def authenticate(self, request=None, **kwargs):
if request is None:
try:
username = kwargs.get('username')
group = kwargs.get('group')
if group.searh_user(username):
return User(username=username)
return None
except:
return None
token = get_credentials(request, **kwargs)
if token is not None:
payload = get_payload(token, request)
return get_user_by_payload(payload)
try:
username = kwargs[get_user_model().USERNAME_FIELD]
password = kwargs["password"]
auth = AuthenticationDB.objects.get(name='AuthenticationDB')
if auth.validate_user(username=username, password=password):
return User(username=username)
return None
except:
return None
def test_argument_allowed(self):
kwargs = {
jwt_settings.JWT_ARGUMENT_NAME: self.token,
}
request = self.request_factory.get('/')
credentials = utils.get_credentials(request, **kwargs)
self.assertEqual(credentials, self.token)
def test_input_argument(self):
kwargs = {
"input": {
jwt_settings.JWT_ARGUMENT_NAME: self.token,
},
}
request = self.request_factory.get("/")
credentials = utils.get_credentials(request, **kwargs)
self.assertEqual(credentials, self.token)
def authenticate(self, request=None, **kwargs):
if request is None or getattr(request, "_jwt_token_auth", False):
return None
token = get_credentials(request, **kwargs)
try: # +++
if token is not None:
return get_user_by_token(token, request)
except JSONWebTokenError: # +++
pass # +++
return None
def authenticate(self,
request=None,
username=None,
password=None,
**kwargs):
if request is None:
try:
group = kwargs.get('group')
if group.searh_user(username):
return User(username=username)
return None
except:
return None
token = get_credentials(request, **kwargs)
if token is not None:
payload = get_payload(token, request)
username = jwt_settings.JWT_PAYLOAD_GET_USERNAME_HANDLER(payload)
ldap_user = _LDAPUser(self,
username=username.strip(),
request=request)
if self.settings.USER_SEARCH is not None:
user_dn = ldap_user._search_for_user_dn()
elif self.settings.USER_DN_TEMPLATE is not None:
user_dn = ldap_user._construct_simple_user_dn()
else:
user_dn = None
if user_dn is not None:
try:
result_search = ldap_user.connection.search_s(user_dn, 0)
if len(result_search) == 1 and result_search is not None:
return User(username=username)
return None
except:
return None
if password or self.settings.PERMIT_EMPTY_PASSWORD:
ldap_user = _LDAPUser(self,
username=username.strip(),
request=request)
user = self.authenticate_ldap_user(ldap_user, password)
else:
logger.debug('Rejecting empty password for {}'.format(username))
user = None
return user
def test_missing_argument(self):
request = self.request_factory.get('/')
credentials = utils.get_credentials(request)
self.assertIsNone(credentials)
def __call__(self, request):
session_created = False
has_token = False
# add user
request.user = SimpleLazyObject(lambda: get_user(request))
token = get_credentials(request)
if token is not None and token != '' and token != 'None' and \
not token_is_expired(token):
user = get_user_by_token(token, request)
request.user = user
has_token = True
# add session
if not hasattr(request, 'session'):
session_engine = import_module(settings.SESSION_ENGINE)
session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
# if the session cannot be saved, start with an empty session
try:
request.session = session_engine.SessionStore(session_key)
request.session.save()
session_created = True
except UpdateError:
response = redirect(request.get_full_path())
response.delete_cookie(
settings.SESSION_COOKIE_NAME,
path=settings.SESSION_COOKIE_PATH,
domain=settings.SESSION_COOKIE_DOMAIN,
)
response.delete_cookie(jwt_settings.JWT_COOKIE_NAME)
patch_vary_headers(response, ('Cookie',))
return response
max_age = request.session.get_expiry_age()
expires_time = time.time() + max_age
anti_expires_time = cookie_date(time.time() - max_age)
cookie_expires = cookie_date(expires_time)
if request.session.get_expire_at_browser_close():
max_age = None
cookie_expires = None
if token and token_is_expired(token):
cookie_token = request.COOKIES.get(jwt_settings.JWT_COOKIE_NAME)
session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
if cookie_token and cookie_token != '""':
try:
user = get_user_from_session_key(session_key)
request.user = user
refresh_token_lazy(request.user)
token = get_token(request.user)
refresh_token_rotated.send(
sender=SRIJWTAuthMiddleware,
request=request,
refresh_token=self,
)
signals.token_issued.send(
sender=SRIJWTAuthMiddleware, request=request, user=request.user)
except ObjectDoesNotExist:
## fallback solution
response = redirect(request.get_full_path())
delete_jwt_cookie(request, response)
patch_vary_headers(response, ('Cookie',))
return response
# process response with inner middleware
response = self.get_response(request)
if request.user.is_authenticated and not has_token:
token = get_token(request.user)
signals.token_issued.send(
sender=SRIJWTAuthMiddleware, request=request, user=request.user)
# if token is expired, refresh it
if token_is_expired(token):
refresh_token_lazy(request.user)
token = get_token(request.user)
refresh_token_rotated.send(
sender=SRIJWTAuthMiddleware,
request=request,
refresh_token=self,
)
signals.token_issued.send(
sender=SRIJWTAuthMiddleware, request=request, user=request.user)
#expires = datetime.utcnow() + jwt_settings.JWT_EXPIRATION_DELTA
response.set_cookie(
jwt_settings.JWT_COOKIE_NAME,
token,
domain=settings.COOKIE_DOMAIN,
max_age=max_age,
expires=cookie_expires,
secure=settings.JWT_COOKIE_SECURE or None,
httponly=settings.JWT_COOKIE_HTTPONLY or None,
samesite='Lax',
)
patch_vary_headers(response, ('Cookie',))
accessed = request.session.accessed
modified = request.session.modified
empty = request.session.is_empty()
# we'll force the session cookie creation if:
# * we have a valid token but we didn't have a session for the user
# * the session was not created because the user is logged in
create_session_cookie = token and session_created \
or token and not request.user.is_authenticated
if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
response.delete_cookie(
settings.SESSION_COOKIE_NAME,
path=settings.SESSION_COOKIE_PATH,
domain=settings.SESSION_COOKIE_DOMAIN,
)
response.delete_cookie(jwt_settings.JWT_COOKIE_NAME)
patch_vary_headers(response, ('Cookie',))
else:
if accessed:
patch_vary_headers(response, ('Cookie',))
try:
SESSION_SAVE_EVERY_REQUEST = settings.SESSION_SAVE_EVERY_REQUEST
except AttributeError:
SESSION_SAVE_EVERY_REQUEST = None
if (modified or SESSION_SAVE_EVERY_REQUEST) and not empty or create_session_cookie:
# Save the session data and refresh the client cookie.
# Skip session save for 500 responses, refs #3881.
if response.status_code != 500:
try:
request.session.save()
except UpdateError:
raise SuspiciousOperation(
"The request's session was deleted before the "
"request completed. The user may have logged "
"out in a concurrent request, for example."
)
response.set_cookie(
settings.SESSION_COOKIE_NAME,
request.session.session_key, max_age=max_age,
expires=cookie_expires, domain=settings.SESSION_COOKIE_DOMAIN,
path=settings.SESSION_COOKIE_PATH,
secure=settings.SESSION_COOKIE_SECURE or None,
httponly=settings.SESSION_COOKIE_HTTPONLY or None,
samesite='Strict',
)
return response
