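def get_auth_from_request(request):
    """Authenticate from a cookie or an API key in basic auth.

    Stores the result in ``request.context['user']``: the ``User`` resolved
    from the credential, or a fresh ``User()`` when nothing resolves.

    Precedence, as implemented below:

    * URIs under ``/assets/`` are never authenticated.
    * If an ``Authorization`` header is present, only that header is
      considered; the session cookie is not consulted, even when the
      header is not usable Basic auth.
    * Otherwise the ``SESSION`` cookie, if any, is used.

    Basic credentials that are not valid base64 are treated as "no
    credentials" rather than raising, so a client-supplied header cannot
    surface as an unhandled exception. In that case the CSRF exemption
    below is not applied either.
    """
    # Function-scope import keeps this change local to the block.
    import binascii

    user = None
    if request.line.uri.startswith('/assets/'):
        pass
    elif 'Authorization' in request.headers:
        header = request.headers['authorization']
        if header.startswith('Basic '):
            try:
                creds = header[len('Basic '):].decode('base64')
            except (binascii.Error, ValueError):
                # The header is attacker-controlled input; a bad encoding
                # means "not authenticated", not a server error.
                creds = None

            if creds is not None:
                # Split on the first colon only. The password half of a
                # Basic credential may itself contain ':', and a credential
                # with no colon at all used to raise ValueError on unpack.
                token, _, ignored = creds.partition(':')
                user = User.from_api_key(token)

                # We don't require CSRF if they basically authenticated.
                # NOTE(review): this exemption is applied for any decodable
                # Basic header, whether or not the key resolved to a real
                # participant. from_api_key appears to return an anonymous
                # User for unknown keys, so such a request continues
                # unauthenticated but CSRF-exempt -- confirm no anonymous
                # state-changing endpoint depends on the CSRF check.
                csrf_token = csrf._get_new_csrf_key()
                request.headers.cookie['csrf_token'] = csrf_token
                request.headers['X-CSRF-TOKEN'] = csrf_token
                if 'Referer' not in request.headers:
                    request.headers['Referer'] = \
                        'https://%s/' % csrf._get_host(request)
    elif SESSION in request.headers.cookie:
        token = request.headers.cookie[SESSION].value
        user = User.from_session_token(token)

    # Always leave a User object in the context so callers never see None.
    request.context['user'] = user or User()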
def test_user_from_None_api_key_is_anonymous(self):
    """A ``None`` API key must resolve to the anonymous user.

    Participants are created first so that real accounts exist when the
    lookup runs. Presumably they have no API key set yet, which makes this
    a guard against ``None`` matching a key-less account -- TODO confirm
    against ``make_participant``.
    """
    for username in ('alice', 'bob'):
        self.make_participant(username)
    anonymous = User.from_api_key(None)
    assert anonymous.ANON
def test_user_can_be_loaded_from_api_key(self):
    """A freshly issued API key resolves to the participant it belongs to."""
    participant = self.make_participant('alice')
    fresh_key = participant.recreate_api_key()
    loaded = User.from_api_key(fresh_key)
    assert loaded.participant.username == 'alice'
def test_user_from_bad_api_key_is_anonymous(self):
    """An API key that matches no participant yields the anonymous user."""
    unknown_key = 'deadbeef'
    assert User.from_api_key(unknown_key).ANON