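    def process_request(self, request):
        """
        Parse the session id from the 'Session-Id: ' header when using the api.

        For API requests the client-supplied session uri is validated against
        the request's domain (realm) before the session is started or resumed.
        Any APIException raised on that path is rendered as a JSON body with
        the exception's status code. Non-API requests, and API requests
        without a parseable session header, fall through to the parent
        middleware.
        """
        import json

        if not self.is_api_request(request):
            return super(HeaderSessionMiddleware, self).process_request(request)

        try:
            parsed_session_uri = parse_session_id(request)
            if parsed_session_uri is not None:
                domain = get_domain(request)
                # The realm is chosen by the client; only accept it when it
                # matches the domain this request actually arrived on.
                if parsed_session_uri['realm'] != domain:
                    raise exceptions.PermissionDenied(
                        _('Can not accept cookie with realm %s on realm %s') % (
                            parsed_session_uri['realm'],
                            domain
                        )
                    )
                session_id = session_id_from_parsed_session_uri(
                    parsed_session_uri)
                request.session = start_or_resume(
                    session_id, session_type=parsed_session_uri['type'])
                request.parsed_session_uri = parsed_session_uri

                # since the session id is assigned by the CLIENT, there is
                # no point in having csrf_protection. Session id's read
                # from cookies, still need csrf!
                request.csrf_processing_done = True
                return None
        except exceptions.APIException as e:
            # Build the body with json.dumps rather than string formatting so
            # quotes or backslashes in the detail (which can echo
            # client-supplied values such as the realm) cannot produce a
            # malformed JSON response. '%s' keeps the original stringification.
            response = HttpResponse(
                json.dumps({'reason': '%s' % (e.detail,)}),
                content_type='application/json')
            response.status_code = e.status_code
            return response

        return super(HeaderSessionMiddleware, self).process_request(request)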
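    def process_request(self, request):
        """
        Parse the session id from the 'Session-Id: ' header when using the api.

        For API requests the client-supplied session uri is validated against
        the request's domain (realm) before the session is started or resumed.
        Any APIException raised on that path is rendered as a JSON body with
        the exception's status code. Non-API requests, and API requests
        without a parseable session header, fall through to the parent
        middleware.
        """
        import json

        if not self.is_api_request(request):
            return super(HeaderSessionMiddleware, self).process_request(request)

        try:
            parsed_session_uri = parse_session_id(request)
            if parsed_session_uri is not None:
                domain = get_domain(request)
                # The realm is chosen by the client; only accept it when it
                # matches the domain this request actually arrived on.
                if parsed_session_uri['realm'] != domain:
                    raise exceptions.PermissionDenied(
                        _('Can not accept cookie with realm %s on realm %s'
                          ) % (parsed_session_uri['realm'], domain))
                session_id = session_id_from_parsed_session_uri(
                    parsed_session_uri)
                request.session = start_or_resume(
                    session_id, session_type=parsed_session_uri['type'])
                request.parsed_session_uri = parsed_session_uri

                # since the session id is assigned by the CLIENT, there is
                # no point in having csrf_protection. Session id's read
                # from cookies, still need csrf!
                request.csrf_processing_done = True
                return None
        except exceptions.APIException as e:
            # Build the body with json.dumps rather than string formatting so
            # quotes or backslashes in the detail (which can echo
            # client-supplied values such as the realm) cannot produce a
            # malformed JSON response. '%s' keeps the original stringification.
            response = HttpResponse(
                json.dumps({'reason': '%s' % (e.detail,)}),
                content_type='application/json')
            response.status_code = e.status_code
            return response

        return super(HeaderSessionMiddleware, self).process_request(request)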
    def test_logging_out_with_header(self):
        "After logging out, a user can not use the session id to authenticate anymore"
        with self.settings(DEBUG=True):
            store = import_module(settings.SESSION_ENGINE).SessionStore()

            # Establish an authenticated header session first.
            self.test_login_with_header()

            session_id = session_id_from_parsed_session_uri({
                'realm': 'testserver',
                'type': 'AUTH',
                'session_id': 'koe',
            })
            self.assertTrue(store.exists(session_id))

            # Logging out must destroy the server-side session and must not
            # hand a Session-Id back to the client.
            logout_response = self.delete(
                'api-login', session_id='koe', authenticated=True)
            self.assertFalse(store.exists(session_id))
            self.assertNotIn('Session-Id', logout_response)

            # The old id no longer authenticates.
            retry_response = self.get(
                'api-login', session_id='koe', authenticated=True)
            self.assertEqual(retry_response.status_code, 401)
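    def process_response(self, request, response):
        """
        Add the 'Session-Id: ' header when using the api.

        The header is only emitted for API requests that carry a session and a
        parsed session uri on the request. The session key on the request is
        cross-checked against the key derived from that uri before the header
        is written, so the client is never told a Session-Id that does not
        match the session it actually used.
        """
        if self.is_api_request(request) \
                and getattr(request, 'session', None) is not None \
                and hasattr(request, 'parsed_session_uri'):
            session_key = request.session.session_key
            parsed_session_key = session_id_from_parsed_session_uri(
                request.parsed_session_uri)
            # Explicit raise instead of an `assert` statement: the check must
            # also hold under `python -O`, where asserts are stripped and a
            # mismatched Session-Id would otherwise be sent back silently.
            # NOTE(review): a mismatch means something replaced or re-keyed
            # request.session after the header was parsed — confirm that
            # failing the response is the intended handling.
            if session_key != parsed_session_key:
                raise AssertionError('%s is not equal to %s' % (
                    session_key, parsed_session_key))
            response['Session-Id'] = \
                'SID:%(type)s:%(realm)s:%(session_id)s' % (
                    request.parsed_session_uri)

        return super(HeaderSessionMiddleware, self).process_response(
            request, response)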
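    def process_response(self, request, response):
        """
        Add the 'Session-Id: ' header when using the api.

        The header is only emitted for API requests that carry a session and a
        parsed session uri on the request. The session key on the request is
        cross-checked against the key derived from that uri before the header
        is written, so the client is never told a Session-Id that does not
        match the session it actually used.
        """
        if self.is_api_request(request) \
                and getattr(request, 'session', None) is not None \
                and hasattr(request, 'parsed_session_uri'):
            session_key = request.session.session_key
            parsed_session_key = session_id_from_parsed_session_uri(
                request.parsed_session_uri)
            # Explicit raise instead of an `assert` statement: the check must
            # also hold under `python -O`, where asserts are stripped and a
            # mismatched Session-Id would otherwise be sent back silently.
            # NOTE(review): a mismatch means something replaced or re-keyed
            # request.session after the header was parsed — confirm that
            # failing the response is the intended handling.
            if session_key != parsed_session_key:
                raise AssertionError('%s is not equal to %s' % (
                    session_key, parsed_session_key))
            response['Session-Id'] = \
                'SID:%(type)s:%(realm)s:%(session_id)s' % (
                    request.parsed_session_uri)

        return super(HeaderSessionMiddleware,
                     self).process_response(request, response)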
    def test_logging_out_with_header(self):
        "After logging out, a user can not use the session id to authenticate anymore"
        with self.settings(DEBUG=True):
            store = import_module(settings.SESSION_ENGINE).SessionStore()

            # Establish an authenticated header session first.
            self.test_login_with_header()

            session_id = session_id_from_parsed_session_uri({
                'realm': 'testserver',
                'type': 'AUTH',
                'session_id': 'koe',
            })
            self.assertTrue(store.exists(session_id))

            # Logging out must destroy the server-side session and must not
            # hand a Session-Id back to the client.
            logout_response = self.delete(
                'api-login', session_id='koe', authenticated=True)
            self.assertFalse(store.exists(session_id))
            self.assertNotIn('Session-Id', logout_response)

            # The old id no longer authenticates.
            retry_response = self.get(
                'api-login', session_id='koe', authenticated=True)
            self.assertEqual(retry_response.status_code, 401)
    def test_logging_out_anonymous(self):
        "After logging out, an anonymous user can not use the session id to authenticate anymore"
        with self.settings(DEBUG=True, SESSION_SAVE_EVERY_REQUEST=True):
            store = import_module(settings.SESSION_ENGINE).SessionStore()

            # A GET with a client-chosen id starts an anonymous session.
            start_response = self.get('api-login', session_id='koe')
            session_id = session_id_from_parsed_session_uri({
                'realm': 'testserver',
                'type': 'ANON',
                'session_id': 'koe',
            })
            self.assertTrue(store.exists(session_id))
            self.assertEqual(start_response.status_code, 204)

            # DELETE tears the session down and must not echo a Session-Id.
            end_response = self.delete('api-login', session_id='koe')
            self.assertEqual(end_response.status_code, 200)
            self.assertFalse(store.exists(session_id))
            self.assertNotIn('Session-Id', end_response)
    def test_logging_out_anonymous(self):
        "After logging out, an anonymous user can not use the session id to authenticate anymore"
        with self.settings(DEBUG=True, SESSION_SAVE_EVERY_REQUEST=True):
            store = import_module(settings.SESSION_ENGINE).SessionStore()

            # A GET with a client-chosen id starts an anonymous session.
            start_response = self.get('api-login', session_id='koe')
            session_id = session_id_from_parsed_session_uri({
                'realm': 'testserver',
                'type': 'ANON',
                'session_id': 'koe',
            })
            self.assertTrue(store.exists(session_id))
            self.assertEqual(start_response.status_code, 204)

            # DELETE tears the session down and must not echo a Session-Id.
            end_response = self.delete('api-login', session_id='koe')
            self.assertEqual(end_response.status_code, 200)
            self.assertFalse(store.exists(session_id))
            self.assertNotIn('Session-Id', end_response)