Prevent fallback to session auth when basic auth fails on /auth/ endp…

…oint; upgrade dependencies
USGS-WiM · Feb 13, 2020 · 2be1cea · 2be1cea
1 parent 59f6b46
commit 2be1cea
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 5 deletions.
diff --git a/cbrsservices/authentication.py b/cbrsservices/authentication.py
@@ -0,0 +1,33 @@
+from django.contrib.auth import authenticate, get_user_model
+from rest_framework import authentication
+from rest_framework import exceptions
+from rest_framework import status
+from django.utils.translation import ugettext_lazy as _
+
+
+class CustomBasicAuthentication(authentication.BasicAuthentication):
+
+    def authenticate_credentials(self, userid, password, request=None):
+        """
+        Authenticate the userid and password against username and password
+        with optional request for context.
+        """
+        credentials = {
+            get_user_model().USERNAME_FIELD: userid,
+            'password': password
+        }
+        user = authenticate(request=request, **credentials)
+
+        if user is None:
+            raise AuthenticationFailed(_('Invalid username/password.'))
+
+        if not user.is_active:
+            raise AuthenticationFailed(_('User inactive or deleted.'))
+
+        return (user, None)
+
+
+class AuthenticationFailed(exceptions.APIException):
+    status_code = status.HTTP_403_FORBIDDEN
+    default_detail = _('Incorrect authentication credentials.')
+    default_code = 'authentication_failed'
diff --git a/cbrsservices/views.py b/cbrsservices/views.py
@@ -12,6 +12,7 @@
 from cbrsservices.permissions import *
 from cbrsservices.renderers import *
 from cbrsservices.paginations import *
+from cbrsservices.authentication import *
 from cbrsservices.filters import *
 
 
@@ -854,7 +855,7 @@ def get_queryset(self):
 
 
 class AuthView(views.APIView):
-    authentication_classes = (authentication.BasicAuthentication,)
+    authentication_classes = (CustomBasicAuthentication,)
     serializer_class = UserSerializer
 
     def post(self, request):

diff --git a/requirements.txt b/requirements.txt
@@ -1,17 +1,17 @@
-django==2.2.9
+django==2.2.10
 django-cors-headers==3.2.1
 django-localflavor==2.2
 django-simple-history==2.8.0
 djangorestframework==3.11.0
 django-filter==2.2.0
 djangorestframework-csv==2.1.0
-lxml==4.4.0
+lxml==4.5.0
 psycopg2==2.8.4
 python-docx==0.8.10
 python-magic==0.4.15
-python-stdnum==1.12
+python-stdnum==1.13
 pytz==2019.3
-PyYAML==5.3.0
+PyYAML==5.3
 six==1.14.0
 sqlparse==0.3.0
 unicodecsv==0.14.1