From f741cdae44bc455089a5ed7e1dbea4760ca97b85 Mon Sep 17 00:00:00 2001 From: Mjumbe Wawatu Poe Date: Fri, 7 Sep 2012 16:12:33 -0400 Subject: [PATCH] Move TokenAuthentication class into djangorestframework.authentication --- djangorestframework/authentication.py | 36 ++++++++++++++++++- djangorestframework/tests/authentication.py | 6 ++-- .../tokenauth/authentication.py | 36 ------------------- docs/api-guide/authentication.md | 6 ++-- 4 files changed, 41 insertions(+), 43 deletions(-) delete mode 100644 djangorestframework/tokenauth/authentication.py diff --git a/djangorestframework/authentication.py b/djangorestframework/authentication.py index 4d5a7e864..2446fbbdd 100644 --- a/djangorestframework/authentication.py +++ b/djangorestframework/authentication.py @@ -103,4 +103,38 @@ class SessionAuthentication(BaseAuthentication): return (user, None) -# TODO: TokenAuthentication, DigestAuthentication, OAuthAuthentication +class TokenAuthentication(BaseAuthentication): + """ + Use a token model for authentication. + + A custom token model may be used here, but must have the following minimum + properties: + + * key -- The string identifying the token + * user -- The user to which the token belongs + * revoked -- The status of the token + + The token key should be passed in as a string to the "Authorization" HTTP + header. For example: + + Authorization: 0123456789abcdef0123456789abcdef + + """ + model = None + + def authenticate(self, request): + key = request.META.get('HTTP_AUTHORIZATION', '').strip() + + if self.model is None: + from djangorestframework.tokenauth.models import BasicToken + self.model = BasicToken + + try: + token = self.model.objects.get(key=key) + except self.model.DoesNotExist: + return None + + if token.user.is_active and not token.revoked: + return (token.user, token) + +# TODO: DigestAuthentication, OAuthAuthentication diff --git a/djangorestframework/tests/authentication.py b/djangorestframework/tests/authentication.py index dfed2fccc..fcc8f7bad 100644 --- a/djangorestframework/tests/authentication.py +++ b/djangorestframework/tests/authentication.py @@ -9,7 +9,7 @@ from djangorestframework.views import APIView from djangorestframework import permissions from djangorestframework.tokenauth.models import BasicToken -from djangorestframework.tokenauth.authentication import TokenAuthentication +from djangorestframework.authentication import TokenAuthentication import base64 @@ -127,13 +127,13 @@ class TokenAuthTests(TestCase): def test_post_form_passing_token_auth(self): """Ensure POSTing json over token auth with correct credentials passes and does not require CSRF""" - auth = 'Token %s' % self.key + auth = self.key response = self.csrf_client.post('/', {'example': 'example'}, HTTP_AUTHORIZATION=auth) self.assertEqual(response.status_code, 200) def test_post_json_passing_token_auth(self): """Ensure POSTing form over token auth with correct credentials passes and does not require CSRF""" - auth = 'Token %s' % self.key + auth = self.key response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth) self.assertEqual(response.status_code, 200) diff --git a/djangorestframework/tokenauth/authentication.py b/djangorestframework/tokenauth/authentication.py deleted file mode 100644 index 327a4a09f..000000000 --- a/djangorestframework/tokenauth/authentication.py +++ /dev/null @@ -1,36 +0,0 @@ -from djangorestframework.authentication import BaseAuthentication -from .models import BasicToken - -class TokenAuthentication(BaseAuthentication): - """ - Use a token model for authentication. - - A custom token model may be used here, but must have the following minimum - properties: - - * key -- The string identifying the token - * user -- The user to which the token belongs - * revoked -- The status of the token - - The BaseToken class is available as an abstract model to be derived from. - - The token key should be passed in as a string to the "Authorization" HTTP - header. For example: - - Authorization: Token 0123456789abcdef0123456789abcdef - - """ - model = BasicToken - - def authenticate(self, request): - auth = request.META.get('HTTP_AUTHORIZATION', '').strip().split() - if len(auth) == 2 and auth[0].lower() == "token": - key = auth[1] - - try: - token = self.model.objects.get(key=key) - except self.model.DoesNotExist: - return None - - if token.user.is_active and not token.revoked: - return (token.user, token) diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md index c5b7ac9c2..5f176d02d 100644 --- a/docs/api-guide/authentication.md +++ b/docs/api-guide/authentication.md @@ -67,9 +67,9 @@ If successfully authenticated, `UserBasicAuthentication` provides the following ## TokenAuthentication -This policy uses [HTTP Authentication][basicauth] with a custom authentication scheme called "Token". Token basic authentication is appropriate for client-server setups, such as native desktop and mobile clients. The token key should be passed in as a string to the "Authorization" HTTP header. For example: +This policy uses [HTTP Authentication][basicauth] with no authentication scheme. Token basic authentication is appropriate for client-server setups, such as native desktop and mobile clients. The token key should be passed in as a string to the "Authorization" HTTP header. For example: - curl http://my.api.org/ -X POST -H "Authorization: Token 0123456789abcdef0123456789abcdef" + curl http://my.api.org/ -X POST -H "Authorization: 0123456789abcdef0123456789abcdef" **Note:** If you run `TokenAuthentication` in production your API must be `https` only, or it will be completely insecure. @@ -78,7 +78,7 @@ If successfully authenticated, `TokenAuthentication` provides the following cred * `request.user` will be a `django.contrib.auth.models.User` instance. * `request.auth` will be a `djangorestframework.tokenauth.models.BasicToken` instance. -To use the `TokenAuthentication` scheme, you must have a token model. Django REST Framework comes with a minimal default token model. To use it, include `djangorestframework.tokenauth` in your installed applications. To use your own token model, subclass the `djangorestframework.tokenauth.authentication.TokenAuthentication` class and specify a `model` attribute that references your custom token model. The token model must provide `user`, `key`, and `revoked` attributes. For convenience, the `djangorestframework.tokenauth.models.BaseToken` abstract model implements this minimum contract, and also randomly populates the key field when none is provided. +To use the `TokenAuthentication` policy, you must have a token model. Django REST Framework comes with a minimal default token model. To use it, include `djangorestframework.tokenauth` in your installed applications and sync your database. To use your own token model, subclass the `djangorestframework.tokenauth.TokenAuthentication` class and specify a `model` attribute that references your custom token model. The token model must provide `user`, `key`, and `revoked` attributes. For convenience, the `djangorestframework.tokenauth.models.BaseToken` abstract model implements this minimum contract, and also randomly populates the key field when none is provided. ## OAuthAuthentication