Can we just pass this inline in the logging call?

    logging.debug(
        'Attempting authentication on API: %s',
        ', '.join(['%s=%s' % pair
                   for pair in six.iteritems(cleaned_credentials)]),
        extra={'request': request})

This could probably be simplified, because the username won't be None:

    if (request.user.is_authenticated() and
        request.user.username == credentials.get('username')):
Fix some bad assumptions for web API auth backends.
Review Request #6077 — Created July 7, 2014 and submitted
The web API auth backend support made a couple of bad assumptions that
made it hard to write additional backends.

If the Basic Auth backend was first, and it encountered something that
wasn't a Basic Auth authorization header, it would log failures, even
though it wasn't the target backend. We now perform the realm check
first before trying to parse it.

The base WebAPIAuthBackend class itself was assuming in some places that
backends would want a username and a password. Working around that
assumption meant overriding login_with_credentials(). Now, that function
no longer cares about the specific contents of credentials, and farms
out to the Django auth backends and to a new validate_credentials() for
any specifics, making it easier to override.

Along with this, we now log all credential information passed to the
API, being careful to mask any sensitive information.

Tested this with a new auth backend that didn't deal in usernames and
passwords, and also didn't replace the Basic Auth backend. No longer saw
extra log messages, and didn't have to replace login_with_credentials().
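The realm-check-first flow and the masked credential logging described above, together with the inline logging call from the review comment, as an added stand-alone example. This is not Djblets' code: the two toy backends, the constructed sample users, tokens and headers, and the regex name SENSITIVE_CREDENTIAL_RE (assumed here to carry the _RE suffix the review asks for) are all illustrative. A header from another realm makes get_credentials() return None and emits no log line, a second backend that knows nothing about usernames or passwords plugs in without overriding the dispatcher, and every log line carries masked values.

```python
import base64
import hmac
import re

# Hypothetical name carrying the _RE suffix a reviewer asked for; not a
# Djblets constant. Keys matching it are masked before anything is logged.
SENSITIVE_CREDENTIAL_RE = re.compile(
    r'(password|passwd|secret|token|api[-_]?key)', re.IGNORECASE)

# Constructed sample data for the two toy backends below.
SAMPLE_USERS = {'alice': 's3cret'}
SAMPLE_TOKENS = {'tok-0123456789abcdef'}
SAMPLE_BASIC_HEADER = 'Basic ' + base64.b64encode(b'alice:s3cret').decode('ascii')
SAMPLE_BEARER_HEADER = 'Bearer tok-0123456789abcdef'


def mask_credentials(credentials):
    """Copy credentials, replacing values of sensitive keys with '***'.

    Non-sensitive fields (the username, say) are kept so the log line still
    records which fields were presented.
    """
    return {
        key: '***' if SENSITIVE_CREDENTIAL_RE.search(key) else value
        for key, value in credentials.items()
    }


def format_credentials_for_log(credentials):
    """Render masked credentials as 'key=value, ...' in a stable order."""
    cleaned = mask_credentials(credentials)
    return ', '.join('%s=%s' % pair for pair in sorted(cleaned.items()))


def _constant_time_equal(a, b):
    # Compare secrets without leaking where they first differ.
    return hmac.compare_digest(a.encode('utf-8'), b.encode('utf-8'))


class BasicAuthBackend(object):
    name = 'basic'

    def get_credentials(self, auth_header):
        """Realm check first: a header that is not 'Basic ...' is not ours."""
        if not auth_header or not auth_header.startswith('Basic '):
            return None
        encoded = auth_header[len('Basic '):].strip()
        try:
            decoded = base64.b64decode(encoded, validate=True).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            return None  # malformed Basic payload; nothing usable to try
        username, sep, password = decoded.partition(':')
        if not sep:
            return None
        return {'username': username, 'password': password}

    def validate_credentials(self, credentials):
        expected = SAMPLE_USERS.get(credentials['username'])
        return expected is not None and _constant_time_equal(
            expected, credentials['password'])


class TokenAuthBackend(object):
    """A backend that deals in neither usernames nor passwords."""
    name = 'token'

    def get_credentials(self, auth_header):
        if not auth_header or not auth_header.startswith('Bearer '):
            return None
        return {'token': auth_header[len('Bearer '):].strip()}

    def validate_credentials(self, credentials):
        return any(_constant_time_equal(credentials['token'], t)
                   for t in SAMPLE_TOKENS)


def collect_auth_log(auth_header, backends):
    """Offer the header to each backend in turn; return the log lines emitted.

    Backends whose realm does not match return None and log nothing, so a
    Bearer token passing a Basic backend no longer produces a failure line.
    The first backend that claims the header decides the outcome.
    """
    lines = []
    for backend in backends:
        credentials = backend.get_credentials(auth_header)
        if credentials is None:
            continue
        lines.append('%s: attempting authentication on API: %s'
                     % (backend.name, format_credentials_for_log(credentials)))
        if not backend.validate_credentials(credentials):
            lines.append('%s: authentication failed' % backend.name)
        break
    return lines


if __name__ == '__main__':
    backends = [BasicAuthBackend(), TokenAuthBackend()]
    for header in (SAMPLE_BASIC_HEADER, SAMPLE_BEARER_HEADER, 'Digest nope'):
        print(header, '->', collect_auth_log(header, backends))
```

The masking is keyed on field names rather than on values, which is the only thing a generic dispatcher can know about an arbitrary backend's credentials; a backend that stores secrets under unusual names is expected to extend the regex.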
Description | From | Last Updated
---|---|---
Care to add _RE to the end of this name? | david |
Can we just pass this inline in the logging call? logging.debug( 'Attempting authentication on API: %s', ', '.join([ '%s=%s' % … | david |
This could probably be simplified, because the username won't be None: if (request.user.is_authenticated() and request.user.username == credentials.get('username')): | david |
Can we move all of this into the try? | david |
Change Summary:
Fixed some code that didn't get removed.

Commit:
a53844c9aaa090cf8a8c25e986b201e07d8b96f8 → bad1fea70fe9d46fa343a5fa3d2040a83f7e8c7b

Diff:
Revision 2 (+72 -22)

Change Summary:
- Added a _RE suffix to the sensitive strings regex.
- Simplified a conditional.
- Added a

Commit:
bad1fea70fe9d46fa343a5fa3d2040a83f7e8c7b → faaa074e50c47a917eb5d6c19154cc9b6ca51982

Diff:
Revision 3 (+71 -19)

Tool: Pyflakes
Processed Files: djblets/webapi/auth.py

Tool: PEP8 Style Checker
Processed Files: djblets/webapi/auth.py