Merge b2cea84fae into 9b56616750

2025-07-29 01:20:02 +03:00 · 2013-03-27 15:01:46 -07:00 · 2013-03-27 15:01:46 -07:00 · 3b5280de00
commit 3b5280de00
parent 9b56616750 b2cea84fae
3 changed files with 24 additions and 25 deletions
--- a/docs/api-guide/authentication.md
+++ b/docs/api-guide/authentication.md
@ -294,7 +294,7 @@ The only thing needed to make the `OAuth2Authentication` class work is to insert

 The command line to test the authentication looks like:

-    curl -H "Authorization: Bearer <your-access-token>" http://localhost:8000/api/?client_id=YOUR_CLIENT_ID\&client_secret=YOUR_CLIENT_SECRET
+    curl -H "Authorization: Bearer <your-access-token>" http://localhost:8000/api/

 ---

--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@ -2,14 +2,16 @@
 Provides a set of pluggable authentication policies.
 """
 from __future__ import unicode_literals
+import base64
+from datetime import datetime
+
 from django.contrib.auth import authenticate
 from django.core.exceptions import ImproperlyConfigured
 from rest_framework import exceptions, HTTP_HEADER_ENCODING
 from rest_framework.compat import CsrfViewMiddleware
 from rest_framework.compat import oauth, oauth_provider, oauth_provider_store
-from rest_framework.compat import oauth2_provider, oauth2_provider_forms, oauth2_provider_backends
+from rest_framework.compat import oauth2_provider, oauth2_provider_forms
 from rest_framework.authtoken.models import Token
-import base64


 def get_authorization_header(request):
@ -315,21 +317,15 @@ class OAuth2Authentication(BaseAuthentication):
        Authenticate the request, given the access token.
        """

-        # Authenticate the client
-        oauth2_client_form = oauth2_provider_forms.ClientAuthForm(request.REQUEST)
-        if not oauth2_client_form.is_valid():
-            raise exceptions.AuthenticationFailed('Client could not be validated')
-        client = oauth2_client_form.cleaned_data.get('client')
-
-        # Retrieve the `OAuth2AccessToken` instance from the access_token
-        auth_backend = oauth2_provider_backends.AccessTokenBackend()
-        token = auth_backend.authenticate(access_token, client)
-        if token is None:
+        try:
+            token = oauth2_provider.models.AccessToken.objects.select_related('user')
+            # TODO: Change to timezone aware datetime when oauth2_provider add
+            # support to it.
+            token = token.get(token=access_token, expires__gt=datetime.now())
+        except oauth2_provider.models.AccessToken.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

-        user = token.user
-
-        if not user.is_active:
+        if not token.user.is_active:
            msg = 'User inactive or deleted: %s' % user.username
            raise exceptions.AuthenticationFailed(msg)

--- a/rest_framework/tests/authentication.py
+++ b/rest_framework/tests/authentication.py
@ -499,15 +499,6 @@ class OAuth2Tests(TestCase):
        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
        self.assertEqual(response.status_code, 401)

-    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
-    def test_get_form_with_wrong_client_data_failing_auth(self):
-        """Ensure GETing form over OAuth with incorrect client credentials fails"""
-        auth = self._create_authorization_header()
-        params = self._client_credentials_params()
-        params['client_id'] += 'a'
-        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
-        self.assertEqual(response.status_code, 401)
-
    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
    def test_get_form_passing_auth(self):
        """Ensure GETing form over OAuth with correct client credentials succeed"""
@ -516,6 +507,18 @@ class OAuth2Tests(TestCase):
        response = self.csrf_client.get('/oauth2-test/', params, HTTP_AUTHORIZATION=auth)
        self.assertEqual(response.status_code, 200)

+    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
+    def test_get_form_passing_auth_without_client_params(self):
+        """
+        Ensure GETing form over OAuth without client credentials
+
+        Regression test for issue #759:
+        https://github.com/tomchristie/django-rest-framework/issues/759
+        """
+        auth = self._create_authorization_header()
+        response = self.csrf_client.get('/oauth2-test/', HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 200)
+
    @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
    def test_post_form_passing_auth(self):
        """Ensure POSTing form over OAuth with correct credentials passes and does not require CSRF"""