From f3e65eab6b60a23eeed2178db4f6034ce2c6ac3d Mon Sep 17 00:00:00 2001 From: Mjumbe Wawatu Poe Date: Fri, 7 Sep 2012 12:53:39 -0400 Subject: [PATCH 1/8] Add a TokenAuthentication class in a sub-application --- djangorestframework/runtests/settings.py | 1 + djangorestframework/tests/authentication.py | 42 +++++++++++++++++++ djangorestframework/tokenauth/__init__.py | 0 .../tokenauth/authentication.py | 33 +++++++++++++++ djangorestframework/tokenauth/models.py | 19 +++++++++ 5 files changed, 95 insertions(+) create mode 100644 djangorestframework/tokenauth/__init__.py create mode 100644 djangorestframework/tokenauth/authentication.py create mode 100644 djangorestframework/tokenauth/models.py diff --git a/djangorestframework/runtests/settings.py b/djangorestframework/runtests/settings.py index 7cb3e27b2..1fc6b47b0 100644 --- a/djangorestframework/runtests/settings.py +++ b/djangorestframework/runtests/settings.py @@ -90,6 +90,7 @@ INSTALLED_APPS = ( # Uncomment the next line to enable admin documentation: # 'django.contrib.admindocs', 'djangorestframework', + 'djangorestframework.tokenauth', ) STATIC_URL = '/static/' diff --git a/djangorestframework/tests/authentication.py b/djangorestframework/tests/authentication.py index 791947181..2806da36a 100644 --- a/djangorestframework/tests/authentication.py +++ b/djangorestframework/tests/authentication.py @@ -8,6 +8,9 @@ from django.http import HttpResponse from djangorestframework.views import APIView from djangorestframework import permissions +from djangorestframework.tokenauth.models import Token +from djangorestframework.tokenauth.authentication import TokenAuthentication + import base64 @@ -20,6 +23,8 @@ class MockView(APIView): def put(self, request): return HttpResponse({'a': 1, 'b': 2, 'c': 3}) +MockView.authentication += (TokenAuthentication,) + urlpatterns = patterns('', (r'^$', MockView.as_view()), ) @@ -104,3 +109,40 @@ class SessionAuthTests(TestCase): """ response = self.csrf_client.post('/', {'example': 'example'}) self.assertEqual(response.status_code, 403) + + +class TokenAuthTests(TestCase): + """Token authentication""" + urls = 'djangorestframework.tests.authentication' + + def setUp(self): + self.csrf_client = Client(enforce_csrf_checks=True) + self.username = 'john' + self.email = 'lennon@thebeatles.com' + self.password = 'password' + self.user = User.objects.create_user(self.username, self.email, self.password) + + self.key = 'abcd1234' + self.token = Token.objects.create(key=self.key, user=self.user) + + def test_post_form_passing_token_auth(self): + """Ensure POSTing json over token auth with correct credentials passes and does not require CSRF""" + auth = self.key + response = self.csrf_client.post('/', {'example': 'example'}, HTTP_AUTHORIZATION=auth) + self.assertEqual(response.status_code, 200) + + def test_post_json_passing_token_auth(self): + """Ensure POSTing form over token auth with correct credentials passes and does not require CSRF""" + auth = self.key + response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth) + self.assertEqual(response.status_code, 200) + + def test_post_form_failing_token_auth(self): + """Ensure POSTing form over token auth without correct credentials fails""" + response = self.csrf_client.post('/', {'example': 'example'}) + self.assertEqual(response.status_code, 403) + + def test_post_json_failing_token_auth(self): + """Ensure POSTing json over token auth without correct credentials fails""" + response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json') + self.assertEqual(response.status_code, 403) diff --git a/djangorestframework/tokenauth/__init__.py b/djangorestframework/tokenauth/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/djangorestframework/tokenauth/authentication.py b/djangorestframework/tokenauth/authentication.py new file mode 100644 index 000000000..35d562115 --- /dev/null +++ b/djangorestframework/tokenauth/authentication.py @@ -0,0 +1,33 @@ +from djangorestframework.authentication import BaseAuthentication +from .models import Token + +class TokenAuthentication(BaseAuthentication): + """ + Use a token model for authentication. + + A custom token model may be used here, but must have the following minimum + properties: + + * key -- The string identifying the token + * user -- The user to which the token belongs + * revoked -- The status of the token + + The BaseToken class is available as an abstract model to be derived from. + + The token key should be passed in as a string to the "Authorization" HTTP + header. + """ + model = Token + + def authenticate(self, request): + key = request.META.get('HTTP_AUTHORIZATION', '').strip() + if not key: + return None + + try: + token = self.model.objects.get(key=key) + except self.model.DoesNotExist: + return None + + if token.user.is_active and not token.revoked: + return (token.user, token) diff --git a/djangorestframework/tokenauth/models.py b/djangorestframework/tokenauth/models.py new file mode 100644 index 000000000..3b9a55bcf --- /dev/null +++ b/djangorestframework/tokenauth/models.py @@ -0,0 +1,19 @@ +from django.db import models + +class BaseToken(models.Model): + """ + The base abstract authorization token model class. + """ + key = models.CharField(max_length=32, primary_key=True) + user = models.ForeignKey('auth.User') + revoked = models.BooleanField(default=False) + + class Meta: + abstract=True + + +class Token(BaseToken): + """ + The default authorization token model class. + """ + pass From 5a3874ee112490937f83fa5700899f3631a14128 Mon Sep 17 00:00:00 2001 From: Mjumbe Wawatu Poe Date: Fri, 7 Sep 2012 13:15:24 -0400 Subject: [PATCH 2/8] Create a key by default if none is specified --- djangorestframework/tests/authentication.py | 5 +++++ djangorestframework/tokenauth/models.py | 8 +++++++- djangorestframework/tokenauth/views.py | 0 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 djangorestframework/tokenauth/views.py diff --git a/djangorestframework/tests/authentication.py b/djangorestframework/tests/authentication.py index 2806da36a..fb9996be4 100644 --- a/djangorestframework/tests/authentication.py +++ b/djangorestframework/tests/authentication.py @@ -146,3 +146,8 @@ class TokenAuthTests(TestCase): """Ensure POSTing json over token auth without correct credentials fails""" response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json') self.assertEqual(response.status_code, 403) + + def test_token_has_auto_assigned_key_if_none_provided(self): + """Ensure creating a token with no key will auto-assign a key""" + token = Token.objects.create(user=self.user) + self.assertEqual(len(token.key), 32) diff --git a/djangorestframework/tokenauth/models.py b/djangorestframework/tokenauth/models.py index 3b9a55bcf..b5a9f7b92 100644 --- a/djangorestframework/tokenauth/models.py +++ b/djangorestframework/tokenauth/models.py @@ -1,16 +1,22 @@ +import uuid from django.db import models class BaseToken(models.Model): """ The base abstract authorization token model class. """ - key = models.CharField(max_length=32, primary_key=True) + key = models.CharField(max_length=32, primary_key=True, blank=True) user = models.ForeignKey('auth.User') revoked = models.BooleanField(default=False) class Meta: abstract=True + def save(self, *args, **kwargs): + if not self.key: + self.key = uuid.uuid4().hex + return super(BaseToken, self).save(*args, **kwargs) + class Token(BaseToken): """ diff --git a/djangorestframework/tokenauth/views.py b/djangorestframework/tokenauth/views.py new file mode 100644 index 000000000..e69de29bb From 7f98741939ef9f919fe3c1fab9ecdd4d867543f6 Mon Sep 17 00:00:00 2001 From: Mjumbe Wawatu Poe Date: Fri, 7 Sep 2012 14:07:35 -0400 Subject: [PATCH 3/8] Use "Token" as the scheme for token auth --- djangorestframework/tests/authentication.py | 4 ++-- .../tokenauth/authentication.py | 23 +++++++++++-------- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/djangorestframework/tests/authentication.py b/djangorestframework/tests/authentication.py index fb9996be4..da003a053 100644 --- a/djangorestframework/tests/authentication.py +++ b/djangorestframework/tests/authentication.py @@ -127,13 +127,13 @@ class TokenAuthTests(TestCase): def test_post_form_passing_token_auth(self): """Ensure POSTing json over token auth with correct credentials passes and does not require CSRF""" - auth = self.key + auth = 'Token %s' % self.key response = self.csrf_client.post('/', {'example': 'example'}, HTTP_AUTHORIZATION=auth) self.assertEqual(response.status_code, 200) def test_post_json_passing_token_auth(self): """Ensure POSTing form over token auth with correct credentials passes and does not require CSRF""" - auth = self.key + auth = 'Token %s' % self.key response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth) self.assertEqual(response.status_code, 200) diff --git a/djangorestframework/tokenauth/authentication.py b/djangorestframework/tokenauth/authentication.py index 35d562115..167edf96f 100644 --- a/djangorestframework/tokenauth/authentication.py +++ b/djangorestframework/tokenauth/authentication.py @@ -15,19 +15,22 @@ class TokenAuthentication(BaseAuthentication): The BaseToken class is available as an abstract model to be derived from. The token key should be passed in as a string to the "Authorization" HTTP - header. + header. For example: + + Authorization: Token 0123456789abcdef0123456789abcdef + """ model = Token def authenticate(self, request): - key = request.META.get('HTTP_AUTHORIZATION', '').strip() - if not key: - return None + auth = request.META.get('HTTP_AUTHORIZATION', '').strip().split() + if len(auth) == 2 and auth[0].lower() == "token": + key = auth[1] - try: - token = self.model.objects.get(key=key) - except self.model.DoesNotExist: - return None + try: + token = self.model.objects.get(key=key) + except self.model.DoesNotExist: + return None - if token.user.is_active and not token.revoked: - return (token.user, token) + if token.user.is_active and not token.revoked: + return (token.user, token) From 36cd91bbbe6bc0aeef9b1eb711415988f5c4e501 Mon Sep 17 00:00:00 2001 From: Mjumbe Wawatu Poe Date: Fri, 7 Sep 2012 14:12:46 -0400 Subject: [PATCH 4/8] Update docs for tokenauth --- docs/api-guide/authentication.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md index ed7ac2880..c5e4c1ccb 100644 --- a/docs/api-guide/authentication.md +++ b/docs/api-guide/authentication.md @@ -8,7 +8,7 @@ Authentication will run the first time either the `request.user` or `request.aut The `request.user` property will typically be set to an instance of the `contrib.auth` package's `User` class. -The `request.auth` property is used for any additional authentication information, for example, it may be used to represent an authentication token that the request was signed with. +The `request.auth` property is used for any additional authentication information, for example, it may be used to represent an authentication token that the request was signed with. ## How authentication is determined @@ -36,7 +36,7 @@ You can also set the authentication policy on a per-view basis, using the `APIVi def get(self, request, format=None): content = { - 'user': unicode(request.user), # `django.contrib.auth.User` instance. + 'user': unicode(request.user), # `django.contrib.auth.User` instance. 'auth': unicode(request.auth), # None } return Response(content) @@ -49,7 +49,7 @@ Or, if you're using the `@api_view` decorator with function based views. ) def example_view(request, format=None): content = { - 'user': unicode(request.user), # `django.contrib.auth.User` instance. + 'user': unicode(request.user), # `django.contrib.auth.User` instance. 'auth': unicode(request.auth), # None } return Response(content) @@ -65,16 +65,20 @@ If successfully authenticated, `UserBasicAuthentication` provides the following * `request.user` will be a `django.contrib.auth.models.User` instance. * `request.auth` will be `None`. -## TokenBasicAuthentication +## TokenAuthentication -This policy uses [HTTP Basic Authentication][basicauth], signed against a token key and secret. Token basic authentication is appropriate for client-server setups, such as native desktop and mobile clients. +This policy uses [HTTP Authentication][basicauth] with a custom authentication scheme called "Token". Token basic authentication is appropriate for client-server setups, such as native desktop and mobile clients. The token key should be passed in as a string to the "Authorization" HTTP header. For example: -**Note:** If you run `TokenBasicAuthentication` in production your API must be `https` only, or it will be completely insecure. + curl http://my.api.org/ -X POST -H "Authorization: Token 0123456789abcdef0123456789abcdef" -If successfully authenticated, `TokenBasicAuthentication` provides the following credentials. +**Note:** If you run `TokenAuthentication` in production your API must be `https` only, or it will be completely insecure. + +If successfully authenticated, `TokenAuthentication` provides the following credentials. * `request.user` will be a `django.contrib.auth.models.User` instance. -* `request.auth` will be a `djangorestframework.models.BasicToken` instance. +* `request.auth` will be a `djangorestframework.tokenauth.models.Token` instance. + +To use the `TokenAuthentication` scheme, you must have a token model. Django REST Framework comes with a minimal default token model. To use it, include `djangorestframework.tokenauth` in your installed applications. To use your own token model, subclass the `djangorestframework.tokenauth.authentication.TokenAuthentication` class and specify a `model` attribute that references your custom token model. The token model must provide `user`, `key`, and `revoked` attributes. For convenience, the `djangorestframework.tokenauth.models.BaseToken` abstract model implements this minimum contract, and also randomly populates the key field when none is provided. ## OAuthAuthentication From 3b1404bd7d37d8c60cf45071852f86eea8d4c68f Mon Sep 17 00:00:00 2001 From: Mjumbe Wawatu Poe Date: Fri, 7 Sep 2012 14:23:53 -0400 Subject: [PATCH 5/8] Rename the default token class to "BasicToken" --- djangorestframework/tests/authentication.py | 6 +++--- djangorestframework/tokenauth/authentication.py | 4 ++-- djangorestframework/tokenauth/models.py | 2 +- docs/api-guide/authentication.md | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/djangorestframework/tests/authentication.py b/djangorestframework/tests/authentication.py index da003a053..dfed2fccc 100644 --- a/djangorestframework/tests/authentication.py +++ b/djangorestframework/tests/authentication.py @@ -8,7 +8,7 @@ from django.http import HttpResponse from djangorestframework.views import APIView from djangorestframework import permissions -from djangorestframework.tokenauth.models import Token +from djangorestframework.tokenauth.models import BasicToken from djangorestframework.tokenauth.authentication import TokenAuthentication import base64 @@ -123,7 +123,7 @@ class TokenAuthTests(TestCase): self.user = User.objects.create_user(self.username, self.email, self.password) self.key = 'abcd1234' - self.token = Token.objects.create(key=self.key, user=self.user) + self.token = BasicToken.objects.create(key=self.key, user=self.user) def test_post_form_passing_token_auth(self): """Ensure POSTing json over token auth with correct credentials passes and does not require CSRF""" @@ -149,5 +149,5 @@ class TokenAuthTests(TestCase): def test_token_has_auto_assigned_key_if_none_provided(self): """Ensure creating a token with no key will auto-assign a key""" - token = Token.objects.create(user=self.user) + token = BasicToken.objects.create(user=self.user) self.assertEqual(len(token.key), 32) diff --git a/djangorestframework/tokenauth/authentication.py b/djangorestframework/tokenauth/authentication.py index 167edf96f..327a4a09f 100644 --- a/djangorestframework/tokenauth/authentication.py +++ b/djangorestframework/tokenauth/authentication.py @@ -1,5 +1,5 @@ from djangorestframework.authentication import BaseAuthentication -from .models import Token +from .models import BasicToken class TokenAuthentication(BaseAuthentication): """ @@ -20,7 +20,7 @@ class TokenAuthentication(BaseAuthentication): Authorization: Token 0123456789abcdef0123456789abcdef """ - model = Token + model = BasicToken def authenticate(self, request): auth = request.META.get('HTTP_AUTHORIZATION', '').strip().split() diff --git a/djangorestframework/tokenauth/models.py b/djangorestframework/tokenauth/models.py index b5a9f7b92..81d98863f 100644 --- a/djangorestframework/tokenauth/models.py +++ b/djangorestframework/tokenauth/models.py @@ -18,7 +18,7 @@ class BaseToken(models.Model): return super(BaseToken, self).save(*args, **kwargs) -class Token(BaseToken): +class BasicToken(BaseToken): """ The default authorization token model class. """ diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md index c5e4c1ccb..c5b7ac9c2 100644 --- a/docs/api-guide/authentication.md +++ b/docs/api-guide/authentication.md @@ -76,7 +76,7 @@ This policy uses [HTTP Authentication][basicauth] with a custom authentication s If successfully authenticated, `TokenAuthentication` provides the following credentials. * `request.user` will be a `django.contrib.auth.models.User` instance. -* `request.auth` will be a `djangorestframework.tokenauth.models.Token` instance. +* `request.auth` will be a `djangorestframework.tokenauth.models.BasicToken` instance. To use the `TokenAuthentication` scheme, you must have a token model. Django REST Framework comes with a minimal default token model. To use it, include `djangorestframework.tokenauth` in your installed applications. To use your own token model, subclass the `djangorestframework.tokenauth.authentication.TokenAuthentication` class and specify a `model` attribute that references your custom token model. The token model must provide `user`, `key`, and `revoked` attributes. For convenience, the `djangorestframework.tokenauth.models.BaseToken` abstract model implements this minimum contract, and also randomly populates the key field when none is provided. From 10450bafc9d98f022e0f0a5246a7fb1c7e53dc39 Mon Sep 17 00:00:00 2001 From: Mjumbe Wawatu Poe Date: Fri, 7 Sep 2012 15:45:34 -0400 Subject: [PATCH 6/8] Fix renderer tests. - All MockViews return Response objects - Only one urlpatterns attribute in the module - Renamed `RendererIntegrationTests` to `RendererEndToEndTests`, as the former wasn't being run locally (but it was on Travis...dunno). --- djangorestframework/tests/renderers.py | 22 +++++----------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/djangorestframework/tests/renderers.py b/djangorestframework/tests/renderers.py index 0a1cd9c70..692243e60 100644 --- a/djangorestframework/tests/renderers.py +++ b/djangorestframework/tests/renderers.py @@ -55,27 +55,27 @@ class MockView(APIView): def get(self, request, **kwargs): response = Response(DUMMYCONTENT, status=DUMMYSTATUS) - return self.render(response) + return response class MockGETView(APIView): def get(self, request, **kwargs): - return {'foo': ['bar', 'baz']} + return Response({'foo': ['bar', 'baz']}) class HTMLView(APIView): renderers = (DocumentingHTMLRenderer, ) def get(self, request, **kwargs): - return 'text' + return Response('text') class HTMLView1(APIView): renderers = (DocumentingHTMLRenderer, JSONRenderer) def get(self, request, **kwargs): - return 'text' + return Response('text') urlpatterns = patterns('', url(r'^.*\.(?P.+)$', MockView.as_view(renderers=[RendererA, RendererB])), @@ -88,7 +88,7 @@ urlpatterns = patterns('', ) -class RendererIntegrationTests(TestCase): +class RendererEndToEndTests(TestCase): """ End-to-end testing of renderers using an RendererMixin on a generic view. """ @@ -216,18 +216,6 @@ class JSONRendererTests(TestCase): self.assertEquals(strip_trailing_whitespace(content), _indented_repr) -class MockGETView(APIView): - - def get(self, request, *args, **kwargs): - return Response({'foo': ['bar', 'baz']}) - - -urlpatterns = patterns('', - url(r'^jsonp/jsonrenderer$', MockGETView.as_view(renderers=[JSONRenderer, JSONPRenderer])), - url(r'^jsonp/nojsonrenderer$', MockGETView.as_view(renderers=[JSONPRenderer])), -) - - class JSONPRendererTests(TestCase): """ Tests specific to the JSONP Renderer From f741cdae44bc455089a5ed7e1dbea4760ca97b85 Mon Sep 17 00:00:00 2001 From: Mjumbe Wawatu Poe Date: Fri, 7 Sep 2012 16:12:33 -0400 Subject: [PATCH 7/8] Move TokenAuthentication class into djangorestframework.authentication --- djangorestframework/authentication.py | 36 ++++++++++++++++++- djangorestframework/tests/authentication.py | 6 ++-- .../tokenauth/authentication.py | 36 ------------------- docs/api-guide/authentication.md | 6 ++-- 4 files changed, 41 insertions(+), 43 deletions(-) delete mode 100644 djangorestframework/tokenauth/authentication.py diff --git a/djangorestframework/authentication.py b/djangorestframework/authentication.py index 4d5a7e864..2446fbbdd 100644 --- a/djangorestframework/authentication.py +++ b/djangorestframework/authentication.py @@ -103,4 +103,38 @@ class SessionAuthentication(BaseAuthentication): return (user, None) -# TODO: TokenAuthentication, DigestAuthentication, OAuthAuthentication +class TokenAuthentication(BaseAuthentication): + """ + Use a token model for authentication. + + A custom token model may be used here, but must have the following minimum + properties: + + * key -- The string identifying the token + * user -- The user to which the token belongs + * revoked -- The status of the token + + The token key should be passed in as a string to the "Authorization" HTTP + header. For example: + + Authorization: 0123456789abcdef0123456789abcdef + + """ + model = None + + def authenticate(self, request): + key = request.META.get('HTTP_AUTHORIZATION', '').strip() + + if self.model is None: + from djangorestframework.tokenauth.models import BasicToken + self.model = BasicToken + + try: + token = self.model.objects.get(key=key) + except self.model.DoesNotExist: + return None + + if token.user.is_active and not token.revoked: + return (token.user, token) + +# TODO: DigestAuthentication, OAuthAuthentication diff --git a/djangorestframework/tests/authentication.py b/djangorestframework/tests/authentication.py index dfed2fccc..fcc8f7bad 100644 --- a/djangorestframework/tests/authentication.py +++ b/djangorestframework/tests/authentication.py @@ -9,7 +9,7 @@ from djangorestframework.views import APIView from djangorestframework import permissions from djangorestframework.tokenauth.models import BasicToken -from djangorestframework.tokenauth.authentication import TokenAuthentication +from djangorestframework.authentication import TokenAuthentication import base64 @@ -127,13 +127,13 @@ class TokenAuthTests(TestCase): def test_post_form_passing_token_auth(self): """Ensure POSTing json over token auth with correct credentials passes and does not require CSRF""" - auth = 'Token %s' % self.key + auth = self.key response = self.csrf_client.post('/', {'example': 'example'}, HTTP_AUTHORIZATION=auth) self.assertEqual(response.status_code, 200) def test_post_json_passing_token_auth(self): """Ensure POSTing form over token auth with correct credentials passes and does not require CSRF""" - auth = 'Token %s' % self.key + auth = self.key response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth) self.assertEqual(response.status_code, 200) diff --git a/djangorestframework/tokenauth/authentication.py b/djangorestframework/tokenauth/authentication.py deleted file mode 100644 index 327a4a09f..000000000 --- a/djangorestframework/tokenauth/authentication.py +++ /dev/null @@ -1,36 +0,0 @@ -from djangorestframework.authentication import BaseAuthentication -from .models import BasicToken - -class TokenAuthentication(BaseAuthentication): - """ - Use a token model for authentication. - - A custom token model may be used here, but must have the following minimum - properties: - - * key -- The string identifying the token - * user -- The user to which the token belongs - * revoked -- The status of the token - - The BaseToken class is available as an abstract model to be derived from. - - The token key should be passed in as a string to the "Authorization" HTTP - header. For example: - - Authorization: Token 0123456789abcdef0123456789abcdef - - """ - model = BasicToken - - def authenticate(self, request): - auth = request.META.get('HTTP_AUTHORIZATION', '').strip().split() - if len(auth) == 2 and auth[0].lower() == "token": - key = auth[1] - - try: - token = self.model.objects.get(key=key) - except self.model.DoesNotExist: - return None - - if token.user.is_active and not token.revoked: - return (token.user, token) diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md index c5b7ac9c2..5f176d02d 100644 --- a/docs/api-guide/authentication.md +++ b/docs/api-guide/authentication.md @@ -67,9 +67,9 @@ If successfully authenticated, `UserBasicAuthentication` provides the following ## TokenAuthentication -This policy uses [HTTP Authentication][basicauth] with a custom authentication scheme called "Token". Token basic authentication is appropriate for client-server setups, such as native desktop and mobile clients. The token key should be passed in as a string to the "Authorization" HTTP header. For example: +This policy uses [HTTP Authentication][basicauth] with no authentication scheme. Token basic authentication is appropriate for client-server setups, such as native desktop and mobile clients. The token key should be passed in as a string to the "Authorization" HTTP header. For example: - curl http://my.api.org/ -X POST -H "Authorization: Token 0123456789abcdef0123456789abcdef" + curl http://my.api.org/ -X POST -H "Authorization: 0123456789abcdef0123456789abcdef" **Note:** If you run `TokenAuthentication` in production your API must be `https` only, or it will be completely insecure. @@ -78,7 +78,7 @@ If successfully authenticated, `TokenAuthentication` provides the following cred * `request.user` will be a `django.contrib.auth.models.User` instance. * `request.auth` will be a `djangorestframework.tokenauth.models.BasicToken` instance. -To use the `TokenAuthentication` scheme, you must have a token model. Django REST Framework comes with a minimal default token model. To use it, include `djangorestframework.tokenauth` in your installed applications. To use your own token model, subclass the `djangorestframework.tokenauth.authentication.TokenAuthentication` class and specify a `model` attribute that references your custom token model. The token model must provide `user`, `key`, and `revoked` attributes. For convenience, the `djangorestframework.tokenauth.models.BaseToken` abstract model implements this minimum contract, and also randomly populates the key field when none is provided. +To use the `TokenAuthentication` policy, you must have a token model. Django REST Framework comes with a minimal default token model. To use it, include `djangorestframework.tokenauth` in your installed applications and sync your database. To use your own token model, subclass the `djangorestframework.tokenauth.TokenAuthentication` class and specify a `model` attribute that references your custom token model. The token model must provide `user`, `key`, and `revoked` attributes. For convenience, the `djangorestframework.tokenauth.models.BaseToken` abstract model implements this minimum contract, and also randomly populates the key field when none is provided. ## OAuthAuthentication From 8df71f4d1d9a8a3df8e053d99340fbe5bf78b8ad Mon Sep 17 00:00:00 2001 From: Mjumbe Wawatu Poe Date: Fri, 7 Sep 2012 16:19:15 -0400 Subject: [PATCH 8/8] Get rid of the BaseToken abstract model --- djangorestframework/tokenauth/models.py | 16 +++------------- docs/api-guide/authentication.md | 2 +- 2 files changed, 4 insertions(+), 14 deletions(-) diff --git a/djangorestframework/tokenauth/models.py b/djangorestframework/tokenauth/models.py index 81d98863f..f289b0fd5 100644 --- a/djangorestframework/tokenauth/models.py +++ b/djangorestframework/tokenauth/models.py @@ -1,25 +1,15 @@ import uuid from django.db import models -class BaseToken(models.Model): +class BasicToken(models.Model): """ - The base abstract authorization token model class. + The default authorization token model class. """ key = models.CharField(max_length=32, primary_key=True, blank=True) user = models.ForeignKey('auth.User') revoked = models.BooleanField(default=False) - class Meta: - abstract=True - def save(self, *args, **kwargs): if not self.key: self.key = uuid.uuid4().hex - return super(BaseToken, self).save(*args, **kwargs) - - -class BasicToken(BaseToken): - """ - The default authorization token model class. - """ - pass + return super(BasicToken, self).save(*args, **kwargs) diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md index 5f176d02d..45da2c552 100644 --- a/docs/api-guide/authentication.md +++ b/docs/api-guide/authentication.md @@ -78,7 +78,7 @@ If successfully authenticated, `TokenAuthentication` provides the following cred * `request.user` will be a `django.contrib.auth.models.User` instance. * `request.auth` will be a `djangorestframework.tokenauth.models.BasicToken` instance. -To use the `TokenAuthentication` policy, you must have a token model. Django REST Framework comes with a minimal default token model. To use it, include `djangorestframework.tokenauth` in your installed applications and sync your database. To use your own token model, subclass the `djangorestframework.tokenauth.TokenAuthentication` class and specify a `model` attribute that references your custom token model. The token model must provide `user`, `key`, and `revoked` attributes. For convenience, the `djangorestframework.tokenauth.models.BaseToken` abstract model implements this minimum contract, and also randomly populates the key field when none is provided. +To use the `TokenAuthentication` policy, you must have a token model. Django REST Framework comes with a minimal default token model. To use it, include `djangorestframework.tokenauth` in your installed applications and sync your database. To use your own token model, subclass the `djangorestframework.tokenauth.TokenAuthentication` class and specify a `model` attribute that references your custom token model. The token model must provide `user`, `key`, and `revoked` attributes. Refer to the `djangorestframework.tokenauth.models.BasicToken` model as an example. ## OAuthAuthentication