def _get_user(request):
"""
Return the user model instance associated with the given request session.
If no user is retrieved, return an instance of `AnonymousUser`.
"""
logger.debug("Start to retrieve the user data from usercache")
now = timezone.now()
user = None
try:
userid = auth._get_user_session_key(request)
userkey = settings.GET_USER_KEY(userid)
user = usercache.get(userkey)
if not user:
user = User.objects.get(pk=userid)
usercache.set(userkey, user, settings.USER_CACHE_TIMEOUT)
diff = timezone.now() - now
logger.debug(
"Spend {} milliseconds to cache the user({}) data from database to usercache"
.format(
round((diff.seconds * 1000 + diff.microseconds) /
1000), user.email))
else:
diff = timezone.now() - now
logger.debug(
"Spend {} milliseconds to get the user({}) data from usercache"
.format(
round((diff.seconds * 1000 + diff.microseconds) /
1000), user.email))
except KeyError:
pass
except ObjectDoesNotExist as ex:
pass
return user or anonymoususer
def _get_user(request):
"""
Return the user model instance associated with the given request session.
If no user is retrieved, return an instance of `AnonymousUser`.
"""
logger.debug("Start to retrieve the user data from database")
now = timezone.now()
user = None
try:
userid = auth._get_user_session_key(request)
user = User.objects.get(pk=userid)
except KeyError:
pass
except ObjectDoesNotExist as ex:
pass
finally:
diff = timezone.now() - now
logger.debug(
"Spend {} milliseconds to retrieve the user({}) data from database"
.format(
round(
(diff.seconds * 1000 + diff.microseconds) / 1000),
user.email if user else "AnonymousUser"))
return user or anonymoususer
def monkey_patched_get_user(request):
"""
Return the user model instance associated with the given request session.
If no user is retrieved, return an instance of `AnonymousUser`.
"""
from django.contrib.auth.models import AnonymousUser
user = None
try:
user_id = auth._get_user_session_key(request)
backend_path = request.session[auth.BACKEND_SESSION_KEY]
except KeyError:
pass
else:
if backend_path in AUTHENTICATION_BACKENDS:
backend = auth.load_backend(backend_path)
user = backend.get_user(user_id)
session_hash = request.session.get(auth.HASH_SESSION_KEY)
logging.debug(
request, " ---> Ignoring session hash: %s vs %s" %
(user.get_session_auth_hash() if user else "[no user]",
session_hash))
# # Verify the session
# if hasattr(user, 'get_session_auth_hash'):
# session_hash = request.session.get(HASH_SESSION_KEY)
# session_hash_verified = session_hash and constant_time_compare(
# session_hash,
# user.get_session_auth_hash()
# )
# if not session_hash_verified:
# request.session.flush()
# user = None
return user or AnonymousUser()
def get_user_object(request):
"""
Return the user model instance associated with the given request session.
If no user is retrieved, return an instance of `AnonymousUser`.
"""
from .models import AnonymousUser
user = None
try:
user_id = _get_user_session_key(request)
backend_path = request.session[BACKEND_SESSION_KEY]
except KeyError:
pass
else:
if backend_path in settings.AUTHENTICATION_BACKENDS:
backend = load_backend(backend_path)
user = backend.get_user(user_id)
# Verify the session
if hasattr(user, 'get_session_auth_hash'):
session_hash = request.session.get(HASH_SESSION_KEY)
session_hash_verified = session_hash and constant_time_compare(
session_hash, user.get_session_auth_hash())
if not session_hash_verified:
request.session.flush()
user = None
return user or AnonymousUser()
def process_request(self, request):
assert hasattr(request, 'session'), (
"The Django authentication middleware requires session middleware "
"to be installed. Edit your MIDDLEWARE_CLASSES setting to insert "
"'django.contrib.sessions.middleware.SessionMiddleware' before "
"'django.contrib.auth.middleware.AuthenticationMiddleware'."
)
request.user = SimpleLazyObject(lambda: get_user(_get_user_session_key(request)))
def get_user(request):
"""
Return the user model instance associated with the given request session.
If no user is retrieved, return an instance of `AnonymousUser`.
"""
from django.contrib.auth.models import AnonymousUser
user = None
try:
user_id = _get_user_session_key(request)
backend_path = request.session[BACKEND_SESSION_KEY]
except KeyError:
pass
else:
if backend_path in settings.AUTHENTICATION_BACKENDS:
backend = load_backend(backend_path)
user = backend.get_user(user_id)
# Verify the session
if hasattr(user, 'get_session_auth_hash'):
session_hash = request.session.get(HASH_SESSION_KEY)
session_hash_verified = (session_hash
and constant_time_compare(
session_hash,
user.get_session_auth_hash()))
if not session_hash_verified:
session_hash_verified = (
session_hash
and hasattr(user, '_legacy_get_session_auth_hash')
and constant_time_compare(
session_hash,
user._legacy_get_session_auth_hash(),
))
if not session_hash_verified and hasattr(
settings, 'OLD_SECRET_KEY'): # noqa
key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash" # noqa
compare_kwargs = {}
if django.VERSION >= (3, 1):
compare_kwargs['algorithm'] = (
settings.DEFAULT_HASHING_ALGORITHM
if django.VERSION < (4, 0) else "sha256")
session_hash_verified = session_hash and constant_time_compare( # noqa
session_hash,
salted_hmac(key_salt,
user.password,
secret=settings.OLD_SECRET_KEY,
**compare_kwargs).hexdigest())
request.session.cycle_key()
request.session[
HASH_SESSION_KEY] = user.get_session_auth_hash(
) # noqa
if not session_hash_verified:
request.session.flush()
user = None
return user or AnonymousUser()
def get_user_id_from_session(request):
"""
Return the user_id stored in the session of the request.
"""
from django.contrib.auth import _get_user_session_key
try:
# Django call to get the user id which is serialized in the session.
return _get_user_session_key(request)
except KeyError:
return None
def _get_user(request):
"""
Return the user associated to the request session;
Return anonymoususer if no user is associated
"""
try:
userid = auth._get_user_session_key(request)
except:
return anonymoususer
return load_user(userid)
def get_profile_id(request):
profile_id = None
try:
user_id = _get_user_session_key(request)
except KeyError:
pass
else:
from bookshelf import models
profile_id = (
models.Profile.objects.filter(user_id=user_id)
.values_list("pk", flat=True)
.first()
)
return profile_id
def _get_user(request):
"""
Return the user model instance associated with the given request session.
If no user is retrieved, return an instance of `AnonymousUser`.
"""
user = None
try:
userid = auth._get_user_session_key(request)
user = User.objects.get(pk=userid)
except KeyError:
pass
except ObjectDoesNotExist as ex:
pass
return user or anonymoususer
def get_user_id_from_session(request):
"""
Return the user_id stored in the session of the request.
"""
# Starting in django 1.8, the user_id is now serialized
# as a string in the session. Before, it was stored
# directly as an integer. If back-porting to prior to
# django 1.8, replace the implementation of this method
# with:
# return request.session[SESSION_KEY]
from django.contrib.auth import _get_user_session_key
try:
return _get_user_session_key(request)
except KeyError:
return None
def get_user_id_from_session(request):
"""
Return the user_id stored in the session of the request.
"""
# Starting in django 1.8, the user_id is now serialized
# as a string in the session. Before, it was stored
# directly as an integer. If back-porting to prior to
# django 1.8, replace the implementation of this method
# with:
# return request.session[SESSION_KEY]
from django.contrib.auth import _get_user_session_key
try:
return _get_user_session_key(request)
except KeyError:
return None
def _get_user(request):
if not hasattr(request, "_cached_user"):
try:
user_id = _get_user_session_key(request)
USER_CACHE_KEY = "USER_BY_SESSION_CACHE_{}".format(user_id)
user = cache.get(USER_CACHE_KEY)
if not user:
user = get_user(request)
cache.set(USER_CACHE_KEY, user)
except KeyError:
user = get_user(request)
if user.is_anonymous():
AnonymousUser = get_anonymous_user_model()
user = AnonymousUser()
request._cached_user = user
return request._cached_user
def _get_user(request):
"""
Return the user model instance associated with the given request session.
If no user is retrieved, return an instance of `AnonymousUser`.
"""
user = None
try:
userid = auth._get_user_session_key(request)
userkey = settings.GET_USER_KEY(userid)
user = usercache.get(userkey)
if not user:
user = User.objects.get(pk=userid)
usercache.set(userkey, user, settings.USER_CACHE_TIMEOUT)
except KeyError:
pass
except ObjectDoesNotExist as ex:
pass
return user or anonymoususer
def monkey_patched_get_user(request):
"""
Return the user model instance associated with the given request session.
If no user is retrieved, return an instance of `AnonymousUser`.
Monkey patched for the django 2.0 upgrade because session authentication,
added in 1.7 and required in 1.10, invalidates all existing 1.5 session auth
tokens. These tokens need to be refreshed as users login over the year, so
until then, leave this moneky patch running until we're ready to invalidate
any user who hasn't logged in during the window between the django 2.0 launch
and when this monkey patch is removed.
"""
from django.contrib.auth.models import AnonymousUser
user = None
try:
user_id = auth._get_user_session_key(request)
backend_path = request.session[auth.BACKEND_SESSION_KEY]
except KeyError:
pass
else:
if backend_path in AUTHENTICATION_BACKENDS:
backend = auth.load_backend(backend_path)
user = backend.get_user(user_id)
session_hash = request.session.get(auth.HASH_SESSION_KEY)
logging.debug(
request, " ---> Ignoring session hash: %s vs %s" %
(user.get_session_auth_hash() if user else "[no user]",
session_hash))
# # Verify the session
# if hasattr(user, 'get_session_auth_hash'):
# session_hash = request.session.get(HASH_SESSION_KEY)
# session_hash_verified = session_hash and constant_time_compare(
# session_hash,
# user.get_session_auth_hash()
# )
# if not session_hash_verified:
# request.session.flush()
# user = None
return user or AnonymousUser()
def login(request, user):
session_auth_hash = ''
if user is None:
user = request.user
if hasattr(user, 'get_session_auth_hash'):
session_auth_hash = user.get_session_auth_hash()
if SESSION_KEY in request.session:
if _get_user_session_key(request) != user.pk or (
session_auth_hash and
request.session.get(HASH_SESSION_KEY) != session_auth_hash):
request.session.flush()
else:
request.session.cycle_key()
request.session[SESSION_KEY] = user.pk
request.session[BACKEND_SESSION_KEY] = user.backend
request.session[HASH_SESSION_KEY] = session_auth_hash
if hasattr(request, 'user'):
request.user = user
rotate_token(request)
user_logged_in.send(sender=user.__class__, request=request, user=user)
def get_user(request):
"""
Return the user model instance associated with the given request session.
If no user is retrieved, return an instance of `AnonymousUser`.
"""
from django.contrib.auth.models import AnonymousUser
user = None
try:
user_id = _get_user_session_key(request)
backend_path = request.session[BACKEND_SESSION_KEY]
except KeyError:
pass
else:
if backend_path in settings.AUTHENTICATION_BACKENDS:
backend = load_backend(backend_path)
user = backend.get_user(user_id)
# Verify the session
if hasattr(user, 'get_session_auth_hash'):
session_hash = request.session.get(HASH_SESSION_KEY)
session_hash_verified = session_hash and constant_time_compare(
session_hash,
user.get_session_auth_hash()
)
if not session_hash_verified and hasattr(settings, 'OLD_SECRET_KEY'):
key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"
session_hash_verified = session_hash and constant_time_compare(
session_hash,
salted_hmac(key_salt, user.password, secret=settings.OLD_SECRET_KEY).hexdigest()
)
request.session.cycle_key()
request.session[HASH_SESSION_KEY] = user.get_session_auth_hash()
if not session_hash_verified:
request.session.flush()
user = None
return user or AnonymousUser()
def get_user(request):
"""
Returns the user model instance associated with the given request session.
If no user is retrieved an instance of `AnonymousUser` is returned.
"""
user = None
try:
payload = jwt_decode_handler(request.token)
user_id = payload.get('user_id', None)
except (DecodeError, ExpiredSignatureError):
return AnonymousUser()
try:
backend_path = request.session[BACKEND_SESSION_KEY]
user_id_in_session = _get_user_session_key(request)
except KeyError:
user = User.objects.get(pk=user_id)
login(request, user)
backend_path = request.session[BACKEND_SESSION_KEY]
else:
if user_id_in_session != user_id:
user = User.objects.get(pk=user_id)
login(request, user)
backend_path = request.session[BACKEND_SESSION_KEY]
if backend_path in settings.AUTHENTICATION_BACKENDS:
backend = load_backend(backend_path)
user = backend.get_user(user_id)
# Verify the session
if hasattr(user, 'get_session_auth_hash'):
session_hash = request.session.get(HASH_SESSION_KEY)
session_hash_verified = session_hash and constant_time_compare(
session_hash, user.get_session_auth_hash())
if not session_hash_verified:
request.session.flush()
user = None
return user or AnonymousUser()
def index(request):
print(auth.get_user(request),auth._get_user_session_key(request))
logging.info(request)
return render(request, 'index.html')
def process_request(self, request):
assert hasattr(request, 'session'), (
"The djangae.contrib.googleauth middleware requires session middleware "
"to be installed. Edit your MIDDLEWARE%s setting to insert "
"'django.contrib.sessions.middleware.SessionMiddleware' before "
"'djangae.contrib.googleauth.middleware.AuthenticationMiddleware'."
) % ("_CLASSES" if settings.MIDDLEWARE is None else "")
request.user = SimpleLazyObject(lambda: get_user(request))
# See if the handling view is marked with the auth_middleware_exempt
# decorator, and return if so.
if request.resolver_match:
func = request.resolver_match.func
exempt = getattr(func, "_auth_middleware_exempt", False)
if exempt:
return None
backend_str = request.session.get(BACKEND_SESSION_KEY)
if request.user.is_authenticated:
if backend_str and isinstance(load_backend(backend_str),
OAuthBackend):
# Should we link the Django session to the OAuth session? In most cases we shouldn't
# as oauth would've been used for identification at login only.
expire_session = getattr(settings, _OAUTH_LINK_EXPIRY_SETTING,
False)
if expire_session:
# The user is authenticated with Django, and they use the OAuth backend, so they
# should have a valid oauth session
oauth_session = OAuthUserSession.objects.filter(
pk=request.user.google_oauth_id).first()
# Their oauth session does not exist, so let's log them out
if not oauth_session:
logout(request)
return None
# Their oauth session expired but we still have an active user session
if not oauth_session.is_valid:
return redirect(
reverse("googleauth_oauth2login") + '?' +
urlencode(dict(next=request.path)))
elif backend_str and isinstance(load_backend(backend_str),
IAPBackend):
if not IAPBackend.can_authenticate(request):
logout(request)
else:
backends = get_backends()
try:
iap_backend = next(
filter(lambda be: isinstance(be, IAPBackend), backends))
except StopIteration:
iap_backend = None
# Try to authenticate with IAP if the headers
# are available
if iap_backend and IAPBackend.can_authenticate(request):
# Calling login() cycles the csrf token which causes POST request
# to break. We only call login if authenticating with IAP changed
# the user ID in the session, or the user ID was not in the session
# at all.
user = iap_backend.authenticate(request)
if user and user.is_authenticated:
should_login = (SESSION_KEY not in request.session or
_get_user_session_key(request) != user.pk)
# We always set the backend to IAP so that it truely reflects what was the last
# backend to authenticate this user
user.backend = 'djangae.contrib.googleauth.backends.iap.%s' % IAPBackend.__name__
if should_login:
# Setting the backend is needed for the call to login
login(request, user)
else:
# If we don't call login, we need to set request.user ourselves
# and update the backend string in the session
request.user = user
request.session[BACKEND_SESSION_KEY] = user.backend
def get_user_id(self):
serialized = self.request.session.get('_auth_user_id')
if serialized is None:
return None
return _get_user_session_key(self.request)
