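def test_apikey_and_authentication_enforce_user(self):
    """A valid session passes, a bad api_key fails, and MultiAuthentication
    falls back to the session without swapping ``request.user``.

    Uses ``assertTrue``/``assertIsInstance`` instead of ``assertEqual(..., True)``
    so a failure reports the actual backend result.
    """
    session_auth = SessionAuthentication()
    api_key_auth = ApiKeyAuthentication()
    # ApiKey is consulted first; the session backend is the fallback.
    auth = MultiAuthentication(api_key_auth, session_auth)
    john_doe = User.objects.get(username="******")
    csrf_token = "abcdef1234567890abcdef1234567890"

    request1 = HttpRequest()
    request2 = HttpRequest()
    request3 = HttpRequest()

    # Logged-in POST with a matching CSRF header/cookie pair.
    request1.method = "POST"
    request1.META = {"HTTP_X_CSRFTOKEN": csrf_token}
    request1.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
    request1.user = john_doe

    # Credentials supplied, but the key is wrong.
    request2.POST["username"] = "******"
    request2.POST["api_key"] = "invalid key"

    # Valid session *and* an invalid api_key on the same request.
    request3.method = "POST"
    request3.META = {"HTTP_X_CSRFTOKEN": csrf_token}
    request3.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
    request3.user = john_doe
    request3.POST["username"] = "******"
    request3.POST["api_key"] = "invalid key"

    # session auth should pass since john_doe is logged in
    self.assertTrue(session_auth.is_authenticated(request1))
    # api key auth should fail because of invalid api key
    self.assertIsInstance(
        api_key_auth.is_authenticated(request2), HttpUnauthorized)
    # multi auth shouldn't change users if api key auth fails;
    # multi auth passes since session auth is valid
    self.assertEqual(request3.user.username, "johndoe")
    self.assertTrue(auth.is_authenticated(request3))
    self.assertEqual(request3.user.username, "johndoe")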
def test_is_authenticated(self):
    """Walk SessionAuthentication through its CSRF, login and referer checks."""
    auth = SessionAuthentication()
    good_token = 'abcdef1234567890abcdef1234567890'
    cookies = {settings.CSRF_COOKIE_NAME: good_token}

    request = HttpRequest()
    request.method = 'POST'
    request.COOKIES = cookies

    # No CSRF token.
    request.META = {}
    self.assertFalse(auth.is_authenticated(request))

    # Invalid CSRF token.
    request.META = dict(HTTP_X_CSRFTOKEN='abc123')
    self.assertFalse(auth.is_authenticated(request))

    # Not logged in.
    request.META = dict(HTTP_X_CSRFTOKEN=good_token)
    request.user = AnonymousUser()
    self.assertFalse(auth.is_authenticated(request))

    # Logged in.
    request.user = User.objects.get(username='******')
    self.assertTrue(auth.is_authenticated(request))

    # Logged in (with GET & no token).
    request.method = 'GET'
    request.META = {}
    request.user = User.objects.get(username='******')
    self.assertTrue(auth.is_authenticated(request))

    class HttpsRequest(HttpRequest):
        """HttpRequest that reports an https scheme."""

        def _get_scheme(self):
            return 'https'

    # Secure & wrong referrer.
    request = HttpsRequest()
    request.method = 'POST'
    request.COOKIES = dict(cookies)
    request.META = dict(HTTP_X_CSRFTOKEN=good_token)
    request.META.update(HTTP_HOST='example.com', HTTP_REFERER='')
    request.user = User.objects.get(username='******')
    self.assertFalse(auth.is_authenticated(request))

    # Secure & correct referrer.
    request.META['HTTP_REFERER'] = 'https://example.com/'
    self.assertTrue(auth.is_authenticated(request))
def test_is_authenticated(self):
    """SessionAuthentication must reject missing/bad CSRF tokens and
    anonymous users, accept a logged-in user, and over https also
    require a referer on the request's own host."""
    auth = SessionAuthentication()
    token = 'abcdef1234567890abcdef1234567890'
    request = HttpRequest()

    def check():
        # Reads the *current* binding of `request`, so it follows the
        # SecureRequest swap below.
        return auth.is_authenticated(request)

    request.method = 'POST'
    request.COOKIES = {settings.CSRF_COOKIE_NAME: token}

    # No CSRF token.
    request.META = {}
    self.assertFalse(check())

    # Invalid CSRF token.
    request.META = {'HTTP_X_CSRFTOKEN': 'abc123'}
    self.assertFalse(check())

    # Not logged in.
    request.META = {'HTTP_X_CSRFTOKEN': token}
    request.user = AnonymousUser()
    self.assertFalse(check())

    # Logged in.
    request.user = User.objects.get(username='******')
    self.assertTrue(check())

    # Logged in (with GET & no token).
    request.method = 'GET'
    request.META = {}
    request.user = User.objects.get(username='******')
    self.assertTrue(check())

    # Secure & wrong referrer.
    class SecureRequest(HttpRequest):
        def _get_scheme(self):
            return 'https'

    request = SecureRequest()
    request.method = 'POST'
    request.META = {
        'HTTP_X_CSRFTOKEN': token,
        'HTTP_HOST': 'example.com',
        'HTTP_REFERER': '',
    }
    request.COOKIES = {settings.CSRF_COOKIE_NAME: token}
    request.user = User.objects.get(username='******')
    self.assertFalse(check())

    # Secure & correct referrer.
    request.META['HTTP_REFERER'] = 'https://example.com/'
    self.assertTrue(check())
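def test_apikey_and_authentication_enforce_user(self):
    """A valid session passes, a bad api_key fails, and MultiAuthentication
    falls back to the session without swapping ``request.user``.

    ``assertIsInstance`` replaces ``assertEqual(isinstance(...), True)`` so a
    failure shows the backend's actual return value.
    """
    session_auth = SessionAuthentication()
    api_key_auth = ApiKeyAuthentication()
    # ApiKey is consulted first; the session backend is the fallback.
    auth = MultiAuthentication(api_key_auth, session_auth)
    john_doe = User.objects.get(username='******')
    csrf_token = 'abcdef1234567890abcdef1234567890'

    request1 = HttpRequest()
    request2 = HttpRequest()
    request3 = HttpRequest()

    # Logged-in POST with a matching CSRF header/cookie pair.
    request1.method = 'POST'
    request1.META = {'HTTP_X_CSRFTOKEN': csrf_token}
    request1.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
    request1.user = john_doe

    # Credentials supplied, but the key is wrong.
    request2.POST['username'] = '******'
    request2.POST['api_key'] = 'invalid key'

    # Valid session *and* an invalid api_key on the same request.
    request3.method = 'POST'
    request3.META = {'HTTP_X_CSRFTOKEN': csrf_token}
    request3.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
    request3.user = john_doe
    request3.POST['username'] = '******'
    request3.POST['api_key'] = 'invalid key'

    # session auth should pass since john_doe is logged in
    self.assertTrue(session_auth.is_authenticated(request1))
    # api key auth should fail because of invalid api key
    self.assertIsInstance(
        api_key_auth.is_authenticated(request2), HttpUnauthorized)
    # multi auth shouldn't change users if api key auth fails;
    # multi auth passes since session auth is valid
    self.assertEqual(request3.user.username, 'johndoe')
    self.assertTrue(auth.is_authenticated(request3))
    self.assertEqual(request3.user.username, 'johndoe')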
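def test_is_authenticated(self):
    """SessionAuthentication: CSRF token, login state and (over https) referer.

    Positive cases use ``assertTrue`` rather than ``assertEqual(..., True)``
    so a failure shows the backend's actual return value, matching the
    negative cases' ``assertFalse``.
    """
    auth = SessionAuthentication()
    csrf_token = "abcdef1234567890abcdef1234567890"
    request = HttpRequest()
    request.method = "POST"
    request.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}

    # No CSRF token.
    request.META = {}
    self.assertFalse(auth.is_authenticated(request))

    # Invalid CSRF token.
    request.META = {"HTTP_X_CSRFTOKEN": "abc123"}
    self.assertFalse(auth.is_authenticated(request))

    # Not logged in.
    request.META = {"HTTP_X_CSRFTOKEN": csrf_token}
    request.user = AnonymousUser()
    self.assertFalse(auth.is_authenticated(request))

    # Logged in.
    request.user = User.objects.get(username="******")
    self.assertTrue(auth.is_authenticated(request))

    # Logged in (with GET & no token).
    request.method = "GET"
    request.META = {}
    request.user = User.objects.get(username="******")
    self.assertTrue(auth.is_authenticated(request))

    # Secure & wrong referrer.
    class SecureRequest(HttpRequest):
        """HttpRequest that reports an https scheme."""

        def _get_scheme(self):
            return "https"

    request = SecureRequest()
    request.method = "POST"
    request.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
    request.META = {"HTTP_X_CSRFTOKEN": csrf_token}
    request.META["HTTP_HOST"] = "example.com"
    request.META["HTTP_REFERER"] = ""
    request.user = User.objects.get(username="******")
    self.assertFalse(auth.is_authenticated(request))

    # Secure & correct referrer.
    request.META["HTTP_REFERER"] = "https://example.com/"
    self.assertTrue(auth.is_authenticated(request))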
def is_authenticated(self, request, **kwargs):  # noqa # too complex
    '''
    Handle the backends explicitly so that the result is False when
    credentials are given but wrong, and an AnonymousUser is installed
    when credentials are not given or the session has expired (web use).

    Without an Authorization header the Django session is consulted and
    any ``allowed_tokens`` already on ``request.user`` is carried over to
    whichever user object ends up on the request.  With a header, the
    scheme prefix selects the backend; an unrecognised scheme falls off
    the end and returns None (falsy).
    '''
    # NOTE(review): indentation was lost in this listing and has been
    # reconstructed; if the hasattr() guard covers only the next line,
    # `tokens` is unbound when request.user has no allowed_tokens and the
    # assignment below raises NameError — confirm against the original.
    auth_info = request.META.get('HTTP_AUTHORIZATION')

    if 'HTTP_AUTHORIZATION' not in request.META:
        if hasattr(request.user, 'allowed_tokens'):
            # Remember the tokens: session auth may replace request.user.
            tokens = request.user.allowed_tokens
        session_auth = SessionAuthentication()
        check = session_auth.is_authenticated(request, **kwargs)
        if check:
            if isinstance(check, HttpUnauthorized):
                # Session present but rejected: credentials were wrong.
                session_auth_result = False
            else:
                request._authentication_backend = session_auth
                session_auth_result = check
        else:
            # No usable session: continue as an anonymous web user.
            request.user = AnonymousUser()
            session_auth_result = True
        request.user.allowed_tokens = tokens
        return session_auth_result
    else:
        if auth_info.startswith('Basic'):
            basic_auth = BasicAuthentication()
            check = basic_auth.is_authenticated(request, **kwargs)
            if check:
                if isinstance(check, HttpUnauthorized):
                    return False
                else:
                    request._authentication_backend = basic_auth
                    return check
        if auth_info.startswith('ApiKey'):
            apikey_auth = ApiKeyAuthentication()
            check = apikey_auth.is_authenticated(request, **kwargs)
            if check:
                if isinstance(check, HttpUnauthorized):
                    return False
                else:
                    request._authentication_backend = apikey_auth
                    return check
        # Any other scheme, or a backend that returned a falsy value,
        # reaches here and yields an implicit None.
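def test_apikey_and_authentication_enforce_user(self):
    """A valid session passes, a bad api_key fails, and MultiAuthentication
    falls back to the session without swapping ``request.user``.

    ``assertIsInstance`` replaces ``assertEqual(isinstance(...), True)`` so a
    failure shows the backend's actual return value.
    """
    session_auth = SessionAuthentication()
    api_key_auth = ApiKeyAuthentication()
    # ApiKey is consulted first; the session backend is the fallback.
    auth = MultiAuthentication(api_key_auth, session_auth)
    john_doe = User.objects.get(username='******')
    csrf_token = 'abcdef1234567890abcdef1234567890'

    request1 = HttpRequest()
    request2 = HttpRequest()
    request3 = HttpRequest()

    # Logged-in POST with a matching CSRF header/cookie pair.
    request1.method = 'POST'
    request1.META = {'HTTP_X_CSRFTOKEN': csrf_token}
    request1.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
    request1.user = john_doe

    # Credentials supplied, but the key is wrong.
    request2.POST['username'] = '******'
    request2.POST['api_key'] = 'invalid key'

    # Valid session *and* an invalid api_key on the same request.
    request3.method = 'POST'
    request3.META = {'HTTP_X_CSRFTOKEN': csrf_token}
    request3.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
    request3.user = john_doe
    request3.POST['username'] = '******'
    request3.POST['api_key'] = 'invalid key'

    # session auth should pass since john_doe is logged in
    self.assertTrue(session_auth.is_authenticated(request1))
    # api key auth should fail because of invalid api key
    self.assertIsInstance(
        api_key_auth.is_authenticated(request2), HttpUnauthorized)
    # multi auth shouldn't change users if api key auth fails;
    # multi auth passes since session auth is valid
    self.assertEqual(request3.user.username, 'johndoe')
    self.assertTrue(auth.is_authenticated(request3))
    self.assertEqual(request3.user.username, 'johndoe')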
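def is_authenticated(self, request, **kwargs):
    '''
    Handle the backends explicitly so that the result is False when
    credentials are given but wrong, and an AnonymousUser is installed
    when credentials are not given or the session has expired (web use).

    Returns the backend's own truthy result on success and False when a
    backend rejects the credentials.  An Authorization header whose
    scheme is neither ``Basic`` nor ``ApiKey`` is rejected explicitly
    (the previous version fell off the end and returned None, which
    callers treat the same way).
    '''
    auth_info = request.META.get('HTTP_AUTHORIZATION')

    if 'HTTP_AUTHORIZATION' not in request.META:
        # No credentials on the request: consult the Django session.
        session_auth = SessionAuthentication()
        check = session_auth.is_authenticated(request, **kwargs)
        if not check:
            # No usable session: continue as an anonymous web user.
            request.user = AnonymousUser()
            return True
        if isinstance(check, HttpUnauthorized):
            return False
        request._authentication_backend = session_auth
        return check

    # Scheme prefix selects the backend (case-sensitive, as before).
    if auth_info.startswith('Basic'):
        backend = BasicAuthentication()
    elif auth_info.startswith('ApiKey'):
        backend = ApiKeyAuthentication()
    else:
        # Unsupported scheme: credentials were offered but cannot be
        # checked here, so do not let the caller treat this as "no auth".
        return False

    check = backend.is_authenticated(request, **kwargs)
    if not check or isinstance(check, HttpUnauthorized):
        # Credentials present but wrong.
        return False
    request._authentication_backend = backend
    return check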
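def test_is_authenticated(self):
    """SessionAuthentication: CSRF token, login state and (over https) referer.

    The ``HTTPS`` environment switch is process-wide state; it is now reset
    in a ``finally`` so a failing assertion cannot leave later tests running
    as if every request were secure.
    """
    auth = SessionAuthentication()
    csrf_token = 'abcdef1234567890abcdef1234567890'
    request = HttpRequest()
    request.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}

    # No CSRF token.
    request.META = {}
    self.assertFalse(auth.is_authenticated(request))

    # Invalid CSRF token.
    request.META = {'HTTP_X_CSRFTOKEN': 'abc123'}
    self.assertFalse(auth.is_authenticated(request))

    # Not logged in.
    request.META = {'HTTP_X_CSRFTOKEN': csrf_token}
    request.user = AnonymousUser()
    self.assertFalse(auth.is_authenticated(request))

    # Logged in.
    request.user = User.objects.get(username='******')
    self.assertTrue(auth.is_authenticated(request))

    os.environ["HTTPS"] = "on"
    try:
        # Secure & wrong referrer.
        request.META['HTTP_HOST'] = 'example.com'
        request.META['HTTP_REFERER'] = ''
        self.assertFalse(auth.is_authenticated(request))

        # Secure & correct referrer.
        request.META['HTTP_REFERER'] = 'https://example.com/'
        self.assertTrue(auth.is_authenticated(request))
    finally:
        os.environ["HTTPS"] = "off"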