async def login(self, user: RemoteUser):
"""
Persist a user id and a backend in the request. This way a user doesn't
have to reauthenticate on every request. Note that data set during
the anonymous session is retained when the user logs in.
"""
session_auth_hash = ''
if user is None:
user = self.current_user
if hasattr(user, 'get_session_auth_hash'):
session_auth_hash = user.get_session_auth_hash()
if SESSION_KEY in self.session:
if _get_user_session_key(self) != user.id or (
session_auth_hash and not constant_time_compare(
self.session.get(HASH_SESSION_KEY, ''),
session_auth_hash)):
# To avoid reusing another user's session, create a new, empty
# session if the existing session corresponds to a different
# authenticated user.
self.session.flush()
else:
self.session.cycle_key()
self.session[SESSION_KEY] = user.id
self.session[HASH_SESSION_KEY] = session_auth_hash
# noinspection PyAttributeOutsideInit
self.current_user = user
async def get_user(self):
"""
Return the user model instance associated with the given session.
If no user is retrieved, return an instance of `AnonymousUser`.
"""
user = None
try:
user_id = _get_user_session_key(self)
backend_path = self.session[BACKEND_SESSION_KEY]
except KeyError:
pass
else:
if backend_path in settings.AUTHENTICATION_BACKENDS:
backend = load_backend(backend_path)
user = await backend.get_user(user_id)
# Verify the session
if hasattr(user, 'get_session_auth_hash'):
session_hash = self.session.get(HASH_SESSION_KEY)
session_hash_verified = session_hash and constant_time_compare(
session_hash, user.get_session_auth_hash())
if not session_hash_verified:
self.session.flush()
user = None
return user or AnonymousUser()
def login(self, user, backend=None):
"""
Persist a user id and a backend in the request. This way a user doesn't
have to reauthenticate on every request. Note that data set during
the anonymous session is retained when the user logs in.
"""
session_auth_hash = ''
if user is None:
user = self.current_user
if hasattr(user, 'get_session_auth_hash'):
session_auth_hash = user.get_session_auth_hash()
if SESSION_KEY in self.session:
if _get_user_session_key(self) != user.id or (
session_auth_hash and not constant_time_compare(
self.session.get(HASH_SESSION_KEY, ''),
session_auth_hash)):
# To avoid reusing another user's session, create a new, empty
# session if the existing session corresponds to a different
# authenticated user.
self.session.flush()
else:
self.session.cycle_key()
try:
backend = backend or user.backend
except AttributeError:
backends = _get_backends(return_tuples=True)
if len(backends) == 1:
_, backend = backends[0]
else:
raise ValueError(
'You have multiple authentication backends configured and '
'therefore must provide the `backend` argument or set the '
'`backend` attribute on the user.')
else:
if not isinstance(backend, str):
raise TypeError(
'backend must be a dotted import path string (got %r).' %
backend)
self.session[SESSION_KEY] = user.id
self.session[BACKEND_SESSION_KEY] = backend
self.session[HASH_SESSION_KEY] = session_auth_hash
self.current_user = user
async def get_user(self):
"""
Return the user model instance associated with the given session.
If no user is retrieved, return an instance of `AnonymousUser`.
"""
user = None
try:
user_id = _get_user_session_key(self)
except KeyError:
pass
else:
user = await RemoteUser(id=user_id).get()
# Verify the session
if hasattr(user, 'get_session_auth_hash'):
session_hash = self.session.get(HASH_SESSION_KEY)
session_hash_verified = session_hash and constant_time_compare(
session_hash, user.get_session_auth_hash())
if not session_hash_verified:
self.session.flush()
user = None
return user or AnonymousUser()
