def authenticate(self, request=None, **kwargs): if request is None: try: username = kwargs.get('username') group = kwargs.get('group') if group.searh_user(username): return User(username=username) return None except: return None token = get_credentials(request, **kwargs) if token is not None: payload = get_payload(token, request) return get_user_by_payload(payload) try: username = kwargs[get_user_model().USERNAME_FIELD] password = kwargs["password"] auth = AuthenticationDB.objects.get(name='AuthenticationDB') if auth.validate_user(username=username, password=password): return User(username=username) return None except: return None
def test_argument_allowed(self): kwargs = { jwt_settings.JWT_ARGUMENT_NAME: self.token, } request = self.request_factory.get('/') credentials = utils.get_credentials(request, **kwargs) self.assertEqual(credentials, self.token)
def test_input_argument(self): kwargs = { "input": { jwt_settings.JWT_ARGUMENT_NAME: self.token, }, } request = self.request_factory.get("/") credentials = utils.get_credentials(request, **kwargs) self.assertEqual(credentials, self.token)
def authenticate(self, request=None, **kwargs): if request is None or getattr(request, "_jwt_token_auth", False): return None token = get_credentials(request, **kwargs) try: # +++ if token is not None: return get_user_by_token(token, request) except JSONWebTokenError: # +++ pass # +++ return None
def authenticate(self, request=None, username=None, password=None, **kwargs): if request is None: try: group = kwargs.get('group') if group.searh_user(username): return User(username=username) return None except: return None token = get_credentials(request, **kwargs) if token is not None: payload = get_payload(token, request) username = jwt_settings.JWT_PAYLOAD_GET_USERNAME_HANDLER(payload) ldap_user = _LDAPUser(self, username=username.strip(), request=request) if self.settings.USER_SEARCH is not None: user_dn = ldap_user._search_for_user_dn() elif self.settings.USER_DN_TEMPLATE is not None: user_dn = ldap_user._construct_simple_user_dn() else: user_dn = None if user_dn is not None: try: result_search = ldap_user.connection.search_s(user_dn, 0) if len(result_search) == 1 and result_search is not None: return User(username=username) return None except: return None if password or self.settings.PERMIT_EMPTY_PASSWORD: ldap_user = _LDAPUser(self, username=username.strip(), request=request) user = self.authenticate_ldap_user(ldap_user, password) else: logger.debug('Rejecting empty password for {}'.format(username)) user = None return user
def test_missing_argument(self): request = self.request_factory.get('/') credentials = utils.get_credentials(request) self.assertIsNone(credentials)
def __call__(self, request): session_created = False has_token = False # add user request.user = SimpleLazyObject(lambda: get_user(request)) token = get_credentials(request) if token is not None and token != '' and token != 'None' and \ not token_is_expired(token): user = get_user_by_token(token, request) request.user = user has_token = True # add session if not hasattr(request, 'session'): session_engine = import_module(settings.SESSION_ENGINE) session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME) # if the session cannot be saved, start with an empty session try: request.session = session_engine.SessionStore(session_key) request.session.save() session_created = True except UpdateError: response = redirect(request.get_full_path()) response.delete_cookie( settings.SESSION_COOKIE_NAME, path=settings.SESSION_COOKIE_PATH, domain=settings.SESSION_COOKIE_DOMAIN, ) response.delete_cookie(jwt_settings.JWT_COOKIE_NAME) patch_vary_headers(response, ('Cookie',)) return response max_age = request.session.get_expiry_age() expires_time = time.time() + max_age anti_expires_time = cookie_date(time.time() - max_age) cookie_expires = cookie_date(expires_time) if request.session.get_expire_at_browser_close(): max_age = None cookie_expires = None if token and token_is_expired(token): cookie_token = request.COOKIES.get(jwt_settings.JWT_COOKIE_NAME) session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME) if cookie_token and cookie_token != '""': try: user = get_user_from_session_key(session_key) request.user = user refresh_token_lazy(request.user) token = get_token(request.user) refresh_token_rotated.send( sender=SRIJWTAuthMiddleware, request=request, refresh_token=self, ) signals.token_issued.send( sender=SRIJWTAuthMiddleware, request=request, user=request.user) except ObjectDoesNotExist: ## fallback solution response = redirect(request.get_full_path()) delete_jwt_cookie(request, response) patch_vary_headers(response, ('Cookie',)) return response # process response with inner middleware response = self.get_response(request) if request.user.is_authenticated and not has_token: token = get_token(request.user) signals.token_issued.send( sender=SRIJWTAuthMiddleware, request=request, user=request.user) # if token is expired, refresh it if token_is_expired(token): refresh_token_lazy(request.user) token = get_token(request.user) refresh_token_rotated.send( sender=SRIJWTAuthMiddleware, request=request, refresh_token=self, ) signals.token_issued.send( sender=SRIJWTAuthMiddleware, request=request, user=request.user) #expires = datetime.utcnow() + jwt_settings.JWT_EXPIRATION_DELTA response.set_cookie( jwt_settings.JWT_COOKIE_NAME, token, domain=settings.COOKIE_DOMAIN, max_age=max_age, expires=cookie_expires, secure=settings.JWT_COOKIE_SECURE or None, httponly=settings.JWT_COOKIE_HTTPONLY or None, samesite='Lax', ) patch_vary_headers(response, ('Cookie',)) accessed = request.session.accessed modified = request.session.modified empty = request.session.is_empty() # we'll force the session cookie creation if: # * we have a valid token but we didn't have a session for the user # * the session was not created because the user is logged in create_session_cookie = token and session_created \ or token and not request.user.is_authenticated if settings.SESSION_COOKIE_NAME in request.COOKIES and empty: response.delete_cookie( settings.SESSION_COOKIE_NAME, path=settings.SESSION_COOKIE_PATH, domain=settings.SESSION_COOKIE_DOMAIN, ) response.delete_cookie(jwt_settings.JWT_COOKIE_NAME) patch_vary_headers(response, ('Cookie',)) else: if accessed: patch_vary_headers(response, ('Cookie',)) try: SESSION_SAVE_EVERY_REQUEST = settings.SESSION_SAVE_EVERY_REQUEST except AttributeError: SESSION_SAVE_EVERY_REQUEST = None if (modified or SESSION_SAVE_EVERY_REQUEST) and not empty or create_session_cookie: # Save the session data and refresh the client cookie. # Skip session save for 500 responses, refs #3881. if response.status_code != 500: try: request.session.save() except UpdateError: raise SuspiciousOperation( "The request's session was deleted before the " "request completed. The user may have logged " "out in a concurrent request, for example." ) response.set_cookie( settings.SESSION_COOKIE_NAME, request.session.session_key, max_age=max_age, expires=cookie_expires, domain=settings.SESSION_COOKIE_DOMAIN, path=settings.SESSION_COOKIE_PATH, secure=settings.SESSION_COOKIE_SECURE or None, httponly=settings.SESSION_COOKIE_HTTPONLY or None, samesite='Strict', ) return response