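def process_request(self, request):
    """
    Parse the session id from the 'Session-Id: ' header when using the api.

    For an API request the client-supplied session URI is read from the
    header. Its realm must equal the request's domain, otherwise a
    PermissionDenied is raised; that (and any other APIException) is
    turned into a JSON error body carrying the exception's status code.
    API requests without a session header, and non-API requests, are
    delegated to the parent middleware.

    :param request: the incoming HttpRequest
    :returns: None when a header session was attached, an error
        HttpResponse when an APIException was raised, otherwise whatever
        the parent middleware returns
    """
    import json  # stdlib; local import keeps the block self-contained

    if self.is_api_request(request):
        try:
            parsed_session_uri = parse_session_id(request)
            if parsed_session_uri is not None:
                domain = get_domain(request)
                # The realm is taken from the client's header; it has to
                # match the host this request was actually made to.
                if parsed_session_uri['realm'] != domain:
                    raise exceptions.PermissionDenied(
                        _('Can not accept cookie with realm %s on realm %s') % (
                            parsed_session_uri['realm'], domain
                        )
                    )
                session_id = session_id_from_parsed_session_uri(
                    parsed_session_uri)
                request.session = start_or_resume(
                    session_id, session_type=parsed_session_uri['type'])
                request.parsed_session_uri = parsed_session_uri
                # since the session id is assigned by the CLIENT, there is
                # no point in having csrf_protection. Session id's read
                # from cookies, still need csrf!
                # NOTE(review): this presumably relies on the header not
                # being attachable by a cross-site form submission — confirm
                # against the CORS configuration.
                request.csrf_processing_done = True
                return None
        except exceptions.APIException as e:
            # e.detail can contain text echoed from the request (e.g. the
            # realm in the PermissionDenied message above), so it must be
            # serialised rather than interpolated into a JSON literal;
            # a quote or backslash in it would otherwise break the body.
            response = HttpResponse(json.dumps({'reason': str(e.detail)}),
                                    content_type='application/json')
            response.status_code = e.status_code
            return response
    return super(HeaderSessionMiddleware, self).process_request(request)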
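def process_request(self, request):
    """
    Parse the session id from the 'Session-Id: ' header when using the api.

    Non-API requests go straight to the parent middleware. For an API
    request the session URI supplied in the header is parsed; its realm
    must match the request's domain (PermissionDenied otherwise), then the
    session is started or resumed under the derived id. Any APIException
    raised on the way becomes a JSON error response with the exception's
    status code. An API request without a session header also falls
    through to the parent middleware.

    :param request: the incoming HttpRequest
    :returns: None when a header session was attached, an error
        HttpResponse on APIException, else the parent middleware's result
    """
    import json  # stdlib; local import keeps the block self-contained

    if not self.is_api_request(request):
        return super(HeaderSessionMiddleware, self).process_request(request)

    try:
        session_uri = parse_session_id(request)
        if session_uri is not None:
            current_domain = get_domain(request)
            # Client-provided realm must match the host being served.
            if session_uri['realm'] != current_domain:
                raise exceptions.PermissionDenied(
                    _('Can not accept cookie with realm %s on realm %s'
                      ) % (session_uri['realm'], current_domain))
            derived_id = session_id_from_parsed_session_uri(session_uri)
            request.session = start_or_resume(
                derived_id, session_type=session_uri['type'])
            request.parsed_session_uri = session_uri
            # since the session id is assigned by the CLIENT, there is
            # no point in having csrf_protection. Session id's read
            # from cookies, still need csrf!
            request.csrf_processing_done = True
            return None
    except exceptions.APIException as exc:
        # The detail may echo request-controlled text (the realm above);
        # build the body with json.dumps so quotes/backslashes are escaped
        # instead of producing malformed or injected JSON.
        error_response = HttpResponse(
            json.dumps({'reason': str(exc.detail)}),
            content_type='application/json')
        error_response.status_code = exc.status_code
        return error_response

    return super(HeaderSessionMiddleware, self).process_request(request)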
def test_logging_out_with_header(self):
    """Logging out invalidates the session id for later header authentication."""
    with self.settings(DEBUG=True):
        store = import_module(settings.SESSION_ENGINE).SessionStore()
        # establish an authenticated header session first
        self.test_login_with_header()
        uri = {'realm': 'testserver', 'type': 'AUTH', 'session_id': 'koe'}
        key = session_id_from_parsed_session_uri(uri)
        self.assertTrue(store.exists(key))
        # logging out must drop the session and stop echoing the header
        logout_response = self.delete(
            'api-login', session_id='koe', authenticated=True)
        self.assertFalse(store.exists(key))
        self.assertNotIn('Session-Id', logout_response)
        # the old id is no longer accepted
        retry = self.get('api-login', session_id='koe', authenticated=True)
        self.assertEqual(retry.status_code, 401)
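def process_response(self, request, response):
    """
    Add the 'Session-Id: ' header when using the api.

    The header is only set when this is an API request whose session was
    attached from a parsed 'Session-Id' header (request.parsed_session_uri
    is present and request.session is not None).

    :param request: the HttpRequest, possibly carrying parsed_session_uri
    :param response: the HttpResponse to decorate
    :returns: the response as returned by the parent middleware
    :raises AssertionError: if the key of the live session differs from
        the one derived from the parsed session URI
    """
    if self.is_api_request(request) \
            and getattr(request, 'session', None) is not None \
            and hasattr(request, 'parsed_session_uri'):
        session_key = request.session.session_key
        parsed_session_key = session_id_from_parsed_session_uri(
            request.parsed_session_uri)
        # Explicit check rather than `assert`: it guards the value echoed
        # back to the client and must not disappear under `python -O`.
        if session_key != parsed_session_key:
            raise AssertionError(
                '%s is not equal to %s' % (session_key, parsed_session_key))
        response['Session-Id'] = \
            'SID:%(type)s:%(realm)s:%(session_id)s' % (
                request.parsed_session_uri)
    return super(HeaderSessionMiddleware, self).process_response(
        request, response)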
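def process_response(self, request, response):
    """
    Add the 'Session-Id: ' header when using the api.

    Only API requests that carry request.parsed_session_uri (set by
    process_request) and a non-None request.session get the header.

    :param request: the HttpRequest being answered
    :param response: the HttpResponse to decorate
    :returns: the response as returned by the parent middleware
    :raises AssertionError: if the live session key does not match the key
        derived from request.parsed_session_uri
    """
    has_header_session = (
        self.is_api_request(request)
        and getattr(request, 'session', None) is not None
        and hasattr(request, 'parsed_session_uri')
    )
    if has_header_session:
        live_key = request.session.session_key
        expected_key = session_id_from_parsed_session_uri(
            request.parsed_session_uri)
        # An `assert` here would be stripped by `python -O`; the check
        # protects what is echoed to the client, so raise explicitly.
        if live_key != expected_key:
            raise AssertionError(
                '%s is not equal to %s' % (live_key, expected_key))
        response['Session-Id'] = \
            'SID:%(type)s:%(realm)s:%(session_id)s' % (
                request.parsed_session_uri)
    return super(HeaderSessionMiddleware, self).process_response(request, response)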
def test_logging_out_anonymous(self):
    """Logging out an anonymous session invalidates its id for later header use."""
    with self.settings(DEBUG=True, SESSION_SAVE_EVERY_REQUEST=True):
        store = import_module(settings.SESSION_ENGINE).SessionStore()
        # start an anonymous session via the header
        first = self.get('api-login', session_id='koe')
        uri = {'realm': 'testserver', 'type': 'ANON', 'session_id': 'koe'}
        key = session_id_from_parsed_session_uri(uri)
        self.assertTrue(store.exists(key))
        self.assertEqual(first.status_code, 204)
        # deleting it removes the session and stops echoing the header
        deleted = self.delete('api-login', session_id='koe')
        self.assertEqual(deleted.status_code, 200)
        self.assertFalse(store.exists(key))
        self.assertNotIn('Session-Id', deleted)