djblets.webapi.auth.backends.base¶
The base class for an API authentication backend.
- class WebAPIAuthBackend[source]¶
Handles a form of authentication for the web API.
This can be overridden to provide custom forms of authentication, or to support multiple types of authentication.
More than one authentication backend can be used with the web API. In that case, the client can make the determination about which to use.
Auth backends generally need to only override the
get_credentials()
method, though more specialized ones may override other methods as well.They must also provide
www_auth_scheme
which is aWWW-Authenticate
scheme value.- SENSITIVE_CREDENTIALS_RE = re.compile('api|token|key|secret|password|signature', re.IGNORECASE)[source]¶
A regex of sensitive entries in the credentials dictionary.
By default, this excludes keys containing “api”, “token”, “key”, “secret”, “password”, or “signature” anywhere in the name, in any casing.
This can be extended for other sensitive information.
- get_auth_headers(request)[source]¶
Return extra authentication headers for the response.
- Parameters
request (django.http.HttpRequest) – The HTTP request from the client.
- Returns
The authentication headers (defaults to empty).
- Return type
- authenticate(request)[source]¶
Authenticate a request against this auth backend.
This will fetch the credentials and attempt an authentication against those credentials.
This function must return
None
to indicate it should be skipped and another backend should be tried, or a tuple indicating the success/failure and additional details for the client.- Parameters
request (django.http.HttpRequest) – The HTTP request from the client.
- Returns
The tuple is in the form of:
(is_successful, error_message, headers)
The error message and headers can be None to use the default error message and headers from the
LOGIN_FAILED
error. In most cases, they should beNone
, unless there are more specific instructions needed for authenticating.If the backend should be skipped, this will return
None
.- Return type
- get_credentials(request)[source]¶
Return credentials provided in the request.
This returns a dictionary of all credentials necessary for this auth backend. By default, this expects
username
andpassword
, though more specialized auth backends may provide other information. These credentials will be passed tologin_with_credentials()
.This function must be implemented by the subclass.
- Parameters
request (django.http.HttpRequest) – The HTTP request from the client.
- Returns
A dictionary of credential information.
- Return type
- login_with_credentials(request, **credentials)[source]¶
Log in against the main authentication backends.
This takes the provided credentials from the request (as returned by
get_credentials()
) and attempts a login against the main authentication backends used by Django.- Parameters
request (django.http.HttpRequest) – The HTTP request from the client.
credentials (dict) – All credentials provided by
get_credentials()
.
- Returns
See the return type in
authenticate()
.- Return type
- validate_credentials(request, **credentials)[source]¶
Validate that credentials are valid.
This is called before we attempt to authenticate with the credentials, and can short-circuit the rest of the authentication process, returning a result tuple if desired. If
None
is returned, authentication proceeds as normal.By default, this will attempt to bypass authentication if the current user is already logged in and matches the authenticated user (if and only if
username
appears in the credentials).Subclasses can override this to provide more specific behavior for their sets of credentials, or to disable this entirely.
- Parameters
request (django.http.HttpRequest) – The HTTP request from the client.
credentials (dict) – All credentials provided by
get_credentials()
.
- Returns
See the return type in
authenticate()
.- Return type