encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2025-07-14 18:22:19 +03:00
Code Issues Packages Projects Releases Wiki Activity

Implementing 401 vs 403 responses

Browse Source
This commit is contained in:
Tom Christie 2012-11-13 11:27:09 +00:00
parent 957700ecfb
commit 873a142af2
3 changed files with 67 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
rest_framework/authentication.py
View File

@ -34,27 +34,33 @@ class BasicAuthentication(BaseAuthentication):
""" """
HTTP Basic authentication against username/password. HTTP Basic authentication against username/password.
""" """
www_authenticate_realm = 'api'
def authenticate(self, request): def authenticate(self, request):
""" """
Returns a `User` if a correct username and password have been supplied Returns a `User` if a correct username and password have been supplied
using HTTP Basic authentication. Otherwise returns `None`. using HTTP Basic authentication. Otherwise returns `None`.
""" """
if 'HTTP_AUTHORIZATION' in request.META: auth = request.META.get('HTTP_AUTHORIZATION', '').split()
auth = request.META['HTTP_AUTHORIZATION'].split()
if len(auth) == 2 and auth[0].lower() == "basic":
try:
auth_parts = base64.b64decode(auth[1]).partition(':')
except TypeError:
return None
try: if not auth or auth[0].lower() != "basic":
userid = smart_unicode(auth_parts[0]) return None
password = smart_unicode(auth_parts[2])
except DjangoUnicodeDecodeError:
return None
return self.authenticate_credentials(userid, password) if len(auth) != 2:
raise exceptions.AuthenticationFailed('Invalid basic header')
try:
auth_parts = base64.b64decode(auth[1]).partition(':')
except TypeError:
raise exceptions.AuthenticationFailed('Invalid basic header')
try:
userid = smart_unicode(auth_parts[0])
password = smart_unicode(auth_parts[2])
except DjangoUnicodeDecodeError:
raise exceptions.AuthenticationFailed('Invalid basic header')
return self.authenticate_credentials(userid, password)
def authenticate_credentials(self, userid, password): def authenticate_credentials(self, userid, password):
""" """
@ -63,6 +69,10 @@ class BasicAuthentication(BaseAuthentication):
user = authenticate(username=userid, password=password) user = authenticate(username=userid, password=password)
if user is not None and user.is_active: if user is not None and user.is_active:
return (user, None) return (user, None)
raise exceptions.AuthenticationFailed('Invalid username/password')
def authenticate_header(self):
return 'Basic realm="%s"' % self.www_authenticate_realm
class SessionAuthentication(BaseAuthentication): class SessionAuthentication(BaseAuthentication):
@ -82,7 +92,7 @@ class SessionAuthentication(BaseAuthentication):
# Unauthenticated, CSRF validation not required # Unauthenticated, CSRF validation not required
if not user or not user.is_active: if not user or not user.is_active:
return return None
# Enforce CSRF validation for session based authentication. # Enforce CSRF validation for session based authentication.
class CSRFCheck(CsrfViewMiddleware): class CSRFCheck(CsrfViewMiddleware):
@ -93,7 +103,7 @@ class SessionAuthentication(BaseAuthentication):
reason = CSRFCheck().process_view(http_request, None, (), {}) reason = CSRFCheck().process_view(http_request, None, (), {})
if reason: if reason:
# CSRF failed, bail with explicit error message # CSRF failed, bail with explicit error message
raise exceptions.PermissionDenied('CSRF Failed: %s' % reason) raise exceptions.AuthenticationFailed('CSRF Failed: %s' % reason)
# CSRF passed with authenticated user # CSRF passed with authenticated user
return (user, None) return (user, None)
@ -120,14 +130,26 @@ class TokenAuthentication(BaseAuthentication):
def authenticate(self, request): def authenticate(self, request):
auth = request.META.get('HTTP_AUTHORIZATION', '').split() auth = request.META.get('HTTP_AUTHORIZATION', '').split()
if len(auth) == 2 and auth[0].lower() == "token": if not auth or auth[0].lower() != "token":
key = auth[1] return None
try:
token = self.model.objects.get(key=key) if len(auth) != 2:
except self.model.DoesNotExist: raise exceptions.AuthenticationFailed('Invalid token header')
return None
return self.authenticate_credentials(auth[1])
def authenticate_credentials(self, key):
try:
token = self.model.objects.get(key=key)
except self.model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')
if token.user.is_active:
return (token.user, token)
raise exceptions.AuthenticationFailed('User inactive or deleted')
def authenticate_header(self):
return 'Token'
if token.user.is_active:
return (token.user, token)
# TODO: OAuthAuthentication # TODO: OAuthAuthentication

29
rest_framework/request.py
View File

@ -86,6 +86,7 @@ class Request(object):
self._method = Empty self._method = Empty
self._content_type = Empty self._content_type = Empty
self._stream = Empty self._stream = Empty
self._authenticator = None
if self.parser_context is None: if self.parser_context is None:
self.parser_context = {} self.parser_context = {}
@ -166,7 +167,7 @@ class Request(object):
by the authentication classes provided to the request. by the authentication classes provided to the request.
""" """
if not hasattr(self, '_user'): if not hasattr(self, '_user'):
self._user, self._auth = self._authenticate() self._authenticator, self._user, self._auth = self._authenticate()
return self._user return self._user
@property @property
@ -176,9 +177,17 @@ class Request(object):
request, such as an authentication token. request, such as an authentication token.
""" """
if not hasattr(self, '_auth'): if not hasattr(self, '_auth'):
self._user, self._auth = self._authenticate() self._authenticator, self._user, self._auth = self._authenticate()
return self._auth return self._auth
@property
def successful_authenticator(self):
"""
Return the instance of the authentication instance class that was used
to authenticate the request, or `None`.
"""
return self._authenticator
def _load_data_and_files(self): def _load_data_and_files(self):
""" """
Parses the request content into self.DATA and self.FILES. Parses the request content into self.DATA and self.FILES.
@ -282,21 +291,23 @@ class Request(object):
def _authenticate(self): def _authenticate(self):
""" """
Attempt to authenticate the request using each authentication instance in turn. Attempt to authenticate the request using each authentication instance
Returns a two-tuple of (user, authtoken). in turn.
Returns a three-tuple of (authenticator, user, authtoken).
""" """
for authenticator in self.authenticators: for authenticator in self.authenticators:
user_auth_tuple = authenticator.authenticate(self) user_auth_tuple = authenticator.authenticate(self)
if not user_auth_tuple is None: if not user_auth_tuple is None:
return user_auth_tuple user, auth = user_auth_tuple
return (authenticator, user, auth)
return self._not_authenticated() return self._not_authenticated()
def _not_authenticated(self): def _not_authenticated(self):
""" """
Return a two-tuple of (user, authtoken), representing an Return a three-tuple of (authenticator, user, authtoken), representing
unauthenticated request. an unauthenticated request.
By default this will be (AnonymousUser, None). By default this will be (None, AnonymousUser, None).
""" """
if api_settings.UNAUTHENTICATED_USER: if api_settings.UNAUTHENTICATED_USER:
user = api_settings.UNAUTHENTICATED_USER() user = api_settings.UNAUTHENTICATED_USER()
@ -308,7 +319,7 @@ class Request(object):
else: else:
auth = None auth = None
return (user, auth) return (None, user, auth)
def __getattr__(self, attr): def __getattr__(self, attr):
""" """

2
rest_framework/views.py
View File

@ -148,6 +148,8 @@ class APIView(View):
""" """
If request is not permitted, determine what kind of exception to raise. If request is not permitted, determine what kind of exception to raise.
""" """
if self.request.successful_authenticator:
raise exceptions.NotAuthenticated()
raise exceptions.PermissionDenied() raise exceptions.PermissionDenied()
def throttled(self, request, wait): def throttled(self, request, wait):