diff options
| -rw-r--r-- | djangorestframework/runtests/settings.py | 1 | ||||
| -rw-r--r-- | djangorestframework/tests/authentication.py | 42 | ||||
| -rw-r--r-- | djangorestframework/tokenauth/__init__.py | 0 | ||||
| -rw-r--r-- | djangorestframework/tokenauth/authentication.py | 33 | ||||
| -rw-r--r-- | djangorestframework/tokenauth/models.py | 19 |
5 files changed, 95 insertions, 0 deletions
diff --git a/djangorestframework/runtests/settings.py b/djangorestframework/runtests/settings.py index 7cb3e27b..1fc6b47b 100644 --- a/djangorestframework/runtests/settings.py +++ b/djangorestframework/runtests/settings.py @@ -90,6 +90,7 @@ INSTALLED_APPS = ( # Uncomment the next line to enable admin documentation: # 'django.contrib.admindocs', 'djangorestframework', + 'djangorestframework.tokenauth', ) STATIC_URL = '/static/' diff --git a/djangorestframework/tests/authentication.py b/djangorestframework/tests/authentication.py index 79194718..2806da36 100644 --- a/djangorestframework/tests/authentication.py +++ b/djangorestframework/tests/authentication.py @@ -8,6 +8,9 @@ from django.http import HttpResponse from djangorestframework.views import APIView from djangorestframework import permissions +from djangorestframework.tokenauth.models import Token +from djangorestframework.tokenauth.authentication import TokenAuthentication + import base64 @@ -20,6 +23,8 @@ class MockView(APIView): def put(self, request): return HttpResponse({'a': 1, 'b': 2, 'c': 3}) +MockView.authentication += (TokenAuthentication,) + urlpatterns = patterns('', (r'^$', MockView.as_view()), ) @@ -104,3 +109,40 @@ class SessionAuthTests(TestCase): """ response = self.csrf_client.post('/', {'example': 'example'}) self.assertEqual(response.status_code, 403) + + +class TokenAuthTests(TestCase): + """Token authentication""" + urls = 'djangorestframework.tests.authentication' + + def setUp(self): + self.csrf_client = Client(enforce_csrf_checks=True) + self.username = 'john' + self.email = 'lennon@thebeatles.com' + self.password = 'password' + self.user = User.objects.create_user(self.username, self.email, self.password) + + self.key = 'abcd1234' + self.token = Token.objects.create(key=self.key, user=self.user) + + def test_post_form_passing_token_auth(self): + """Ensure POSTing json over token auth with correct credentials passes and does not require CSRF""" + auth = self.key + response = self.csrf_client.post('/', {'example': 'example'}, HTTP_AUTHORIZATION=auth) + self.assertEqual(response.status_code, 200) + + def test_post_json_passing_token_auth(self): + """Ensure POSTing form over token auth with correct credentials passes and does not require CSRF""" + auth = self.key + response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth) + self.assertEqual(response.status_code, 200) + + def test_post_form_failing_token_auth(self): + """Ensure POSTing form over token auth without correct credentials fails""" + response = self.csrf_client.post('/', {'example': 'example'}) + self.assertEqual(response.status_code, 403) + + def test_post_json_failing_token_auth(self): + """Ensure POSTing json over token auth without correct credentials fails""" + response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json') + self.assertEqual(response.status_code, 403) diff --git a/djangorestframework/tokenauth/__init__.py b/djangorestframework/tokenauth/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/djangorestframework/tokenauth/__init__.py diff --git a/djangorestframework/tokenauth/authentication.py b/djangorestframework/tokenauth/authentication.py new file mode 100644 index 00000000..35d56211 --- /dev/null +++ b/djangorestframework/tokenauth/authentication.py @@ -0,0 +1,33 @@ +from djangorestframework.authentication import BaseAuthentication +from .models import Token + +class TokenAuthentication(BaseAuthentication): + """ + Use a token model for authentication. + + A custom token model may be used here, but must have the following minimum + properties: + + * key -- The string identifying the token + * user -- The user to which the token belongs + * revoked -- The status of the token + + The BaseToken class is available as an abstract model to be derived from. + + The token key should be passed in as a string to the "Authorization" HTTP + header. + """ + model = Token + + def authenticate(self, request): + key = request.META.get('HTTP_AUTHORIZATION', '').strip() + if not key: + return None + + try: + token = self.model.objects.get(key=key) + except self.model.DoesNotExist: + return None + + if token.user.is_active and not token.revoked: + return (token.user, token) diff --git a/djangorestframework/tokenauth/models.py b/djangorestframework/tokenauth/models.py new file mode 100644 index 00000000..3b9a55bc --- /dev/null +++ b/djangorestframework/tokenauth/models.py @@ -0,0 +1,19 @@ +from django.db import models + +class BaseToken(models.Model): + """ + The base abstract authorization token model class. + """ + key = models.CharField(max_length=32, primary_key=True) + user = models.ForeignKey('auth.User') + revoked = models.BooleanField(default=False) + + class Meta: + abstract=True + + +class Token(BaseToken): + """ + The default authorization token model class. + """ + pass |