1 files changed, 6 insertions, 4 deletions

diff --git a/rest_framework/request.py b/rest_framework/request.py
index 8248cbd4..cfbbdecc 100644
--- a/rest_framework/request.py
+++ b/rest_framework/request.py
@@ -278,7 +278,8 @@ class Request(object):
         compatibility with django.contrib.auth where the user property is
         set in the login and logout functions.
 
-        Sets the user on the wrapped original request as well.
+        Note that we also set the user on Django's underlying `HttpRequest`
+        instance, ensuring that it is available to any middleware in the stack.
         """
         self._user = value
         self._request.user = value
@@ -300,6 +301,7 @@ class Request(object):
         request, such as an authentication token.
         """
         self._auth = value
+        self._request.auth = value
 
     @property
     def successful_authenticator(self):
@@ -459,7 +461,7 @@ class Request(object):
 
             if user_auth_tuple is not None:
                 self._authenticator = authenticator
-                self.user, self._auth = user_auth_tuple
+                self.user, self.auth = user_auth_tuple
                 return
 
         self._not_authenticated()
@@ -479,9 +481,9 @@ class Request(object):
             self.user = None
 
         if api_settings.UNAUTHENTICATED_TOKEN:
-            self._auth = api_settings.UNAUTHENTICATED_TOKEN()
+            self.auth = api_settings.UNAUTHENTICATED_TOKEN()
         else:
-            self._auth = None
+            self.auth = None
 
     def __getattr__(self, attr):
         """