a USERNAME_FIELD attribute. 2015-05-19 19:05:50 +03:00			`username_field: userid,`
Support basic authentication with custom user models that change username field Support basic authentication with custom user models with a username field that is not named 'username'. 2015-05-19 17:42:44 +03:00			`'password': password`
			`}`
			`user = authenticate(**credentials)`
Minor authentication message improvement. 2015-02-04 12:07:10 +03:00
			`if user is None:`
prefer single quotes in source and double quotes in user visible strings; add some missing full stops to user visible strings 2015-01-07 15:46:23 +03:00			`raise exceptions.AuthenticationFailed(_('Invalid username/password.'))`
Minor authentication message improvement. 2015-02-04 12:07:10 +03:00
			`if not user.is_active:`
			`raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))`

More bits of cleanup 2013-03-09 00:23:11 +04:00			`return (user, None)`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00
WWW-Authenticate responses 2013-01-22 01:29:49 +04:00			`def authenticate_header(self, request):`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00			`return 'Basic realm="%s"' % self.www_authenticate_realm`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00

			`class SessionAuthentication(BaseAuthentication):`
			`"""`
			`Use Django's session framework for authentication.`
			`"""`

			`def authenticate(self, request):`
			`"""`
Tweak parsers to take parser_context 2012-10-15 16:27:50 +04:00			Returns a `User` if the request session currently has a logged in user.
			Otherwise returns `None`.
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00			`"""`
Fix session auth 2012-10-10 19:36:25 +04:00
			`# Get the underlying HttpRequest object`
Simplify APIClient implementation 2013-06-30 00:34:47 +04:00			`request = request._request`
			`user = getattr(request, 'user', None)`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
Explicit CSRF failure message. Fixes #60. 2012-10-15 17:03:36 +04:00			`# Unauthenticated, CSRF validation not required`
			`if not user or not user.is_active:`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00			`return None`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
Simplify APIClient implementation 2013-06-30 00:34:47 +04:00			`self.enforce_csrf(request)`
Refactor SessionAuthentication slightly 2013-06-29 11:14:05 +04:00
			`# CSRF passed with authenticated user`
			`return (user, None)`
Explicit CSRF failure message. Fixes #60. 2012-10-15 17:03:36 +04:00
Refactor SessionAuthentication slightly 2013-06-29 11:14:05 +04:00			`def enforce_csrf(self, request):`
			`"""`
			`Enforce CSRF validation for session based authentication.`
			`"""`
			`reason = CSRFCheck().process_view(request, None, (), {})`
Explicit CSRF failure message. Fixes #60. 2012-10-15 17:03:36 +04:00			`if reason:`
			`# CSRF failed, bail with explicit error message`
Changed return status for CSRF failures to HTTP 403 By default, Django returns "HTTP 403 Forbidden" responses when CSRF validation failed[1]. CSRF is a case of authorization, not of authentication. Therefore `PermissionDenied` should be raised instead of `AuthenticationFailed`. [1] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#rejected-requests 2014-06-02 02:41:58 +04:00			`raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)`
Explicit CSRF failure message. Fixes #60. 2012-10-15 17:03:36 +04:00
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
			`class TokenAuthentication(BaseAuthentication):`
			`"""`
			`Simple token based authentication.`

			`Clients should authenticate by passing the token key in the "Authorization"`
			`HTTP header, prepended with the string "Token ". For example:`

			`Authorization: Token 401f7ac837da42b97f613d789819ff93537bee6a`
			`"""`

			`model = Token`
			`"""`
			`A custom token model may be used, but must have the following properties.`

			`* key -- The string identifying the token`
			`* user -- The user to which the token belongs`
			`"""`

			`def authenticate(self, request):`
More bits of cleanup 2013-03-09 00:23:11 +04:00			`auth = get_authorization_header(request).split()`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:06:27 +04:00
Fixes for auth header checking. 2013-03-09 02:56:24 +04:00			`if not auth or auth[0].lower() != b'token':`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00			`return None`

More bits of cleanup 2013-03-09 00:23:11 +04:00			`if len(auth) == 1:`
prefer single quotes in source and double quotes in user visible strings; add some missing full stops to user visible strings 2015-01-07 15:46:23 +03:00			`msg = _('Invalid token header. No credentials provided.')`
Fixes for auth header checking. 2013-03-09 02:56:24 +04:00			`raise exceptions.AuthenticationFailed(msg)`
			`elif len(auth) > 2:`
prefer single quotes in source and double quotes in user visible strings; add some missing full stops to user visible strings 2015-01-07 15:46:23 +03:00			`msg = _('Invalid token header. Token string should not contain spaces.')`
More bits of cleanup 2013-03-09 00:23:11 +04:00			`raise exceptions.AuthenticationFailed(msg)`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00
			`return self.authenticate_credentials(auth[1])`

			`def authenticate_credentials(self, key):`
			`try:`
Prefetching the user object when getting the token in TokenAuthentication. Since the user object is fetched 4 lines after getting Token from the database, this removes a DB query for each token-authenticated request. 2015-02-04 17:08:41 +03:00			`token = self.model.objects.select_related('user').get(key=key)`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00			`except self.model.DoesNotExist:`
prefer single quotes in source and double quotes in user visible strings; add some missing full stops to user visible strings 2015-01-07 15:46:23 +03:00			`raise exceptions.AuthenticationFailed(_('Invalid token.'))`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00
More bits of cleanup 2013-03-09 00:23:11 +04:00			`if not token.user.is_active:`
prefer single quotes in source and double quotes in user visible strings; add some missing full stops to user visible strings 2015-01-07 15:46:23 +03:00			`raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))`
More bits of cleanup 2013-03-09 00:23:11 +04:00
			`return (token.user, token)`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00
WWW-Authenticate responses 2013-01-22 01:29:49 +04:00			`def authenticate_header(self, request):`
Implementing 401 vs 403 responses 2012-11-13 15:27:09 +04:00			`return 'Token'`