Restore session id when we use token authorization.
Nikita Manovich committed Dec 5, 2019
1 parent 8411d51 commit e46561e
Showing 3 changed files with 16 additions and 4 deletions.
14 changes: 14 additions & 0 deletions cvat/apps/authentication/auth.py
Expand Up @@ -11,6 +11,20 @@
from rest_framework.permissions import BasePermission
from django.core import signing
from rest_framework import authentication, exceptions
from rest_framework.authentication import TokenAuthentication as _TokenAuthentication
from django.contrib.auth import login

# Even with token authorization it is very important to have a valid session id
# in cookies because in some cases we cannot use token authorization (e.g. when
# we redirect to the server in UI using just URL). To overkill that we override
# the class to call `login` method which restores the session id in cookies.
class TokenAuthentication(_TokenAuthentication):
def authenticate(self, request):
auth = super().authenticate(request)
session = getattr(request, 'session')
if auth is not None and session.session_key is None:
login(request, auth[0], 'django.contrib.auth.backends.ModelBackend')
return auth

def register_signals():
from django.db.models.signals import post_migrate, post_save
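Review bot: `authenticate` turns a bearer token into a session cookie as a side effect, and that session is independent of the token: deleting or rotating the token afterwards does not end the session that `login` created. Because the settings hunk in cvat/settings/base.py makes this class the DRF default, this happens on every token-authenticated API call that arrives without a session key, including script clients that never need a cookie. The comment above the class should say so, and token revocation should presumably also flush that user's sessions. Separately, `getattr(request, 'session')` has no default, so it raises AttributeError for a request with no session attribute; `session = getattr(request, 'session', None)` with `if auth is not None and session is not None and session.session_key is None:` keeps token authentication working in that case.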
4 changes: 1 addition & 3 deletions cvat/apps/authentication/decorators.py
Expand Up @@ -8,7 +8,7 @@
from django.contrib.auth import REDIRECT_FIELD_NAME
from django.http import JsonResponse
from django.conf import settings
from rest_framework.authentication import TokenAuthentication
from cvat.apps.authentication.auth import TokenAuthentication
from django.contrib.auth import login

def login_required(function=None, redirect_field_name=REDIRECT_FIELD_NAME,
Expand All @@ -22,8 +22,6 @@ def _wrapped_view(request, *args, **kwargs):
tokenAuth = TokenAuthentication()
auth = tokenAuth.authenticate(request)
if auth is not None:
# If only token is available let's restore session id.
login(request, auth[0], 'django.contrib.auth.backends.ModelBackend')
return view_func(request, *args, **kwargs)

login_url = '{}/login'.format(settings.UI_URL)
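Review bot: With the explicit `login` call removed from `_wrapped_view`, the session is restored only when `TokenAuthentication.authenticate` finds `session.session_key is None`, whereas the old code called `login` for every valid token. If the request already carries a session key that does not belong to the token's user (an anonymous session, for instance), `view_func` now runs with `request.user` unchanged. The code before this hunk is not visible, so confirm that case cannot reach this branch, or keep a guarded call such as `if request.user != auth[0]: login(request, auth[0], 'django.contrib.auth.backends.ModelBackend')`. The `from django.contrib.auth import login` import kept in the first hunk looks unused now, unless the file uses it elsewhere. `_wrapped_view` starts and ends outside the hunk.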
2 changes: 1 addition & 1 deletion cvat/settings/base.py
Expand Up @@ -124,7 +124,7 @@ def generate_ssh_keys():
'rest_framework.permissions.IsAuthenticated',
],
'DEFAULT_AUTHENTICATION_CLASSES': [
'rest_framework.authentication.TokenAuthentication',
'cvat.apps.authentication.auth.TokenAuthentication',
'cvat.apps.authentication.auth.SignatureAuthentication',
'rest_framework.authentication.SessionAuthentication',
'rest_framework.authentication.BasicAuthentication'
