Add a TokenAuthentication class in a sub-application

f3e65eab · Mjumbe Wawatu Poe · 72bdd0fc · f3e65eab · f3e65eab · f3e65eab
Commit f3e65eab authored Sep 07, 2012 by Mjumbe Wawatu Poe
5 changed files
--- a/djangorestframework/runtests/settings.py
+++ b/djangorestframework/runtests/settings.py
@@ -90,6 +90,7 @@ INSTALLED_APPS = (
    # Uncomment the next line to enable admin documentation:
    # 'django.contrib.admindocs',
    'djangorestframework',
+    'djangorestframework.tokenauth',
 )

 STATIC_URL = '/static/'

--- a/djangorestframework/tests/authentication.py
+++ b/djangorestframework/tests/authentication.py
@@ -8,6 +8,9 @@ from django.http import HttpResponse
 from djangorestframework.views import APIView
 from djangorestframework import permissions

+from djangorestframework.tokenauth.models import Token
+from djangorestframework.tokenauth.authentication import TokenAuthentication
+
 import base64


@@ -20,6 +23,8 @@ class MockView(APIView):
    def put(self, request):
        return HttpResponse({'a': 1, 'b': 2, 'c': 3})

+MockView.authentication += (TokenAuthentication,)
+
 urlpatterns = patterns('',
    (r'^$', MockView.as_view()),
 )
@@ -104,3 +109,40 @@ class SessionAuthTests(TestCase):
        """
        response = self.csrf_client.post('/', {'example': 'example'})
        self.assertEqual(response.status_code, 403)
+
+
+class TokenAuthTests(TestCase):
+    """Token authentication"""
+    urls = 'djangorestframework.tests.authentication'
+
+    def setUp(self):
+        self.csrf_client = Client(enforce_csrf_checks=True)
+        self.username = 'john'
+        self.email = 'lennon@thebeatles.com'
+        self.password = 'password'
+        self.user = User.objects.create_user(self.username, self.email, self.password)
+
+        self.key = 'abcd1234'
+        self.token = Token.objects.create(key=self.key, user=self.user)
+
+    def test_post_form_passing_token_auth(self):
+        """Ensure POSTing json over token auth with correct credentials passes and does not require CSRF"""
+        auth = self.key
+        response = self.csrf_client.post('/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 200)
+
+    def test_post_json_passing_token_auth(self):
+        """Ensure POSTing form over token auth with correct credentials passes and does not require CSRF"""
+        auth = self.key
+        response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 200)
+
+    def test_post_form_failing_token_auth(self):
+        """Ensure POSTing form over token auth without correct credentials fails"""
+        response = self.csrf_client.post('/', {'example': 'example'})
+        self.assertEqual(response.status_code, 403)
+
+    def test_post_json_failing_token_auth(self):
+        """Ensure POSTing json over token auth without correct credentials fails"""
+        response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json')
+        self.assertEqual(response.status_code, 403)
--- a/djangorestframework/tokenauth/__init__.py
+++ b/djangorestframework/tokenauth/__init__.py
--- a/djangorestframework/tokenauth/authentication.py
+++ b/djangorestframework/tokenauth/authentication.py
+from djangorestframework.authentication import BaseAuthentication
+from .models import Token
+
+class TokenAuthentication(BaseAuthentication):
+    """
+    Use a token model for authentication.
+
+    A custom token model may be used here, but must have the following minimum
+    properties:
+
+    * key -- The string identifying the token
+    * user -- The user to which the token belongs
+    * revoked -- The status of the token
+
+    The BaseToken class is available as an abstract model to be derived from.
+
+    The token key should be passed in as a string to the "Authorization" HTTP
+    header.
+    """
+    model = Token
+
+    def authenticate(self, request):
+        key = request.META.get('HTTP_AUTHORIZATION', '').strip()
+        if not key:
+            return None
+
+        try:
+             token = self.model.objects.get(key=key)
+        except self.model.DoesNotExist:
+             return None
+
+        if token.user.is_active and not token.revoked:
+            return (token.user, token)
--- a/djangorestframework/tokenauth/models.py
+++ b/djangorestframework/tokenauth/models.py
+from django.db import models
+
+class BaseToken(models.Model):
+    """
+    The base abstract authorization token model class.
+    """
+    key = models.CharField(max_length=32, primary_key=True)
+    user = models.ForeignKey('auth.User')
+    revoked = models.BooleanField(default=False)
+
+    class Meta:
+        abstract=True
+
+
+class Token(BaseToken):
+    """
+    The default authorization token model class.
+    """
+    pass