Commit e3565b1d authored by BAIRE Anthony's avatar BAIRE Anthony

split user authentication according to the requset path

- API requests authenticated by token
- UI requests authenticated by cookie

fix #311 and #119
parent c3b036b7
......@@ -179,9 +179,12 @@ def get_base_url(request):
def get_request_user(request):
"""Return the authenticated user from the provided request
The authentication is attempted:
- first with the session cookie
- then with the token provided in the HTTP Authorization header
Depending on the request path, the authentication is attempted on:
- the token provided in the HTTP Authorization header for /api/ urls
- the session cookie for other urls
In case of /auth requests we assume that 'X-Original-URI' is the path of
the current request.
Args:
request
......@@ -189,17 +192,25 @@ def get_request_user(request):
Returns:
a User or None
"""
if request.user.is_authenticated:
return request.user
mo = re.match("Token token=(\S+)",
request.META.get('HTTP_AUTHORIZATION', ''))
if mo:
return getattr(
# FIXME: user token should have a unicity constraint
AllgoUser.objects.filter(token=mo.group(1)).first(),
"user", None)
path = request.path
if path == "/auth":
path = request.META['HTTP_X_ORIGINAL_URI']
if path.startswith("/api/"):
# authenticated by token for API requests
#
# NOTE: we must NOT authenticate by cookie because the CORS
# configuration in the nginx.conf allows all origins
mo = re.match("Token token=(\S+)",
request.META.get('HTTP_AUTHORIZATION', ''))
if mo:
return getattr(
# FIXME: user token should have a unicity constraint
AllgoUser.objects.filter(token=mo.group(1)).first(),
"user", None)
else:
# authenticated by cookie for other requests
if request.user.is_authenticated:
return request.user
def query_webapps_for_user(user):
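Review bot: On the `/auth` branch `request.META['HTTP_X_ORIGINAL_URI']` raises KeyError when the header is absent, so an `/auth` request that did not come through the reverse proxy's auth subrequest ends in a 500 instead of the `None` the docstring promises; `path = request.META.get('HTTP_X_ORIGINAL_URI', '')` keeps the fall-through (an empty path is neither `/api/` nor anything cookie-authenticated beyond what the else branch already allows). Because that header decides whether cookie authentication is permitted at all, the trust placed in it deserves a line next to the assignment, e.g. `# X-Original-URI is trusted as the real request path; it must only be set by the nginx auth_request subrequest, so /auth must not be exposed directly` — this is inferred from the "we assume" sentence in the docstring, so confirm it against the nginx configuration. The regex literal `"Token token=(\S+)"` is not a raw string and trips the invalid-escape warning on current Pythons; `r"Token token=(\S+)"` is the same pattern. The pre-existing branch in the first hunk documents the same assumption, so the docstring there could mention that a missing header yields no user once the `.get` change is in.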