access_token on URL causes half-authenticated users #547

Open
sybrenstuvel opened this issue Jan 25, 2018 · 1 comment

Comments

@sybrenstuvel

Testing with Django 1.11.9 and django-oauth-toolkit 1.1.0, I get strange results when passing access_token=xxxx as a query string on a GET request. This is my view:

from django.http import JsonResponse
from oauth2_provider.decorators import protected_resource


@protected_resource()
def demo_view(request):
    return JsonResponse({'user': str(request.user)})

Taking a valid access token, I can GET the URL, get through the protected_resource() decorator, but it doesn't properly set request.user:

$ curl http://localhost:8000/api/demo?access_token=ByEMH9CNNW0Tq8nONBaNcQATdh2u9v
{"user": "AnonymousUser"}

So then we have a strange hybrid of having properly authenticated a user, but still the view code not knowing anything about this.

This may be related to #533.
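The behaviour reported above, reproduced offline as an added example (this is not the issue author's code and not django-oauth-toolkit's own): a constructed token store, a minimal `Request` stand-in, and two decorators that imitate `protected_resource()`. The first one validates the bearer token but never assigns `request.user`, which is the half-authenticated state the issue describes; the second binds the validated token's user to the request before the view runs. The user names, the expired token and the fixed clock are all constructed for the example.

```python
"""Stand-in for the half-authenticated behaviour (added example, not code
from the issue or from django-oauth-toolkit). The token store, Request
class and decorators are constructed imitations of DOT's AccessToken,
HttpRequest and protected_resource()/verify_request()."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Fixed clock so expiry checks are deterministic (constructed).
NOW = datetime(2018, 1, 25, 12, 0, tzinfo=timezone.utc)


@dataclass
class AccessToken:
    """Constructed stand-in for one AccessToken row."""
    token: str
    user: str
    expires: datetime
    scope: str = "read"

    def is_valid(self, scopes):
        # Not expired, and every requested scope was granted.
        return self.expires > NOW and set(scopes) <= set(self.scope.split())


# Constructed token table; the first value is the token shown in the issue.
TOKENS = {
    "ByEMH9CNNW0Tq8nONBaNcQATdh2u9v": AccessToken(
        "ByEMH9CNNW0Tq8nONBaNcQATdh2u9v", "alice", NOW + timedelta(hours=1)),
    "expiredtoken": AccessToken(
        "expiredtoken", "bob", NOW - timedelta(hours=1)),
}


@dataclass
class Request:
    """Minimal stand-in for django.http.HttpRequest."""
    path: str
    headers: dict = field(default_factory=dict)
    user: str = "AnonymousUser"  # what the auth middleware leaves without a session

    @property
    def GET(self):
        return {k: v[0] for k, v in parse_qs(urlsplit(self.path).query).items()}


def extract_bearer(request):
    """Authorization header first, then the RFC 6750 section 2.3 query form."""
    auth = request.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    return request.GET.get("access_token")


def verify_request(request, scopes):
    """Imitates OAuthLibCore.verify_request(): returns (valid, token or None)."""
    token = TOKENS.get(extract_bearer(request) or "")
    if token is None or not token.is_valid(scopes):
        return False, None
    return True, token


def protected_resource_unbound(scopes=()):
    """Reproduces the report: bad tokens are rejected, but request.user is
    never assigned, so the view still sees AnonymousUser."""
    def decorator(view):
        def wrapper(request):
            valid, _ = verify_request(request, list(scopes))
            if not valid:
                return 403, {"error": "invalid_token"}
            return view(request)
        return wrapper
    return decorator


def protected_resource_bound(scopes=()):
    """Same validation, but binds the token's user to the request first."""
    def decorator(view):
        def wrapper(request):
            valid, token = verify_request(request, list(scopes))
            if not valid:
                return 403, {"error": "invalid_token"}
            request.user = token.user
            return view(request)
        return wrapper
    return decorator


@protected_resource_unbound()
def demo_view_unbound(request):
    return 200, {"user": request.user}


@protected_resource_bound()
def demo_view_bound(request):
    return 200, {"user": request.user}


def run(view, path, headers=None):
    """Dispatch one constructed request; returns (status, body)."""
    return view(Request(path=path, headers=headers or {}))
```

Two practical points follow from running it. A view that derives authorization from `request.user` (an `is_staff` check, an owner comparison) fails closed under the unbound decorator, since a valid token holder looks anonymous; it does not grant extra access, because invalid and expired tokens are still rejected, but any per-user logic silently breaks. Separately, RFC 6750 section 2.3 discourages the `access_token` query-parameter form because the token lands in server access logs, browser history and Referer headers; send it in the `Authorization` header wherever the client can.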

Vengarioth pushed a commit to genesiscloud/Blender-ID that referenced this issue Jan 30, 2019
This is currently not working, and causes the strange case where the token
is validated (so invalid tokens are still rejected, which is good) but
`request.user` is still set to an AnonymousUser instance.

This is [reported upstream as bug 547](jazzband/django-oauth-toolkit#547)
@ljluestc

To address this issue, you can manually authenticate the user using the provided access token inside your view function. Here's how you can do it:

from django.http import JsonResponse
from oauth2_provider.decorators import protected_resource
from oauth2_provider.oauth2_backends import get_oauthlib_core


@protected_resource()
def demo_view(request):
    if request.user.is_anonymous and request.GET.get("access_token"):
        # Re-run the bearer-token validation that protected_resource() already
        # performed (oauthlib takes the token from the Authorization header or,
        # failing that, the access_token parameter) and take the user that the
        # validator attached to the oauthlib request. This is the same call that
        # DOT's OAuth2Backend and its DRF OAuth2Authentication class rely on.
        valid, oauthlib_request = get_oauthlib_core().verify_request(request, scopes=[])
        if valid:
            request.user = oauthlib_request.user

    return JsonResponse({'user': str(request.user)})

By manually checking for the presence of the access_token in the query string and authenticating the user using BearerToken().authenticate_token(token), you ensure that the request.user is correctly set based on the access token provided.

Please note that manually handling token authentication may not be the most elegant solution, but it should work as a workaround until the issue is addressed in a future version of django-oauth-toolkit.

Additionally, you might want to consider upgrading to the latest version of Django and django-oauth-toolkit if possible, as newer versions might have addressed this issue or provided a more straightforward solution for token authentication.
