- Change Summary:
-
- The WebAPIToken ID is now stored in the session, and the token re-fetched later, instead of storing the Local Site ID itself in the session. That way, changing the Local Site associated with the token will affect existing sessions. We'll also be needing that token in other changes.
- Deleting a token now invalidates existing sessions.
- Description:
-
This introduces new auth and webapi auth backends for performing API
requests using an API token. Users can have zero or more API tokens linked to their account, and any will be valid for authentication. The goal is to allow tokens for different access levels (read/write, read-only) and, down the road, scopes. Clients can use these when talking to the API by passing
~ Authorization: token <token_value\>in the request. This will~ Authorization: token <token_value>in the request. This willauthenticate the owner of that token for the API requests. Tokens cannot be used to authenticate through the website.
For now, tokens must be created through the admin UI. Further changes
are coming to make the usage of tokens more practical. - Commit:
-
a452adc94fe65196c255c3a2cf1b2098f9f02707ebc2333e4220f97e6b5cdf3bb26ed1a27117e32d
Add support for using API tokens for authentication.
Review Request #6079 — Created July 8, 2014 and submitted
This introduces new auth and webapi auth backends for performing API
requests using an API token. Users can have zero or more API tokens
linked to their account, and any will be valid for authentication. The
goal is to allow tokens for different access levels (read/write,
read-only) and, down the road, scopes.Clients can use these when talking to the API by passing
Authorization: token <token_value>in the request. This will
authenticate the owner of that token for the API requests.Tokens cannot be used to authenticate through the website.
For now, tokens must be created through the admin UI. Further changes
are coming to make the usage of tokens more practical.
I tested with 2 LocalSites and the global site.
I created three auth tokens: One unbound to a LocalSite, and one bound to each LocalSite.
Using curl, I attempted to access
/api/session/on the global site and on each LocalSite using each token. Results:
- Global token could reach the global
/api/session/and that of each LocalSite.- LocalSite token 1 could only reach
/s/site1/api/session/, and got a Permission Denied elsewhere.- Same behavior for LocalSite token 2, except it could only reach
/s/site2/api/session/.Specifying an invalid token gave me an authentication error.
Unit tests pass (except that some on master haven't been updated for the function renames, but those are irrelevant to these changes).
| Description | From | Last Updated |
|---|---|---|
|
'from settings_local import *' used; unable to detect undefined names |
 reviewbot
|
|
|
'PIPELINE_CSS' imported but unused |
reviewbot
|
|
|
'PIPELINE_JS' imported but unused |
reviewbot
|
|
|
'from settings_local import *' used; unable to detect undefined names |
reviewbot
|
|
|
'PIPELINE_CSS' imported but unused |
reviewbot
|
|
|
'PIPELINE_JS' imported but unused |
reviewbot
|
|
|
The second line here isn't indented properly (it should be inside the hashlib.sha1() call). You can also get rid of … |
 david
|
|
|
This isn't inside an exception handler so exc_info doesn't mean anything. |
david
|
|
|
Is this meant to be returned via the API, or shown in the UI? If the former, we don't usually … |
david
|
|
|
This could then just be TokenAuthBackend, to make it clear that it's not specifically an API backend. |
david
|
|
|
So I just noticed the inconsistency in the names here. How about naming the second one WebAPITokenAuthBackend? |
david
|
|
|
'from settings_local import *' used; unable to detect undefined names |
reviewbot
|
|
|
'PIPELINE_CSS' imported but unused |
reviewbot
|
|
|
'PIPELINE_JS' imported but unused |
reviewbot
|
|
|
'django_reset' imported but unused |
reviewbot
|
|
|
'from settings_local import *' used; unable to detect undefined names |
reviewbot
|
|
|
'PIPELINE_JS' imported but unused |
reviewbot
|
|
|
'PIPELINE_CSS' imported but unused |
reviewbot
|
|
|
undefined name 'APITokenWebAPIAuthBackend' |
reviewbot
|
|
|
'django_reset' imported but unused |
reviewbot
|
|
|
'from settings_local import *' used; unable to detect undefined names |
reviewbot
|
|
|
'PIPELINE_JS' imported but unused |
reviewbot
|
|
|
'PIPELINE_CSS' imported but unused |
reviewbot
|
-
Tool: Pyflakes Processed Files: reviewboard/admin/siteconfig.py reviewboard/webapi/models.py reviewboard/settings.py reviewboard/webapi/errors.py reviewboard/webapi/auth_backends.py reviewboard/webapi/admin.py reviewboard/webapi/decorators.py reviewboard/webapi/managers.py Tool: PEP8 Style Checker Processed Files: reviewboard/admin/siteconfig.py reviewboard/webapi/models.py reviewboard/settings.py reviewboard/webapi/errors.py reviewboard/webapi/auth_backends.py reviewboard/webapi/admin.py reviewboard/webapi/decorators.py reviewboard/webapi/managers.py -
-
-
- Change Summary:
-
- Fixed indentation when generating a token.
- Removed a
exc_info=1on a logging call where it wasn't needed.
- Commit:
-
ebc2333e4220f97e6b5cdf3bb26ed1a27117e32d4a9e5f0c517be8f200c51d8ffe22bb8eb13273b1
-
Tool: PEP8 Style Checker Processed Files: reviewboard/admin/siteconfig.py reviewboard/webapi/base.py reviewboard/settings.py reviewboard/webapi/models.py reviewboard/webapi/errors.py reviewboard/webapi/auth_backends.py reviewboard/webapi/admin.py reviewboard/webapi/decorators.py reviewboard/webapi/managers.py Tool: Pyflakes Processed Files: reviewboard/admin/siteconfig.py reviewboard/webapi/base.py reviewboard/settings.py reviewboard/webapi/models.py reviewboard/webapi/errors.py reviewboard/webapi/auth_backends.py reviewboard/webapi/admin.py reviewboard/webapi/decorators.py reviewboard/webapi/managers.py -
-
-
- Change Summary:
-
Renamed the classes.
- Commit:
-
4a9e5f0c517be8f200c51d8ffe22bb8eb13273b1f3eef2a895f6613656245cdef25056791e00ef3e
-
Tool: PEP8 Style Checker Processed Files: reviewboard/admin/siteconfig.py reviewboard/webapi/base.py reviewboard/settings.py reviewboard/webapi/models.py reviewboard/webapi/errors.py reviewboard/webapi/auth_backends.py reviewboard/webapi/admin.py reviewboard/webapi/decorators.py reviewboard/webapi/managers.py Tool: Pyflakes Processed Files: reviewboard/admin/siteconfig.py reviewboard/webapi/base.py reviewboard/settings.py reviewboard/webapi/models.py reviewboard/webapi/errors.py reviewboard/webapi/auth_backends.py reviewboard/webapi/admin.py reviewboard/webapi/decorators.py reviewboard/webapi/managers.py -
-
-
-
-
- Change Summary:
-
Fixed the super call.
- Commit:
-
f3eef2a895f6613656245cdef25056791e00ef3edf7d622b553da5720e690b4207581306ca26ff71
-
Tool: Pyflakes Processed Files: reviewboard/admin/siteconfig.py reviewboard/webapi/base.py reviewboard/settings.py reviewboard/webapi/models.py reviewboard/webapi/errors.py reviewboard/webapi/auth_backends.py reviewboard/webapi/admin.py reviewboard/webapi/decorators.py reviewboard/webapi/managers.py Tool: PEP8 Style Checker Processed Files: reviewboard/admin/siteconfig.py reviewboard/webapi/base.py reviewboard/settings.py reviewboard/webapi/models.py reviewboard/webapi/errors.py reviewboard/webapi/auth_backends.py reviewboard/webapi/admin.py reviewboard/webapi/decorators.py reviewboard/webapi/managers.py -
-
-
-
Tool: PEP8 Style Checker Processed Files: reviewboard/admin/siteconfig.py reviewboard/webapi/base.py reviewboard/settings.py reviewboard/webapi/models.py reviewboard/webapi/errors.py reviewboard/webapi/auth_backends.py reviewboard/webapi/admin.py reviewboard/webapi/decorators.py reviewboard/webapi/managers.py Tool: Pyflakes Processed Files: reviewboard/admin/siteconfig.py reviewboard/webapi/base.py reviewboard/settings.py reviewboard/webapi/models.py reviewboard/webapi/errors.py reviewboard/webapi/auth_backends.py reviewboard/webapi/admin.py reviewboard/webapi/decorators.py reviewboard/webapi/managers.py