astakos: api calls authenticated via X-Auth-Token shall not affect cookie
CookieAuthenticationMiddleware.process_request() synchronizes the astakos cookie with the request user. If an astakos cookie is set but there is no logged in user, the middleware deletes the cookie. Respectively, if there is a logged in user but the astakos cookie is not set, the middleware setis the cookie. In order to set/delete the cookie, redirects to the request path. For checking whether the user is logged in or not, utilized the django.contrib.auth.models.User.is_authenticated() method. This returns always True for django.contrib.auth.models.User instances (request.user for non authenticated requests is django.contrib.auth.models.AnonymousUser instance) Some astakos api calls are decorated by astakos.api.utils.user_for_token() which checks the X-Auth-Token request header and if its valid sets the request.user to the respective AstakosUser instance. Therefore, the above check succeeded for these calls and the middleware used to set the cookie. Subsequent requests read the cookie and if it did not comform with the request.user (no authentication info supplied) redirected to request path for deleting it. In order to resolve this undesired behavior the cookie fix() method has been changed and if it is actually an api call request it returns immediately without affecting the cookie.
Showing with 15 additions and 17 deletions