Update authentication.py Code Simplification #9502

Closed
32 changes: 10 additions & 22 deletions rest_framework/authentication.py
Expand Up @@ -150,10 +150,10 @@ def dummy_get_response(request): # pragma: no cover

class TokenAuthentication(BaseAuthentication):
"""
Simple token based authentication.
Simple token-based authentication.

Clients should authenticate by passing the token key in the "Authorization"
HTTP header, prepended with the string "Token ". For example:
HTTP header, prepended with the string "Token ". For example:

Authorization: Token 401f7ac837da42b97f613d789819ff93537bee6a
"""
Expand All @@ -167,31 +167,19 @@ def get_model(self):
from rest_framework.authtoken.models import Token
return Token

"""
A custom token model may be used, but must have the following properties.

* key -- The string identifying the token
* user -- The user to which the token belongs
"""
Comment on lines -170 to -175
Contributor

Why would this need to be removed?


def authenticate(self, request):
auth = get_authorization_header(request).split()

if not auth or auth[0].lower() != self.keyword.lower().encode():
if len(auth) != 2 or auth[0].lower() != self.keyword.lower().encode():
return None

if len(auth) == 1:
msg = _('Invalid token header. No credentials provided.')
raise exceptions.AuthenticationFailed(msg)
elif len(auth) > 2:
msg = _('Invalid token header. Token string should not contain spaces.')
raise exceptions.AuthenticationFailed(msg)
Comment on lines -183 to -188
Contributor

What happened to these error messages? The idea is to validate the shape of the token header; with your proposed code, an invalid token will go unnoticed.



token = auth[1]
try:
token = auth[1].decode()
token = token.decode()
except UnicodeError:
msg = _('Invalid token header. Token string should not contain invalid characters.')
raise exceptions.AuthenticationFailed(msg)
raise exceptions.AuthenticationFailed(
_('Invalid token header. Token string should not contain invalid characters.')
)
Comment on lines -193 to +182
Contributor

Why is this change necessary?


return self.authenticate_credentials(token)
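
Review bot: In `authenticate`, the new guard `if len(auth) != 2 or auth[0].lower() != self.keyword.lower().encode(): return None` changes behaviour, not just layout. A header with the right keyword but no credentials (`len(auth) == 1`), or with a token containing spaces (`len(auth) > 2`), used to raise `AuthenticationFailed` with a specific message; it now returns `None`, the same result as a request that never sent a `Token` header. That drops two client-facing errors and means a malformed credential is no longer rejected by this class. Keep the keyword check and the two length checks as separate steps. The removed docstring listing the `key` and `user` properties a custom token model must have is the only statement of that contract visible in this hunk and should stay. The `token = auth[1]` / `token.decode()` split adds a line without changing the result.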

Expand All @@ -205,7 +193,7 @@ def authenticate_credentials(self, key):
if not token.user.is_active:
raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))

return (token.user, token)
return token.user, token

def authenticate_header(self, request):
return self.keyword
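
Review bot: `return token.user, token` builds the same tuple as `return (token.user, token)`, so the change in `authenticate_credentials` is style-only. Drop it from the PR unless the project has a rule against the parentheses, so the diff stays limited to changes that need review.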