From e029e44477111ed16da8954a53dcf08c08cfb403 Mon Sep 17 00:00:00 2001 From: Rob Romano Date: Sat, 10 Nov 2012 16:09:14 -0800 Subject: [PATCH 01/12] Added authtoken login/logout urlpatterns and views to support scripted logins and logouts using TokenAuthentication. Added unittests. --- rest_framework/authtoken/serializers.py | 37 +++++++++++++++++++++++++ rest_framework/authtoken/urls.py | 21 ++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 rest_framework/authtoken/serializers.py create mode 100644 rest_framework/authtoken/urls.py diff --git a/rest_framework/authtoken/serializers.py b/rest_framework/authtoken/serializers.py new file mode 100644 index 000000000..8e0128c14 --- /dev/null +++ b/rest_framework/authtoken/serializers.py @@ -0,0 +1,37 @@ +from django.contrib.auth import authenticate + +from rest_framework import serializers +from rest_framework.authtoken.models import Token + + +class AuthTokenSerializer(serializers.Serializer): + token = serializers.Field(source="key") + username = serializers.CharField(max_length=30) + password = serializers.CharField() + + def validate(self, attrs): + username = attrs.get('username') + password = attrs.get('password') + + if username and password: + user = authenticate(username=username, password=password) + + if user: + if not user.is_active: + raise serializers.ValidationError('User account is disabled.') + attrs['user'] = user + return attrs + else: + raise serializers.ValidationError('Unable to login with provided credentials.') + else: + raise serializers.ValidationError('Must include "username" and "password"') + + def convert_object(self, obj): + ret = self._dict_class() + ret['token'] = obj.key + ret['user'] = obj.user.id + return ret + + def restore_object(self, attrs, instance=None): + token, created = Token.objects.get_or_create(user=attrs['user']) + return token diff --git a/rest_framework/authtoken/urls.py b/rest_framework/authtoken/urls.py new file mode 100644 index 000000000..2a3e81150 --- /dev/null +++ b/rest_framework/authtoken/urls.py @@ -0,0 +1,21 @@ +""" +Login and logout views for token authentication. + +Add these to your root URLconf if you're using token authentication +your API requires authentication. + +The urls must be namespaced as 'rest_framework', and you should make sure +your authentication settings include `TokenAuthentication`. + + urlpatterns = patterns('', + ... + url(r'^auth-token', include('rest_framework.authtoken.urls', namespace='rest_framework')) + ) +""" +from django.conf.urls.defaults import patterns, url +from rest_framework.authtoken.views import AuthTokenView + +urlpatterns = patterns('rest_framework.authtoken.views', + url(r'^login/$', AuthTokenView.as_view(), name='token_login'), +# url(r'^logout/$', 'token_logout', name='token_logout'), +) From 063c027c7b4278620fda6cf4aa7825a817748cc0 Mon Sep 17 00:00:00 2001 From: Rob Romano Date: Sat, 10 Nov 2012 16:17:50 -0800 Subject: [PATCH 02/12] Added authtoken login/logout urlpatterns and views --- rest_framework/authtoken/urls.py | 6 ++-- rest_framework/authtoken/views.py | 19 +++++++++++ rest_framework/tests/authentication.py | 46 +++++++++++++++++++++++++- 3 files changed, 67 insertions(+), 4 deletions(-) diff --git a/rest_framework/authtoken/urls.py b/rest_framework/authtoken/urls.py index 2a3e81150..8bea46c00 100644 --- a/rest_framework/authtoken/urls.py +++ b/rest_framework/authtoken/urls.py @@ -13,9 +13,9 @@ your authentication settings include `TokenAuthentication`. ) """ from django.conf.urls.defaults import patterns, url -from rest_framework.authtoken.views import AuthTokenView +from rest_framework.authtoken.views import AuthTokenLoginView, AuthTokenLogoutView urlpatterns = patterns('rest_framework.authtoken.views', - url(r'^login/$', AuthTokenView.as_view(), name='token_login'), -# url(r'^logout/$', 'token_logout', name='token_logout'), + url(r'^login/$', AuthTokenLoginView.as_view(), name='token_login'), + url(r'^logout/$', AuthTokenLogoutView.as_view(), name='token_logout'), ) diff --git a/rest_framework/authtoken/views.py b/rest_framework/authtoken/views.py index e69de29bb..a52f0a77c 100644 --- a/rest_framework/authtoken/views.py +++ b/rest_framework/authtoken/views.py @@ -0,0 +1,19 @@ +from rest_framework.views import APIView +from rest_framework.generics import CreateAPIView +from rest_framework.authtoken.models import Token +from rest_framework.authtoken.serializers import AuthTokenSerializer +from django.http import HttpResponse + +class AuthTokenLoginView(CreateAPIView): + model = Token + serializer_class = AuthTokenSerializer + + +class AuthTokenLogoutView(APIView): + def post(self, request): + if request.user.is_authenticated() and request.auth: + request.auth.delete() + return HttpResponse("logged out") + else: + return HttpResponse("not logged in") + diff --git a/rest_framework/tests/authentication.py b/rest_framework/tests/authentication.py index 8ab4c4e40..d1bc23d9b 100644 --- a/rest_framework/tests/authentication.py +++ b/rest_framework/tests/authentication.py @@ -1,4 +1,4 @@ -from django.conf.urls.defaults import patterns +from django.conf.urls.defaults import patterns, include from django.contrib.auth.models import User from django.test import Client, TestCase @@ -27,6 +27,7 @@ MockView.authentication_classes += (TokenAuthentication,) urlpatterns = patterns('', (r'^$', MockView.as_view()), + (r'^auth-token/', include('rest_framework.authtoken.urls')), ) @@ -152,3 +153,46 @@ class TokenAuthTests(TestCase): self.token.delete() token = Token.objects.create(user=self.user) self.assertTrue(bool(token.key)) + + def test_token_login_json(self): + """Ensure token login view using JSON POST works.""" + client = Client(enforce_csrf_checks=True) + response = client.post('/auth-token/login/', + json.dumps({'username': self.username, 'password': self.password}), 'application/json') + self.assertEqual(response.status_code, 201) + self.assertEqual(json.loads(response.content)['token'], self.key) + + def test_token_login_json_bad_creds(self): + """Ensure token login view using JSON POST fails if bad credentials are used.""" + client = Client(enforce_csrf_checks=True) + response = client.post('/auth-token/login/', + json.dumps({'username': self.username, 'password': "badpass"}), 'application/json') + self.assertEqual(response.status_code, 400) + + def test_token_login_json_missing_fields(self): + """Ensure token login view using JSON POST fails if missing fields.""" + client = Client(enforce_csrf_checks=True) + response = client.post('/auth-token/login/', + json.dumps({'username': self.username}), 'application/json') + self.assertEqual(response.status_code, 400) + + def test_token_login_form(self): + """Ensure token login view using form POST works.""" + client = Client(enforce_csrf_checks=True) + response = client.post('/auth-token/login/', + {'username': self.username, 'password': self.password}) + self.assertEqual(response.status_code, 201) + self.assertEqual(json.loads(response.content)['token'], self.key) + + def test_token_logout(self): + """Ensure token logout view using JSON POST works.""" + # Use different User and Token as to isolate this test's effects on other unittests in class + username = "ringo" + user = User.objects.create_user(username, "starr@thebeatles.com", "pass") + token = Token.objects.create(user=user) + auth = "Token " + token.key + client = Client(enforce_csrf_checks=True) + response = client.post('/auth-token/logout/', HTTP_AUTHORIZATION=auth) + self.assertEqual(response.status_code, 200) + # Ensure token no longer exists + self.assertRaises(Token.DoesNotExist, lambda token: Token.objects.get(key=token.key), token) From 8eb37e1f7e879fc53c4550e5f1a545dd755cd07e Mon Sep 17 00:00:00 2001 From: Rob Romano Date: Mon, 12 Nov 2012 15:16:53 -0800 Subject: [PATCH 03/12] Updates to login view for TokenAuthentication from feedback from Tom --- rest_framework/authtoken/serializers.py | 15 +------------- rest_framework/authtoken/urls.py | 5 ++--- rest_framework/authtoken/views.py | 27 ++++++++++++++----------- rest_framework/tests/authentication.py | 25 ++++++----------------- 4 files changed, 24 insertions(+), 48 deletions(-) diff --git a/rest_framework/authtoken/serializers.py b/rest_framework/authtoken/serializers.py index 8e0128c14..a5ed6e6d7 100644 --- a/rest_framework/authtoken/serializers.py +++ b/rest_framework/authtoken/serializers.py @@ -1,12 +1,8 @@ from django.contrib.auth import authenticate - from rest_framework import serializers -from rest_framework.authtoken.models import Token - class AuthTokenSerializer(serializers.Serializer): - token = serializers.Field(source="key") - username = serializers.CharField(max_length=30) + username = serializers.CharField() password = serializers.CharField() def validate(self, attrs): @@ -26,12 +22,3 @@ class AuthTokenSerializer(serializers.Serializer): else: raise serializers.ValidationError('Must include "username" and "password"') - def convert_object(self, obj): - ret = self._dict_class() - ret['token'] = obj.key - ret['user'] = obj.user.id - return ret - - def restore_object(self, attrs, instance=None): - token, created = Token.objects.get_or_create(user=attrs['user']) - return token diff --git a/rest_framework/authtoken/urls.py b/rest_framework/authtoken/urls.py index 8bea46c00..878721367 100644 --- a/rest_framework/authtoken/urls.py +++ b/rest_framework/authtoken/urls.py @@ -13,9 +13,8 @@ your authentication settings include `TokenAuthentication`. ) """ from django.conf.urls.defaults import patterns, url -from rest_framework.authtoken.views import AuthTokenLoginView, AuthTokenLogoutView +from rest_framework.authtoken.views import AuthTokenView urlpatterns = patterns('rest_framework.authtoken.views', - url(r'^login/$', AuthTokenLoginView.as_view(), name='token_login'), - url(r'^logout/$', AuthTokenLogoutView.as_view(), name='token_logout'), + url(r'^login/$', AuthTokenView.as_view(), name='token_login'), ) diff --git a/rest_framework/authtoken/views.py b/rest_framework/authtoken/views.py index a52f0a77c..e027dff1c 100644 --- a/rest_framework/authtoken/views.py +++ b/rest_framework/authtoken/views.py @@ -1,19 +1,22 @@ from rest_framework.views import APIView -from rest_framework.generics import CreateAPIView +from rest_framework import status +from rest_framework import parsers +from rest_framework import renderers +from rest_framework.response import Response from rest_framework.authtoken.models import Token from rest_framework.authtoken.serializers import AuthTokenSerializer -from django.http import HttpResponse -class AuthTokenLoginView(CreateAPIView): +class AuthTokenView(APIView): + throttle_classes = () + permission_classes = () + parser_classes = (parsers.FormParser, parsers.MultiPartParser, parsers.JSONParser,) + renderer_classes = (renderers.JSONRenderer,) model = Token - serializer_class = AuthTokenSerializer - -class AuthTokenLogoutView(APIView): def post(self, request): - if request.user.is_authenticated() and request.auth: - request.auth.delete() - return HttpResponse("logged out") - else: - return HttpResponse("not logged in") - + serializer = AuthTokenSerializer(data=request.DATA) + if serializer.is_valid(): + token, created = Token.objects.get_or_create(user=serializer.object['user']) + return Response({'token': token.key}) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + diff --git a/rest_framework/tests/authentication.py b/rest_framework/tests/authentication.py index d1bc23d9b..cb16ef1e8 100644 --- a/rest_framework/tests/authentication.py +++ b/rest_framework/tests/authentication.py @@ -158,41 +158,28 @@ class TokenAuthTests(TestCase): """Ensure token login view using JSON POST works.""" client = Client(enforce_csrf_checks=True) response = client.post('/auth-token/login/', - json.dumps({'username': self.username, 'password': self.password}), 'application/json') - self.assertEqual(response.status_code, 201) + json.dumps({'username': self.username, 'password': self.password}), 'application/json') + self.assertEqual(response.status_code, 200) self.assertEqual(json.loads(response.content)['token'], self.key) def test_token_login_json_bad_creds(self): """Ensure token login view using JSON POST fails if bad credentials are used.""" client = Client(enforce_csrf_checks=True) response = client.post('/auth-token/login/', - json.dumps({'username': self.username, 'password': "badpass"}), 'application/json') + json.dumps({'username': self.username, 'password': "badpass"}), 'application/json') self.assertEqual(response.status_code, 400) def test_token_login_json_missing_fields(self): """Ensure token login view using JSON POST fails if missing fields.""" client = Client(enforce_csrf_checks=True) response = client.post('/auth-token/login/', - json.dumps({'username': self.username}), 'application/json') + json.dumps({'username': self.username}), 'application/json') self.assertEqual(response.status_code, 400) def test_token_login_form(self): """Ensure token login view using form POST works.""" client = Client(enforce_csrf_checks=True) response = client.post('/auth-token/login/', - {'username': self.username, 'password': self.password}) - self.assertEqual(response.status_code, 201) - self.assertEqual(json.loads(response.content)['token'], self.key) - - def test_token_logout(self): - """Ensure token logout view using JSON POST works.""" - # Use different User and Token as to isolate this test's effects on other unittests in class - username = "ringo" - user = User.objects.create_user(username, "starr@thebeatles.com", "pass") - token = Token.objects.create(user=user) - auth = "Token " + token.key - client = Client(enforce_csrf_checks=True) - response = client.post('/auth-token/logout/', HTTP_AUTHORIZATION=auth) + {'username': self.username, 'password': self.password}) self.assertEqual(response.status_code, 200) - # Ensure token no longer exists - self.assertRaises(Token.DoesNotExist, lambda token: Token.objects.get(key=token.key), token) + self.assertEqual(json.loads(response.content)['token'], self.key) From d3ee5080a0ff3894050442146083f9d4a2327c8f Mon Sep 17 00:00:00 2001 From: Rob Romano Date: Tue, 13 Nov 2012 15:03:42 -0800 Subject: [PATCH 04/12] Added documentation on how to use the token authentication login view. --- docs/api-guide/authentication.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md index 3137b9d4c..50d8c0546 100644 --- a/docs/api-guide/authentication.md +++ b/docs/api-guide/authentication.md @@ -97,6 +97,22 @@ If successfully authenticated, `TokenAuthentication` provides the following cred **Note:** If you use `TokenAuthentication` in production you must ensure that your API is only available over `https` only. +When using TokenAuthentication, it may be useful to add a login view for clients to retrieve the token. + +REST framework provides a built-in login view. To use it, add a pattern to include the token login view for clients as follows: + + urlpatterns += patterns('', + url(r'^api-token-auth/', include('rest_framework.authtoken.urls', + namespace='rest_framework')) + ) + +The `r'^api-token-auth/'` part of pattern can actually be whatever URL you want to use. The only restriction is that the included urls must use the `'rest_framework'` namespace. + +The authtoken login view will render a JSON response when a valid `username` and `password` fields are POST'ed to the view using forms or JSON: + + { 'token' : '9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' } + + ## OAuthAuthentication This policy uses the [OAuth 2.0][oauth] protocol to authenticate requests. OAuth is appropriate for server-server setups, such as when you want to allow a third-party service to access your API on a user's behalf. From 4fd590f96f77eae433f1d5de281ed95f5a003745 Mon Sep 17 00:00:00 2001 From: Rob Romano Date: Tue, 13 Nov 2012 16:49:13 -0800 Subject: [PATCH 05/12] Renamed AuthTokenView to ObtainAuthToken, added obtain_auth_token var, updated tests & docs. Left authtoken.urls in place as example. --- docs/api-guide/authentication.md | 14 ++++---------- docs/topics/credits.md | 2 ++ docs/topics/release-notes.md | 1 + rest_framework/authtoken/urls.py | 14 +++++++------- rest_framework/authtoken/views.py | 4 +++- rest_framework/tests/authentication.py | 2 +- 6 files changed, 18 insertions(+), 19 deletions(-) diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md index 50d8c0546..18620f492 100644 --- a/docs/api-guide/authentication.md +++ b/docs/api-guide/authentication.md @@ -97,21 +97,15 @@ If successfully authenticated, `TokenAuthentication` provides the following cred **Note:** If you use `TokenAuthentication` in production you must ensure that your API is only available over `https` only. -When using TokenAuthentication, it may be useful to add a login view for clients to retrieve the token. - -REST framework provides a built-in login view. To use it, add a pattern to include the token login view for clients as follows: +REST framework provides a built-in login view for clients to retrieve the token called `rest_framework.authtoken.obtain_auth_token`. To use it, add a pattern to include the token login view for clients as follows: urlpatterns += patterns('', - url(r'^api-token-auth/', include('rest_framework.authtoken.urls', - namespace='rest_framework')) + url(r'^api-token-auth/', 'rest_framework.authtoken.obtain_auth_token') ) -The `r'^api-token-auth/'` part of pattern can actually be whatever URL you want to use. The only restriction is that the included urls must use the `'rest_framework'` namespace. - -The authtoken login view will render a JSON response when a valid `username` and `password` fields are POST'ed to the view using forms or JSON: - - { 'token' : '9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' } +The `r'^api-token-auth/'` part of pattern can actually be whatever URL you want to use. The authtoken login view will render a JSON response when a valid `username` and `password` fields are POST'ed to the view using forms or JSON: + { 'token' : '9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' } ## OAuthAuthentication diff --git a/docs/topics/credits.md b/docs/topics/credits.md index 22d08df7a..f378a5216 100644 --- a/docs/topics/credits.md +++ b/docs/topics/credits.md @@ -59,6 +59,7 @@ The following people have helped make REST framework great. * Toni Michel - [tonimichel] * Ben Konrath - [benkonrath] * Marc Aymerich - [glic3rinu] +* Rob Romano - [robromano] Many thanks to everyone who's contributed to the project. @@ -153,3 +154,4 @@ To contact the author directly: [tonimichel]: https://github.com/tonimichel [benkonrath]: https://github.com/benkonrath [glic3rinu]: https://github.com/glic3rinu +[robromano]: https://github.com/robromano diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md index 35e8a8b35..daacc76f5 100644 --- a/docs/topics/release-notes.md +++ b/docs/topics/release-notes.md @@ -7,6 +7,7 @@ ## Master * Support for `read_only_fields` on `ModelSerializer` classes. +* Add convenience login view to get tokens when using `TokenAuthentication` ## 2.1.2 diff --git a/rest_framework/authtoken/urls.py b/rest_framework/authtoken/urls.py index 878721367..a3419da60 100644 --- a/rest_framework/authtoken/urls.py +++ b/rest_framework/authtoken/urls.py @@ -1,20 +1,20 @@ """ -Login and logout views for token authentication. +Login view for token authentication. -Add these to your root URLconf if you're using token authentication +Add this to your root URLconf if you're using token authentication your API requires authentication. -The urls must be namespaced as 'rest_framework', and you should make sure -your authentication settings include `TokenAuthentication`. +You should make sure your authentication settings include +`TokenAuthentication`. urlpatterns = patterns('', ... - url(r'^auth-token', include('rest_framework.authtoken.urls', namespace='rest_framework')) + url(r'^auth-token/', 'rest_framework.authtoken.obtain_auth_token') ) """ + from django.conf.urls.defaults import patterns, url -from rest_framework.authtoken.views import AuthTokenView urlpatterns = patterns('rest_framework.authtoken.views', - url(r'^login/$', AuthTokenView.as_view(), name='token_login'), + url(r'^login/$', 'rest_framework.authtoken.views.obtain_auth_token', name='token_login'), ) diff --git a/rest_framework/authtoken/views.py b/rest_framework/authtoken/views.py index e027dff1c..3ac674e28 100644 --- a/rest_framework/authtoken/views.py +++ b/rest_framework/authtoken/views.py @@ -6,7 +6,7 @@ from rest_framework.response import Response from rest_framework.authtoken.models import Token from rest_framework.authtoken.serializers import AuthTokenSerializer -class AuthTokenView(APIView): +class ObtainAuthToken(APIView): throttle_classes = () permission_classes = () parser_classes = (parsers.FormParser, parsers.MultiPartParser, parsers.JSONParser,) @@ -20,3 +20,5 @@ class AuthTokenView(APIView): return Response({'token': token.key}) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + +obtain_auth_token = ObtainAuthToken.as_view() diff --git a/rest_framework/tests/authentication.py b/rest_framework/tests/authentication.py index cb16ef1e8..96ca9f52c 100644 --- a/rest_framework/tests/authentication.py +++ b/rest_framework/tests/authentication.py @@ -27,7 +27,7 @@ MockView.authentication_classes += (TokenAuthentication,) urlpatterns = patterns('', (r'^$', MockView.as_view()), - (r'^auth-token/', include('rest_framework.authtoken.urls')), + (r'^auth-token/', 'rest_framework.authtoken.views.obtain_auth_token'), ) From 8ebbae683bcdb1b70711df8e0cfaad760c4e8fd0 Mon Sep 17 00:00:00 2001 From: Rob Romano Date: Tue, 13 Nov 2012 17:03:10 -0800 Subject: [PATCH 06/12] Removed authtoken/urls.py, not really needed with Tom's simplification --- rest_framework/authtoken/urls.py | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 rest_framework/authtoken/urls.py diff --git a/rest_framework/authtoken/urls.py b/rest_framework/authtoken/urls.py deleted file mode 100644 index a3419da60..000000000 --- a/rest_framework/authtoken/urls.py +++ /dev/null @@ -1,20 +0,0 @@ -""" -Login view for token authentication. - -Add this to your root URLconf if you're using token authentication -your API requires authentication. - -You should make sure your authentication settings include -`TokenAuthentication`. - - urlpatterns = patterns('', - ... - url(r'^auth-token/', 'rest_framework.authtoken.obtain_auth_token') - ) -""" - -from django.conf.urls.defaults import patterns, url - -urlpatterns = patterns('rest_framework.authtoken.views', - url(r'^login/$', 'rest_framework.authtoken.views.obtain_auth_token', name='token_login'), -) From 4a2526bd1e067104a1553a3e158016fe9ad285bb Mon Sep 17 00:00:00 2001 From: Rob Romano Date: Sat, 10 Nov 2012 16:09:14 -0800 Subject: [PATCH 07/12] Added authtoken login/logout urlpatterns and views to support scripted logins and logouts using TokenAuthentication. Added unittests. --- rest_framework/authtoken/serializers.py | 37 +++++++++++++++++++++++++ rest_framework/authtoken/urls.py | 21 ++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 rest_framework/authtoken/serializers.py create mode 100644 rest_framework/authtoken/urls.py diff --git a/rest_framework/authtoken/serializers.py b/rest_framework/authtoken/serializers.py new file mode 100644 index 000000000..8e0128c14 --- /dev/null +++ b/rest_framework/authtoken/serializers.py @@ -0,0 +1,37 @@ +from django.contrib.auth import authenticate + +from rest_framework import serializers +from rest_framework.authtoken.models import Token + + +class AuthTokenSerializer(serializers.Serializer): + token = serializers.Field(source="key") + username = serializers.CharField(max_length=30) + password = serializers.CharField() + + def validate(self, attrs): + username = attrs.get('username') + password = attrs.get('password') + + if username and password: + user = authenticate(username=username, password=password) + + if user: + if not user.is_active: + raise serializers.ValidationError('User account is disabled.') + attrs['user'] = user + return attrs + else: + raise serializers.ValidationError('Unable to login with provided credentials.') + else: + raise serializers.ValidationError('Must include "username" and "password"') + + def convert_object(self, obj): + ret = self._dict_class() + ret['token'] = obj.key + ret['user'] = obj.user.id + return ret + + def restore_object(self, attrs, instance=None): + token, created = Token.objects.get_or_create(user=attrs['user']) + return token diff --git a/rest_framework/authtoken/urls.py b/rest_framework/authtoken/urls.py new file mode 100644 index 000000000..2a3e81150 --- /dev/null +++ b/rest_framework/authtoken/urls.py @@ -0,0 +1,21 @@ +""" +Login and logout views for token authentication. + +Add these to your root URLconf if you're using token authentication +your API requires authentication. + +The urls must be namespaced as 'rest_framework', and you should make sure +your authentication settings include `TokenAuthentication`. + + urlpatterns = patterns('', + ... + url(r'^auth-token', include('rest_framework.authtoken.urls', namespace='rest_framework')) + ) +""" +from django.conf.urls.defaults import patterns, url +from rest_framework.authtoken.views import AuthTokenView + +urlpatterns = patterns('rest_framework.authtoken.views', + url(r'^login/$', AuthTokenView.as_view(), name='token_login'), +# url(r'^logout/$', 'token_logout', name='token_logout'), +) From bd92db3c672137fa68185dbc0f453f7cea7caff3 Mon Sep 17 00:00:00 2001 From: Rob Romano Date: Sat, 10 Nov 2012 16:17:50 -0800 Subject: [PATCH 08/12] Added authtoken login/logout urlpatterns and views --- rest_framework/authtoken/urls.py | 6 ++-- rest_framework/authtoken/views.py | 19 +++++++++++ rest_framework/tests/authentication.py | 46 +++++++++++++++++++++++++- 3 files changed, 67 insertions(+), 4 deletions(-) diff --git a/rest_framework/authtoken/urls.py b/rest_framework/authtoken/urls.py index 2a3e81150..8bea46c00 100644 --- a/rest_framework/authtoken/urls.py +++ b/rest_framework/authtoken/urls.py @@ -13,9 +13,9 @@ your authentication settings include `TokenAuthentication`. ) """ from django.conf.urls.defaults import patterns, url -from rest_framework.authtoken.views import AuthTokenView +from rest_framework.authtoken.views import AuthTokenLoginView, AuthTokenLogoutView urlpatterns = patterns('rest_framework.authtoken.views', - url(r'^login/$', AuthTokenView.as_view(), name='token_login'), -# url(r'^logout/$', 'token_logout', name='token_logout'), + url(r'^login/$', AuthTokenLoginView.as_view(), name='token_login'), + url(r'^logout/$', AuthTokenLogoutView.as_view(), name='token_logout'), ) diff --git a/rest_framework/authtoken/views.py b/rest_framework/authtoken/views.py index e69de29bb..a52f0a77c 100644 --- a/rest_framework/authtoken/views.py +++ b/rest_framework/authtoken/views.py @@ -0,0 +1,19 @@ +from rest_framework.views import APIView +from rest_framework.generics import CreateAPIView +from rest_framework.authtoken.models import Token +from rest_framework.authtoken.serializers import AuthTokenSerializer +from django.http import HttpResponse + +class AuthTokenLoginView(CreateAPIView): + model = Token + serializer_class = AuthTokenSerializer + + +class AuthTokenLogoutView(APIView): + def post(self, request): + if request.user.is_authenticated() and request.auth: + request.auth.delete() + return HttpResponse("logged out") + else: + return HttpResponse("not logged in") + diff --git a/rest_framework/tests/authentication.py b/rest_framework/tests/authentication.py index 8ab4c4e40..d1bc23d9b 100644 --- a/rest_framework/tests/authentication.py +++ b/rest_framework/tests/authentication.py @@ -1,4 +1,4 @@ -from django.conf.urls.defaults import patterns +from django.conf.urls.defaults import patterns, include from django.contrib.auth.models import User from django.test import Client, TestCase @@ -27,6 +27,7 @@ MockView.authentication_classes += (TokenAuthentication,) urlpatterns = patterns('', (r'^$', MockView.as_view()), + (r'^auth-token/', include('rest_framework.authtoken.urls')), ) @@ -152,3 +153,46 @@ class TokenAuthTests(TestCase): self.token.delete() token = Token.objects.create(user=self.user) self.assertTrue(bool(token.key)) + + def test_token_login_json(self): + """Ensure token login view using JSON POST works.""" + client = Client(enforce_csrf_checks=True) + response = client.post('/auth-token/login/', + json.dumps({'username': self.username, 'password': self.password}), 'application/json') + self.assertEqual(response.status_code, 201) + self.assertEqual(json.loads(response.content)['token'], self.key) + + def test_token_login_json_bad_creds(self): + """Ensure token login view using JSON POST fails if bad credentials are used.""" + client = Client(enforce_csrf_checks=True) + response = client.post('/auth-token/login/', + json.dumps({'username': self.username, 'password': "badpass"}), 'application/json') + self.assertEqual(response.status_code, 400) + + def test_token_login_json_missing_fields(self): + """Ensure token login view using JSON POST fails if missing fields.""" + client = Client(enforce_csrf_checks=True) + response = client.post('/auth-token/login/', + json.dumps({'username': self.username}), 'application/json') + self.assertEqual(response.status_code, 400) + + def test_token_login_form(self): + """Ensure token login view using form POST works.""" + client = Client(enforce_csrf_checks=True) + response = client.post('/auth-token/login/', + {'username': self.username, 'password': self.password}) + self.assertEqual(response.status_code, 201) + self.assertEqual(json.loads(response.content)['token'], self.key) + + def test_token_logout(self): + """Ensure token logout view using JSON POST works.""" + # Use different User and Token as to isolate this test's effects on other unittests in class + username = "ringo" + user = User.objects.create_user(username, "starr@thebeatles.com", "pass") + token = Token.objects.create(user=user) + auth = "Token " + token.key + client = Client(enforce_csrf_checks=True) + response = client.post('/auth-token/logout/', HTTP_AUTHORIZATION=auth) + self.assertEqual(response.status_code, 200) + # Ensure token no longer exists + self.assertRaises(Token.DoesNotExist, lambda token: Token.objects.get(key=token.key), token) From ce3ccb91dc2a7aaf8ff41ac24045c558d641839e Mon Sep 17 00:00:00 2001 From: Rob Romano Date: Mon, 12 Nov 2012 15:16:53 -0800 Subject: [PATCH 09/12] Updates to login view for TokenAuthentication from feedback from Tom --- rest_framework/authtoken/serializers.py | 15 +------------- rest_framework/authtoken/urls.py | 5 ++--- rest_framework/authtoken/views.py | 27 ++++++++++++++----------- rest_framework/tests/authentication.py | 25 ++++++----------------- 4 files changed, 24 insertions(+), 48 deletions(-) diff --git a/rest_framework/authtoken/serializers.py b/rest_framework/authtoken/serializers.py index 8e0128c14..a5ed6e6d7 100644 --- a/rest_framework/authtoken/serializers.py +++ b/rest_framework/authtoken/serializers.py @@ -1,12 +1,8 @@ from django.contrib.auth import authenticate - from rest_framework import serializers -from rest_framework.authtoken.models import Token - class AuthTokenSerializer(serializers.Serializer): - token = serializers.Field(source="key") - username = serializers.CharField(max_length=30) + username = serializers.CharField() password = serializers.CharField() def validate(self, attrs): @@ -26,12 +22,3 @@ class AuthTokenSerializer(serializers.Serializer): else: raise serializers.ValidationError('Must include "username" and "password"') - def convert_object(self, obj): - ret = self._dict_class() - ret['token'] = obj.key - ret['user'] = obj.user.id - return ret - - def restore_object(self, attrs, instance=None): - token, created = Token.objects.get_or_create(user=attrs['user']) - return token diff --git a/rest_framework/authtoken/urls.py b/rest_framework/authtoken/urls.py index 8bea46c00..878721367 100644 --- a/rest_framework/authtoken/urls.py +++ b/rest_framework/authtoken/urls.py @@ -13,9 +13,8 @@ your authentication settings include `TokenAuthentication`. ) """ from django.conf.urls.defaults import patterns, url -from rest_framework.authtoken.views import AuthTokenLoginView, AuthTokenLogoutView +from rest_framework.authtoken.views import AuthTokenView urlpatterns = patterns('rest_framework.authtoken.views', - url(r'^login/$', AuthTokenLoginView.as_view(), name='token_login'), - url(r'^logout/$', AuthTokenLogoutView.as_view(), name='token_logout'), + url(r'^login/$', AuthTokenView.as_view(), name='token_login'), ) diff --git a/rest_framework/authtoken/views.py b/rest_framework/authtoken/views.py index a52f0a77c..e027dff1c 100644 --- a/rest_framework/authtoken/views.py +++ b/rest_framework/authtoken/views.py @@ -1,19 +1,22 @@ from rest_framework.views import APIView -from rest_framework.generics import CreateAPIView +from rest_framework import status +from rest_framework import parsers +from rest_framework import renderers +from rest_framework.response import Response from rest_framework.authtoken.models import Token from rest_framework.authtoken.serializers import AuthTokenSerializer -from django.http import HttpResponse -class AuthTokenLoginView(CreateAPIView): +class AuthTokenView(APIView): + throttle_classes = () + permission_classes = () + parser_classes = (parsers.FormParser, parsers.MultiPartParser, parsers.JSONParser,) + renderer_classes = (renderers.JSONRenderer,) model = Token - serializer_class = AuthTokenSerializer - -class AuthTokenLogoutView(APIView): def post(self, request): - if request.user.is_authenticated() and request.auth: - request.auth.delete() - return HttpResponse("logged out") - else: - return HttpResponse("not logged in") - + serializer = AuthTokenSerializer(data=request.DATA) + if serializer.is_valid(): + token, created = Token.objects.get_or_create(user=serializer.object['user']) + return Response({'token': token.key}) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + diff --git a/rest_framework/tests/authentication.py b/rest_framework/tests/authentication.py index d1bc23d9b..cb16ef1e8 100644 --- a/rest_framework/tests/authentication.py +++ b/rest_framework/tests/authentication.py @@ -158,41 +158,28 @@ class TokenAuthTests(TestCase): """Ensure token login view using JSON POST works.""" client = Client(enforce_csrf_checks=True) response = client.post('/auth-token/login/', - json.dumps({'username': self.username, 'password': self.password}), 'application/json') - self.assertEqual(response.status_code, 201) + json.dumps({'username': self.username, 'password': self.password}), 'application/json') + self.assertEqual(response.status_code, 200) self.assertEqual(json.loads(response.content)['token'], self.key) def test_token_login_json_bad_creds(self): """Ensure token login view using JSON POST fails if bad credentials are used.""" client = Client(enforce_csrf_checks=True) response = client.post('/auth-token/login/', - json.dumps({'username': self.username, 'password': "badpass"}), 'application/json') + json.dumps({'username': self.username, 'password': "badpass"}), 'application/json') self.assertEqual(response.status_code, 400) def test_token_login_json_missing_fields(self): """Ensure token login view using JSON POST fails if missing fields.""" client = Client(enforce_csrf_checks=True) response = client.post('/auth-token/login/', - json.dumps({'username': self.username}), 'application/json') + json.dumps({'username': self.username}), 'application/json') self.assertEqual(response.status_code, 400) def test_token_login_form(self): """Ensure token login view using form POST works.""" client = Client(enforce_csrf_checks=True) response = client.post('/auth-token/login/', - {'username': self.username, 'password': self.password}) - self.assertEqual(response.status_code, 201) - self.assertEqual(json.loads(response.content)['token'], self.key) - - def test_token_logout(self): - """Ensure token logout view using JSON POST works.""" - # Use different User and Token as to isolate this test's effects on other unittests in class - username = "ringo" - user = User.objects.create_user(username, "starr@thebeatles.com", "pass") - token = Token.objects.create(user=user) - auth = "Token " + token.key - client = Client(enforce_csrf_checks=True) - response = client.post('/auth-token/logout/', HTTP_AUTHORIZATION=auth) + {'username': self.username, 'password': self.password}) self.assertEqual(response.status_code, 200) - # Ensure token no longer exists - self.assertRaises(Token.DoesNotExist, lambda token: Token.objects.get(key=token.key), token) + self.assertEqual(json.loads(response.content)['token'], self.key) From eb20b5663e68ce01453eeb855922874001f42d0f Mon Sep 17 00:00:00 2001 From: Rob Romano Date: Tue, 13 Nov 2012 15:03:42 -0800 Subject: [PATCH 10/12] Added documentation on how to use the token authentication login view. --- docs/api-guide/authentication.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md index cb1e2645b..a55059a85 100644 --- a/docs/api-guide/authentication.md +++ b/docs/api-guide/authentication.md @@ -112,6 +112,21 @@ If you've already created some User`'s, you can run a script like this. for user in User.objects.all(): Token.objects.get_or_create(user=user) +When using TokenAuthentication, it may be useful to add a login view for clients to retrieve the token. + +REST framework provides a built-in login view. To use it, add a pattern to include the token login view for clients as follows: + + urlpatterns += patterns('', + url(r'^api-token-auth/', include('rest_framework.authtoken.urls', + namespace='rest_framework')) + ) + +The `r'^api-token-auth/'` part of pattern can actually be whatever URL you want to use. The only restriction is that the included urls must use the `'rest_framework'` namespace. + +The authtoken login view will render a JSON response when a valid `username` and `password` fields are POST'ed to the view using forms or JSON: + + { 'token' : '9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' } + ## OAuthAuthentication This policy uses the [OAuth 2.0][oauth] protocol to authenticate requests. OAuth is appropriate for server-server setups, such as when you want to allow a third-party service to access your API on a user's behalf. From 321ba156ca45da8a4b3328c4aec6a9235f32e5f8 Mon Sep 17 00:00:00 2001 From: Rob Romano Date: Tue, 13 Nov 2012 16:49:13 -0800 Subject: [PATCH 11/12] Renamed AuthTokenView to ObtainAuthToken, added obtain_auth_token var, updated tests & docs. Left authtoken.urls in place as example. --- docs/api-guide/authentication.md | 11 ++++------- docs/topics/credits.md | 3 +++ docs/topics/release-notes.md | 1 + rest_framework/authtoken/urls.py | 14 +++++++------- rest_framework/authtoken/views.py | 4 +++- rest_framework/tests/authentication.py | 2 +- 6 files changed, 19 insertions(+), 16 deletions(-) diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md index a55059a85..a30bd22c1 100644 --- a/docs/api-guide/authentication.md +++ b/docs/api-guide/authentication.md @@ -114,18 +114,15 @@ If you've already created some User`'s, you can run a script like this. When using TokenAuthentication, it may be useful to add a login view for clients to retrieve the token. -REST framework provides a built-in login view. To use it, add a pattern to include the token login view for clients as follows: +REST framework provides a built-in login view for clients to retrieve the token called `rest_framework.authtoken.obtain_auth_token`. To use it, add a pattern to include the token login view for clients as follows: urlpatterns += patterns('', - url(r'^api-token-auth/', include('rest_framework.authtoken.urls', - namespace='rest_framework')) + url(r'^api-token-auth/', 'rest_framework.authtoken.obtain_auth_token') ) -The `r'^api-token-auth/'` part of pattern can actually be whatever URL you want to use. The only restriction is that the included urls must use the `'rest_framework'` namespace. +The `r'^api-token-auth/'` part of pattern can actually be whatever URL you want to use. The authtoken login view will render a JSON response when a valid `username` and `password` fields are POST'ed to the view using forms or JSON: -The authtoken login view will render a JSON response when a valid `username` and `password` fields are POST'ed to the view using forms or JSON: - - { 'token' : '9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' } + { 'token' : '9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' } ## OAuthAuthentication diff --git a/docs/topics/credits.md b/docs/topics/credits.md index 8e71c937a..939dfc571 100644 --- a/docs/topics/credits.md +++ b/docs/topics/credits.md @@ -60,6 +60,7 @@ The following people have helped make REST framework great. * Ben Konrath - [benkonrath] * Marc Aymerich - [glic3rinu] * Ludwig Kraatz - [ludwigkraatz] +* Rob Romano - [robromano] Many thanks to everyone who's contributed to the project. @@ -155,3 +156,5 @@ To contact the author directly: [benkonrath]: https://github.com/benkonrath [glic3rinu]: https://github.com/glic3rinu [ludwigkraatz]: https://github.com/ludwigkraatz +[robromano]: https://github.com/robromano + diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md index 35e8a8b35..daacc76f5 100644 --- a/docs/topics/release-notes.md +++ b/docs/topics/release-notes.md @@ -7,6 +7,7 @@ ## Master * Support for `read_only_fields` on `ModelSerializer` classes. +* Add convenience login view to get tokens when using `TokenAuthentication` ## 2.1.2 diff --git a/rest_framework/authtoken/urls.py b/rest_framework/authtoken/urls.py index 878721367..a3419da60 100644 --- a/rest_framework/authtoken/urls.py +++ b/rest_framework/authtoken/urls.py @@ -1,20 +1,20 @@ """ -Login and logout views for token authentication. +Login view for token authentication. -Add these to your root URLconf if you're using token authentication +Add this to your root URLconf if you're using token authentication your API requires authentication. -The urls must be namespaced as 'rest_framework', and you should make sure -your authentication settings include `TokenAuthentication`. +You should make sure your authentication settings include +`TokenAuthentication`. urlpatterns = patterns('', ... - url(r'^auth-token', include('rest_framework.authtoken.urls', namespace='rest_framework')) + url(r'^auth-token/', 'rest_framework.authtoken.obtain_auth_token') ) """ + from django.conf.urls.defaults import patterns, url -from rest_framework.authtoken.views import AuthTokenView urlpatterns = patterns('rest_framework.authtoken.views', - url(r'^login/$', AuthTokenView.as_view(), name='token_login'), + url(r'^login/$', 'rest_framework.authtoken.views.obtain_auth_token', name='token_login'), ) diff --git a/rest_framework/authtoken/views.py b/rest_framework/authtoken/views.py index e027dff1c..3ac674e28 100644 --- a/rest_framework/authtoken/views.py +++ b/rest_framework/authtoken/views.py @@ -6,7 +6,7 @@ from rest_framework.response import Response from rest_framework.authtoken.models import Token from rest_framework.authtoken.serializers import AuthTokenSerializer -class AuthTokenView(APIView): +class ObtainAuthToken(APIView): throttle_classes = () permission_classes = () parser_classes = (parsers.FormParser, parsers.MultiPartParser, parsers.JSONParser,) @@ -20,3 +20,5 @@ class AuthTokenView(APIView): return Response({'token': token.key}) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + +obtain_auth_token = ObtainAuthToken.as_view() diff --git a/rest_framework/tests/authentication.py b/rest_framework/tests/authentication.py index cb16ef1e8..96ca9f52c 100644 --- a/rest_framework/tests/authentication.py +++ b/rest_framework/tests/authentication.py @@ -27,7 +27,7 @@ MockView.authentication_classes += (TokenAuthentication,) urlpatterns = patterns('', (r'^$', MockView.as_view()), - (r'^auth-token/', include('rest_framework.authtoken.urls')), + (r'^auth-token/', 'rest_framework.authtoken.views.obtain_auth_token'), ) From 535b65a34862e1dcf6370046a37e9cd0e980f491 Mon Sep 17 00:00:00 2001 From: Rob Romano Date: Tue, 13 Nov 2012 17:03:10 -0800 Subject: [PATCH 12/12] Removed authtoken/urls.py, not really needed with Tom's simplification --- rest_framework/authtoken/urls.py | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 rest_framework/authtoken/urls.py diff --git a/rest_framework/authtoken/urls.py b/rest_framework/authtoken/urls.py deleted file mode 100644 index a3419da60..000000000 --- a/rest_framework/authtoken/urls.py +++ /dev/null @@ -1,20 +0,0 @@ -""" -Login view for token authentication. - -Add this to your root URLconf if you're using token authentication -your API requires authentication. - -You should make sure your authentication settings include -`TokenAuthentication`. - - urlpatterns = patterns('', - ... - url(r'^auth-token/', 'rest_framework.authtoken.obtain_auth_token') - ) -""" - -from django.conf.urls.defaults import patterns, url - -urlpatterns = patterns('rest_framework.authtoken.views', - url(r'^login/$', 'rest_framework.authtoken.views.obtain_auth_token', name='token_login'), -)