Commit Graph

50 Commits

Author SHA1 Message Date
Danilo Bargen
b187f53453 Changed return status for CSRF failures to HTTP 403
By default, Django returns "HTTP 403 Forbidden" responses when CSRF
validation failed[1]. CSRF is a case of authorization, not of
authentication. Therefore `PermissionDenied` should be raised instead
of `AuthenticationFailed`.

[1] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#rejected-requests
2014-09-23 14:16:08 +02:00
dpanesso
1ab782a430 Using user.get_username() instead of user.username.
This solves an error when using a auth model that does not have a username field.
2014-09-03 23:38:03 -05:00
Tom Christie
bf09c32de8 Code linting and added runtests.py 2014-08-19 13:28:07 +01:00
Tom Christie
e385a7b8eb Merge master 2014-08-19 10:11:10 +01:00
Ron Cohen
05882cc599 Sending "Bearer" and "Bearer " resulted in a 500. 2014-07-25 10:55:53 +00:00
Xavier Ordoquy
d08536ad9d Merge remote-tracking branch 'origin/master' into 2.4.0
Conflicts:
	.travis.yml
	docs/api-guide/fields.md
	docs/api-guide/routers.md
	docs/topics/release-notes.md
	rest_framework/authentication.py
	rest_framework/serializers.py
	rest_framework/templatetags/rest_framework.py
	rest_framework/tests/test_authentication.py
	rest_framework/tests/test_filters.py
	rest_framework/tests/test_hyperlinkedserializers.py
	rest_framework/tests/test_serializer.py
	rest_framework/tests/test_testing.py
	rest_framework/utils/encoders.py
	tox.ini
2014-04-13 00:05:57 +02:00
Benjamin Dauvergne
1909472aa2 authentication: allow all transport modes of access token in OAuth2Authentication
RFC6750 describe three transport modes for access tokens when accessing a
protected resource:
- Auhthorization header with the Bearer authentication type
- form-encoded body parameter
- URI query parameter

This patch add support for last two transport modes.
2014-03-19 12:43:45 +01:00
Eric Buehl
e0682e9298 don't implicitly import provider.oauth2 2014-03-05 17:15:52 +00:00
Tom Christie
52686420f4 Merge branch 'bennbollay-patch-1' into 2.4.0
Conflicts:
	.travis.yml
	docs/api-guide/routers.md
	rest_framework/compat.py
	tox.ini
2013-12-23 09:48:59 +00:00
Tom Christie
a87c55a93a Compat fixes for django-oauth-plus versions 2.0-2.2.1 2013-12-13 21:57:07 +00:00
Philip Forget
5239362951 pass oauth_timestamp to oauth_provider 2013-11-14 18:02:07 -05:00
Tom Christie
e441f85109 Drop 1.3 support 2013-09-25 10:30:04 +01:00
Tom Christie
ab799ccc3e Simplify APIClient implementation 2013-06-29 21:34:47 +01:00
Tom Christie
35022ca921 Refactor SessionAuthentication slightly 2013-06-29 08:14:05 +01:00
Tom Christie
69e5e3cc0d Use timezone aware datetimes with oauth2 provider, when supported. Closes #947. 2013-06-26 21:18:13 +01:00
Alex Burgel
ecb8a460c9 Fix serialization exception when using non-existent consumer 2013-06-05 17:02:44 -04:00
Tom Christie
95abe6e844 Cleanup docstrings 2013-04-25 12:47:34 +01:00
Atle Frenvik Sveen
80d28de034 Fix the fact that InvalidConsumerError and InvalidTokenError wasn't imported correctly from oauth_provider 2013-04-03 13:10:41 +02:00
Tom Christie
74fbd5ccc5 Fix bug with inactive user accessing OAuth 2013-04-03 09:20:36 +01:00
Fernando Rocha
b2cea84fae Complete remove of client checks from oauth2
Signed-off-by: Fernando Rocha <fernandogrd@gmail.com>
2013-03-27 19:00:36 -03:00
Fernando Rocha
f1b8fee4f1 client credentials should be optional (fix #759)
client credentials should only be required on token
request

Signed-off-by: Fernando Rocha <fernandogrd@gmail.com>
2013-03-27 14:05:46 -03:00
Tom Christie
4055129662 If oauth is not attempted don't throw an error. Fixes #748. 2013-03-22 21:31:50 +00:00
Tom Christie
2596c12a21 Fixes for auth header checking. 2013-03-08 22:56:24 +00:00
Tom Christie
650d8e6a8e More bits of cleanup 2013-03-08 20:23:25 +00:00
Tom Christie
a4b33992a5 Merge OAuth2 work. 2013-03-07 17:43:13 +00:00
Tom Christie
1d62594fa9 Clean ups. 2013-03-07 15:44:36 +00:00
Tom Christie
44930f3091 Fix Py3k syntax errors 2013-03-07 09:15:05 +00:00
Tom Christie
d4e3610e71 Merge & clean OAuth support 2013-03-07 09:01:53 +00:00
Pierre Dulac
c449dd4f4d Properly fail to wrong Authorization token type 2013-03-02 20:17:14 +01:00
Pierre Dulac
d4c2267187 Clean up some print and comments 2013-03-01 12:08:28 +01:00
Pierre Dulac
9d5c306038 Improve the django-oauth2-provider import block
to avoid naming collision with `oauth2` used for OAuth 1
2013-03-01 11:53:30 +01:00
Pierre Dulac
da9d7fb8ec Add the OAuth2Authentication class 2013-03-01 02:08:58 +01:00
swistakm
59a6f5f463 Move oauth2 and django-oauth-plus imports to compat and fix some minor issues
- alias oauth2 as oauth
- remove rouge print
- remove docstring markups
- OAuthAuthentication.authenticate() now returns (user, token) two-tuple on success
- don't set request.user because it's already set
2013-02-26 11:22:21 +01:00
swistakm
1aed9c1604 add OAuthAuthentication class 2013-02-25 16:58:16 +01:00
Tom Christie
b052c92ac3 Cleanup imports
Mostly adding `from __future__ import unicode_literals` everywhere.
2013-02-04 20:55:35 +00:00
Tom Christie
f4f237e3ee 3.2, 3.3 compat 2013-02-01 14:03:28 +00:00
Tom Christie
d9c7b1c585 Merge branch 'p3k' of https://github.com/linovia/django-rest-framework into working
Conflicts:
	rest_framework/authentication.py
	rest_framework/relations.py
	rest_framework/serializers.py
	rest_framework/settings.py
	rest_framework/tests/authentication.py
	rest_framework/tests/genericrelations.py
	rest_framework/tests/generics.py
	rest_framework/tests/relations_hyperlink.py
	rest_framework/tests/relations_nested.py
	rest_framework/tests/relations_pk.py
	rest_framework/tests/serializer.py
2013-02-01 11:58:55 +00:00
Tom Christie
65b62d64ec WWW-Authenticate responses 2013-01-21 21:29:49 +00:00
Xavier Ordoquy
510d6a3c55 Introduced HTTP_HEADER_ENCODING. 2013-01-07 23:26:14 +01:00
Xavier Ordoquy
06ae47752f Also use the compat module in that file. 2013-01-03 12:49:57 +01:00
Xavier Ordoquy
b68263fb65 Default encoding should probably be latin-1 as some RFC seems to imply it. 2012-11-23 01:11:09 +01:00
Xavier Ordoquy
606c20f012 6 first tests passes under python 3.2 2012-11-22 02:08:00 +01:00
Xavier Ordoquy
b3698acb6c First passing test under p3k \o/ 2012-11-22 00:20:49 +01:00
Tom Christie
873a142af2 Implementing 401 vs 403 responses 2012-11-13 11:27:09 +00:00
Tom Christie
5ae49a4ec4 Add docs for 401 vs 403 responses 2012-10-17 14:59:53 +01:00
Tom Christie
3c8f01b985 Explicit CSRF failure message. Fixes #60. 2012-10-15 14:03:36 +01:00
Tom Christie
9c1fba3483 Tweak parsers to take parser_context 2012-10-15 13:27:50 +01:00
Tom Christie
221ecd2182 Fix session auth 2012-10-10 16:36:25 +01:00
Tom Christie
5c17a60176 Tweak authtoken 2012-10-09 09:57:31 +01:00
Tom Christie
4b691c4027 Change package name: djangorestframework -> rest_framework 2012-09-20 13:06:27 +01:00