jpulgarin / django-tokenapi Goto Github PK

View Code? Open in Web Editor NEW

221.0 221.0 64.0 87 KB

Add an API to your Django app using token-based authentication.

License: Other

Python 100.00%

django-tokenapi's People

Contributors

Stargazers

Watchers

Forkers

mariuz nycholas utek mainframe-archive juri parkt htcpro andreipak numegil raghulj kapwrestling peppelorum dealstruck alexiskattan ssweens tonyzhu jgruca anas-aldrees oldpatricka matheussl starou masterdubs gitllermopalafox nsmgr8 philippeowagner flourishing akroushan ianzapolsky simalytics swamig andrew-bulogics omidraha yeswanth angel-fund muke5hy liamlin brianyan uh-ci jhmcstanton runforever hl2055 hayesdata sparrowu93 aniketmaithani arpanpal010 onionisi vahgar bulogics jkimbo lablazer ghjan wwbird jbiason chatoffside gabrielnes-azion mingmlu qq854051086 tomszhou nirupam2016 wahello najamrehman tenkunkyab vallemrv seanpm2001 njiti

django-tokenapi's Issues

Don't allow inactive users to authenticate

Currently, if the is_active flag on the User is set to false, the token API still let's them in like normal.

200 response code when invalid request is made

If I make a request without a username or password, the returned status code is 200, while it should be 400. As a result, an incorrect request is treated as a correct one in the frontend.

URL's should return a response even if not accessed correctly

Ie /new.json should not 500 if you go directly to the URL.

default token_required decorator does not work when applied to functions that are members of class based views

Validate user before accessing attributes

ERROR Internal Server Error: /api/check
Traceback (most recent call last):
  File "/home/chillaranand/.virtualenvs/bar/lib/python3.5/site-packages/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/home/chillaranand/.virtualenvs/bar/lib/python3.5/site-packages/django/core/handlers/base.py", line 249, in _legacy_get_response
    response = self._get_response(request)
  File "/home/chillaranand/.virtualenvs/bar/lib/python3.5/site-packages/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/home/chillaranand/.virtualenvs/bar/lib/python3.5/site-packages/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/chillaranand/.virtualenvs/bar/lib/python3.5/site-packages/django/views/decorators/csrf.py", line 58, in wrapped_view
    return view_func(*args, **kwargs)
  File "/home/chillaranand/projects/foo/views.py", line 150, in check
    if token_generator.check_token(user, token) and user.is_active:
  File "/home/chillaranand/.virtualenvs/bar/lib/python3.5/site-packages/tokenapi/tokens.py", line 38, in check_token
    if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
  File "/home/chillaranand/.virtualenvs/bar/lib/python3.5/site-packages/tokenapi/tokens.py", line 54, in _make_token_with_timestamp
    value = (six.text_type(user.pk) + user.password + six.text_type(timestamp))
AttributeError: 'NoneType' object has no attribute 'pk'

JSONResponse should have a JSONSuccess subclass

right now, the only way to add a 'success' field is to manually add it to each response. JSONResponse should either have a success field by default, or there should be a JSONSuccess implementation.

Multiple authentication methods

I have a server that has HTTP Auth for non-production purposes, but I want the presence of the "user" and "token" params to take precedence over HTTP Auth in token_required().

I will end up changing token_required temporarily for my needs, but my suggestion here is to allow the developer to specify a preferred method if both HTTP Auth and Token auth is present.

TOKEN_TIMEOUT_DAYS

My tokens seem to expire after a couple days, despite having this set to a much larger number in settings.py

I looked through the code, but didn't find any references to TOKEN_TIMEOUT_DAYS.

Can tokens last for more than the specified TOKEN_TIMEOUT_DAYS

Is there a way a token can last longer than TOKEN_TIMEOUT_DAYS perhaps forever? After reading the code, I couldn't find a function that didn't perform the date checking.

A new session is created for every request

Whenever a new request is made to the server using a token, a new Django session is created. It shouldn't matter because sessions are not used here, but it could overwhelm the session store whether that is a database or an in-memory cache. This could be fixed by not calling the login() function in the decorator and setting request.user directly

Allow per-token timeout

Hi.

I'll need some tokens to have arbitrary timeout, like some minutes for ones and "until revoked" for others. Any tip on how to implement this?

My plan is to use this with https://github.com/tomchristie/django-rest-framework, as said in encode/django-rest-framework#9

Add language classifiers to make PyPI reflect Python 3 support

This package works with Python 3, but the caniusepython3 utility flags it as needing to be upgraded. That tool looks at the classifiers in setup.py, which this doesn't have. It should have some, especially 'Programming Language :: Python :: 2.7' and 'Programming Language :: Python :: 3'.

add suport to django 1.5 custom user

missing imports in http.py

#
from django.http import HttpResponse
try:
    import simplejson as json
except ImportError:
    import json
#

# JSON helper functions

def JSONResponse(data, dump=True):
    return HttpResponse(
        json.dumps(data) if dump else data,
        mimetype='application/json',
    )

def JSONError(error_string):
    data = {
        'success': False,
        'errors': error_string,
    }
    return JSONResponse(data)

Non-functional @token_required ?

I'm trying to user the @token_required on an otherwise un-noteworthy view, but wasn't able to get it to work (would only return 403s). I ended up making my own decorator that users token_generator.check_token to verify the request.

Is anyone else using this successfully? Am I missing some step or was there some change recently?

My relevant code is https://gist.github.com/stickwithjosh/5f622336adefe24de17f

Change token_required decorator so that it returns JsonResponses instead of HttpResponses.

New release needed for Django 1.6

django-tokenapi 0.1.7 is broken in 1.6 because a deprecated API is used. The fix is actually already checked-in to master in commit d5cd7c1 but a new version needs to be pushed to PyPI. Can this be done?

will @token_requied decorator intercept session based authentication?

I have a app both on Mobile and Web ,will @token_requied decorator intercept session based authentication? does tokenapi support web app?

URL pattern should allow for non blank root

currently, only '' is permitted in (r'', include('tokenapi.urls')), as the urls in tokenapi.urls all begin with ^. This should be changed to allow non blank root urls.

200 response code when checking invalid token

In the same vein as #36, I should not get a 200 status code if I a token is invalid. As a rule of thumb, { success: false } should almost invariably return a non 2XX status code; after all, the request was not successful.

To support my case, I make requests to my API on the client side using axios, which returns ES6 promises. If I call Api.validateToken().then(success).catch(failure), I expect failure to be called if I supply an invalid token. At the moment, I have to check for response.data.success===false in the success callback since a 200 status is returned in any case.

I believe this is a major improvement to an otherwise straightforward Django module.