From 6e3f60341313784505ee7d067c7811fadf7164f1 Mon Sep 17 00:00:00 2001 From: Oliver Walters Date: Sat, 18 Apr 2020 12:06:50 +1000 Subject: [PATCH] Improvements for token authentication - Do not POST username and password data - This is already encoded in the Authorization: Basic headers --- InvenTree/InvenTree/test_api.py | 84 +++++++++++++++------------------ InvenTree/users/views.py | 32 +++++++------ 2 files changed, 56 insertions(+), 60 deletions(-) diff --git a/InvenTree/InvenTree/test_api.py b/InvenTree/InvenTree/test_api.py index e75a111e5d..7068593e6b 100644 --- a/InvenTree/InvenTree/test_api.py +++ b/InvenTree/InvenTree/test_api.py @@ -4,9 +4,10 @@ from rest_framework.test import APITestCase from rest_framework import status from django.urls import reverse - from django.contrib.auth import get_user_model +from base64 import b64encode + class APITests(APITestCase): """ Tests for the InvenTree API """ @@ -21,24 +22,48 @@ class APITests(APITestCase): username = 'test_user' password = 'test_pass' + token = None + def setUp(self): # Create a user (but do not log in!) User = get_user_model() User.objects.create_user(self.username, 'user@email.com', self.password) - def get_token(self): + def basicAuth(self): + # Use basic authentication + + authstring = bytes("{u}:{p}".format(u=self.username, p=self.password), "ascii") + + # Use "basic" auth by default + auth = b64encode(authstring).decode("ascii") + self.client.credentials(HTTP_AUTHORIZATION="Basic {auth}".format(auth=auth)) + + def tokenAuth(self): + + self.basicAuth() token_url = reverse('api-token') + response = self.client.get(token_url, format='json', data={}) + + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertIn('token', response.data) - # POST to retreive a token - response = self.client.post(token_url, format='json', data={'username': self.username, 'password': self.password}) - token = response.data['token'] - - self.client.credentials(HTTP_AUTHORIZATION='Token ' + token) - self.token = token + def token_failure(self): + # Test token endpoint without basic auth + url = reverse('api-token') + response = self.client.get(url, format='json') + + self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) + self.assertIsNone(self.token) + + def token_success(self): + + self.tokenAuth() + self.assertIsNotNone(self.token) + def test_info_view(self): """ Test that we can read the 'info-view' endpoint. @@ -55,51 +80,18 @@ class APITests(APITestCase): self.assertEquals('InvenTree', data['server']) - def test_get_token_fail(self): - """ Ensure that an invalid user cannot get a token """ - - token_url = reverse('api-token') - - response = self.client.post(token_url, format='json', data={'username': 'bad', 'password': 'also_bad'}) - - self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST) - self.assertFalse('token' in response.data) - - def test_get_token_pass(self): - """ Ensure that a valid user can request an API token """ - - token_url = reverse('api-token') - - # POST to retreive a token - response = self.client.post(token_url, format='json', data={'username': self.username, 'password': self.password}) - - self.assertEqual(response.status_code, status.HTTP_200_OK) - self.assertTrue('token' in response.data) - self.assertTrue('pk' in response.data) - self.assertTrue(len(response.data['token']) > 0) - - # Now, use the token to access other data - token = response.data['token'] - - part_url = reverse('api-part-list') - - # Try to access without a token - response = self.client.get(part_url, format='json') + def test_barcode_fail(self): + # Test barcode endpoint without auth + response = self.client.post(reverse('api-barcode-plugin'), format='json') self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) - - # Now, with the token - self.client.credentials(HTTP_AUTHORIZATION='Token ' + token) - response = self.client.get(part_url, format='json') - - self.assertEqual(response.status_code, status.HTTP_200_OK) def test_barcode(self): """ Test the barcode endpoint """ - url = reverse('api-barcode-plugin') + self.tokenAuth() - self.get_token() + url = reverse('api-barcode-plugin') data = { 'barcode': { diff --git a/InvenTree/users/views.py b/InvenTree/users/views.py index 01d9834c69..97e5f48355 100644 --- a/InvenTree/users/views.py +++ b/InvenTree/users/views.py @@ -3,7 +3,7 @@ from django.contrib.auth.models import User from django.core.exceptions import ObjectDoesNotExist from .serializers import UserSerializer -from rest_framework.authtoken.views import ObtainAuthToken +from rest_framework.views import APIView from rest_framework.authtoken.models import Token from rest_framework.response import Response from rest_framework import status @@ -25,28 +25,32 @@ class UserList(generics.ListAPIView): permission_classes = (permissions.IsAuthenticated,) -class GetAuthToken(ObtainAuthToken): +class GetAuthToken(APIView): """ Return authentication token for an authenticated user. """ - def post(self, request, *args, **kwargs): + permission_classes = [ + permissions.IsAuthenticated, + ] + + def get(self, request, *args, **kwargs): return self.login(request) def delete(self, request): return self.logout(request) def login(self, request): - serializer = self.serializer_class(data=request.data, - context={'request': request}) - serializer.is_valid(raise_exception=True) - user = serializer.validated_data['user'] - token, created = Token.objects.get_or_create(user=user) - return Response({ - 'token': token.key, - 'pk': user.pk, - 'username': user.username, - 'email': user.email - }) + if request.user.is_authenticated: + # Get the user token (or create one if it does not exist) + token, created = Token.objects.get_or_create(user=request.user) + return Response({ + 'token': token.key, + }) + + else: + return Response({ + 'error': 'User not authenticated', + }) def logout(self, request): try: