"""
The :mod:`authentication` module provides a set of pluggable authentication classes.
Authentication behavior is provided by mixing the :class:`mixins.AuthMixin` class into a :class:`View` class.
The set of authentication methods to use is then specified by setting the
:attr:`authentication` attribute on the :class:`View` class to a list of :class:`authentication` classes.
"""
from django.contrib.auth import authenticate
from django.middleware.csrf import CsrfViewMiddleware
from djangorestframework.utils import as_tuple
import base64
# Names exported by ``from djangorestframework.authentication import *``.
__all__ = ('BaseAuthentication', 'BasicAuthentication', 'UserLoggedInAuthentication')
class BaseAuthentication(object):
    """
    Base class for every authentication class; concrete classes extend it
    and override :meth:`authenticate`.
    """

    def __init__(self, view):
        """
        Store the :class:`View` the authentication class was created for;
        every :class:`Authentication` instance is constructed with the current view.
        """
        self.view = view

    def authenticate(self, request):
        """
        Authenticate :obj:`request` and return a :obj:`User` or :const:`None`. [*]_

        The base implementation authenticates nothing and always returns
        :const:`None`.

        .. [*] The authentication context is *usually* a :obj:`User`, but any
           user-like object will do, provided the permissions classes on the
           view (see the :mod:`permissions` module) can consume it to decide
           whether the request is allowed. That matters for token based
           schemes, where the authentication context can be richer than a
           plain mapping to a :obj:`User`.
        """
        return None
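class BasicAuthentication(BaseAuthentication):
    """
    Use HTTP Basic authentication.
    """

    def authenticate(self, request):
        """
        Returns a :obj:`User` if a correct username and password have been supplied
        using HTTP Basic authentication. Otherwise returns :const:`None`.

        Every kind of malformed ``Authorization`` header (wrong scheme, wrong
        number of tokens, undecodable base64, credentials that are not valid
        unicode) is treated as "no credentials supplied" and yields
        :const:`None` instead of an exception, so an untrusted client cannot
        turn a bad header into a server error. Inactive accounts are rejected
        even when the password is correct.
        """
        from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError

        header = request.META.get('HTTP_AUTHORIZATION')
        if header is None:
            return None

        auth = header.split()
        # Expect exactly "Basic <base64>"; the scheme token is case-insensitive.
        if len(auth) != 2 or auth[0].lower() != 'basic':
            return None

        try:
            # Basic auth user-ids cannot contain ':' but passwords may, so
            # split on the first colon only: partition gives (user, ':', rest).
            uname_raw, _, passwd_raw = base64.b64decode(auth[1]).partition(':')
        except (TypeError, ValueError):
            # Python 2 raises TypeError on bad padding; Python 3 raises
            # binascii.Error (a ValueError) on bad padding or non-ASCII input.
            # Either way the client sent garbage, not an internal error.
            return None

        try:
            uname, passwd = smart_unicode(uname_raw), smart_unicode(passwd_raw)
        except DjangoUnicodeDecodeError:
            return None

        user = authenticate(username=uname, password=passwd)
        if user is not None and user.is_active:
            return user
        return None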
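class UserLoggedInAuthentication(BaseAuthentication):
    """
    Use Django's session framework for authentication.
    """
    # When True, a POST from a session-authenticated user must also carry a
    # valid CSRF token; the session cookie alone is not accepted.
    check_csrf = True

    def authenticate(self, request):
        """
        Returns a :obj:`User` if the request session currently has a logged in user.
        Otherwise returns :const:`None`.

        When :attr:`check_csrf` is set, a POST from a logged-in user is also
        run through :class:`CsrfViewMiddleware`; if that check fails the
        request is treated as unauthenticated (:const:`None`), so a session
        cookie cannot be replayed from another origin without the token.

        NOTE(review): only ``POST`` is CSRF-checked here; other
        state-changing methods reach the view on the session cookie alone.
        Confirm that is intended for the views using this class.
        """
        # TODO: Switch this back to request.POST, and let FormParser/MultiPartParser deal with the consequences.
        if not (getattr(request, 'user', None) and request.user.is_active):
            return None

        # If this is a POST request we enforce CSRF validation.
        if request.method.upper() == 'POST' and self.check_csrf:
            # Temporarily replace request.POST with the view's parsed DATA so
            # the middleware looks for the CSRF token in whatever body format
            # our more generic request parsing produced.
            request._post = self.view.DATA
            try:
                resp = CsrfViewMiddleware().process_view(request, None, (), {})
            finally:
                # Always undo the substitution, even if process_view raises,
                # so a half-patched request never escapes this method.
                del request._post
            if resp is not None:  # csrf failed
                return None
        return request.user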
# TODO: TokenAuthentication, DigestAuthentication, OAuthAuthentication