Fix some bad assumptions for web API auth backends.
Review Request #6077 — Created July 7, 2014 and submitted — Latest diff uploaded
The web API auth backend support made a couple bad assumptions that made it hard to write additional backends.

If the Basic Auth backend was first, and it encountered something that wasn't a Basic Auth authorization header, it would log failures, even though it wasn't the target backend. We now perform the realm check first before trying to parse it.

The base WebAPIAuthBackend class itself was assuming in some places that backends would want a username and a password. Working around that assumption meant overriding login_with_credentials(). Now, that function no longer cares about the specific contents of credentials, and farms out to the Django auth backends and to a new validate_credentials() for any specifics, making it easier to override.

Along with this, we now log all credential information passed to the API, being careful to mask any sensitive information.

Tested this with a new auth backend that didn't deal in usernames and passwords, and also didn't replace the Basic Auth backend. No longer saw extra log messages, and didn't have to replace login_with_credentials().
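
The two behaviours described above, checking the header's scheme before parsing it and masking sensitive values before logging credentials, shown as an added standalone Python example that is not the code from this change. The function names, the logger name and the set of sensitive key names are assumptions made for illustration.

```python
import base64
import logging

logger = logging.getLogger("webapi.auth.example")  # assumed logger name

# Assumed key names; a real backend would declare its own sensitive fields.
SENSITIVE_KEYS = {"password", "token", "secret", "api_key"}


def mask_credentials(credentials):
    """Return a copy that is safe to log: keys kept, sensitive values hidden."""
    return {
        key: "************" if key.lower() in SENSITIVE_KEYS else value
        for key, value in credentials.items()
    }


def parse_basic_auth(header):
    """Return credentials for a Basic header, or None if it is not ours.

    The scheme is checked before any decoding, so a header meant for
    another backend is skipped silently instead of logged as a failure.
    """
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic":
        return None  # not the target backend: no parsing, no log noise

    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
        username, sep, password = decoded.partition(":")
        if not sep:
            raise ValueError("missing ':' separator")
    except ValueError as e:  # also covers binascii.Error, UnicodeDecodeError
        # Log only the error type so no header bytes reach the log.
        logger.warning("Malformed Basic auth header (%s)", type(e).__name__)
        return None
    return {"username": username, "password": password}


def get_credentials(header, parsers=(parse_basic_auth,)):
    """Try each parser in order and log what was received, masked."""
    for parser in parsers:
        credentials = parser(header)
        if credentials is not None:
            logger.info("API credentials: %r", mask_credentials(credentials))
            return credentials
    return None
```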