Commit d350c42a authored by Sofia Papagiannaki's avatar Sofia Papagiannaki

astakos: api calls authenticated via X-Auth-Token shall not affect cookie

CookieAuthenticationMiddleware.process_request() synchronizes
the astakos cookie with the request user.
If an astakos cookie is set but there is no logged in user,
the middleware deletes the cookie.
Respectively, if there is a logged in user but the astakos cookie
is not set, the middleware sets the cookie.
In order to set/delete the cookie, redirects to the request path.

For checking whether the user is logged in or not,
utilized the django.contrib.auth.models.User.is_authenticated() method.
This returns always True for django.contrib.auth.models.User instances
(request.user for non authenticated requests is
 django.contrib.auth.models.AnonymousUser instance)

Some astakos api calls are decorated by
astakos.api.utils.user_for_token()
which checks the X-Auth-Token request header and if its valid
sets the request.user to the respective AstakosUser instance.

Therefore, the above check succeeded for these calls
and the middleware used to set the cookie.
Subsequent requests read the cookie and
if it did not comform with the request.user
(no authentication info supplied)
redirected to request path for deleting it.

In order to resolve this undesired behavior
the cookie fix() method has been changed
and if it is actually an api call request
it returns immediately without affecting the cookie.
parent 023cab33
......@@ -36,7 +36,6 @@ import logging
from urllib import quote, unquote
from django.contrib.auth.models import AnonymousUser
from django.http import HttpRequest
from django.utils.translation import ugettext as _
from astakos.im.settings import (
......@@ -46,6 +45,7 @@ import astakos.im.messages as astakos_messages
logger = logging.getLogger(__name__)
class Cookie():
def __init__(self, request, response=None):
cookies = getattr(request, 'COOKIES', {})
......@@ -81,7 +81,8 @@ class Cookie():
if not self.response:
raise ValueError(_(astakos_messages.NO_RESPONSE))
user = self.user
expire_fmt = user.auth_token_expires.strftime('%a, %d-%b-%Y %H:%M:%S %Z')
expire_fmt = user.auth_token_expires.strftime(
'%a, %d-%b-%Y %H:%M:%S %Z')
if TRANSLATE_UUIDS:
cookie_value = quote(user.username + '|' + user.auth_token)
else:
......
......@@ -31,13 +31,9 @@
# interpreted as representing official policies, either expressed
# or implied, of GRNET S.A.
from urlparse import urlunsplit, urlsplit
from django.http import HttpResponse
from django.utils.http import urlencode
from astakos.im.cookie import Cookie
from astakos.im.util import get_query
class CookieAuthenticationMiddleware(object):
......@@ -45,18 +41,16 @@ class CookieAuthenticationMiddleware(object):
cookie = Cookie(request)
if cookie.is_valid:
return
response = HttpResponse(status=302)
parts = list(urlsplit(request.path))
params = get_query(request)
parts[3] = urlencode(params)
url = urlunsplit(parts)
response['Location'] = url
response['Location'] = request.get_full_path()
cookie.fix(response)
return response
def process_response(self, request, response):
Cookie(request, response).fix()
return response
\ No newline at end of file
cookie = Cookie(request, response)
# if the user authentication status has changed during the processing
# set/delete the cookie appropriately
if not cookie.is_valid:
cookie.fix()
return response
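Review bot: In process_request the 302 is still issued for every request whose cookie is not valid, and at that point `request.api_call` cannot yet be set, because the `api_method` decorator assigns it inside the view wrapper, which Django runs only after all process_request hooks; an X-Auth-Token request that happens to carry a stale astakos cookie therefore still receives the redirect that the commit message says api calls should be spared from. This is inferred, since the Cookie.fix() change itself is not in the diff, but it is worth a comment on the `if cookie.is_valid: return` branch, or a request-phase test the middleware can evaluate here (for example the presence of the token header) rather than a flag set by the view. Separately, `response['Location'] = request.get_full_path()` echoes the raw path and query string; if a path beginning with `//` can reach this middleware the Location becomes protocol-relative, so a guard against that is worth considering. process_request's signature lies outside the hunk.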
......@@ -97,6 +97,9 @@ def api_method(http_method=None, token_required=True, user_required=True,
request.user_uniq = user_info["uuid"]
request.user = user_info
# Mark request as api call
request.api_call = True
# Get the response object
response = func(request, *args, **kwargs)
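Review bot: `request.api_call = True` is assigned only after the token has been validated and `request.user` set, so a request that fails authentication presumably leaves the attribute unset (the code that rejects the token is above this hunk, so this is inferred) and the cookie middleware then treats the error response like a browser request. Setting the flag as the first statement of the wrapper, before any token check, would make the api-call classification independent of the auth outcome. The comment should also name the consumer so the contract is visible to both sides: `# Mark request as api call: Cookie.fix() must leave the astakos cookie untouched for these`. The wrapper's definition starts outside the hunk.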
......