Python rest_framework.exceptions.AuthenticationFailed() Examples

The following are 30 code examples of rest_framework.exceptions.AuthenticationFailed(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module rest_framework.exceptions, or try the search function.
Example #1
Source File: authentication.py — from boss (Apache License 2.0)
def authenticate_credentials(self, key):
        """Validate a DRF token and additionally gate Keycloak-linked users.

        Delegates the token lookup to ``TokenAuthentication``; when the
        resolved user has a ``KeycloakModel`` row, the Keycloak user must still
        exist, otherwise the Django account is deactivated and the request is
        rejected.

        Args:
            key: the token key taken from the Authorization header.

        Returns:
            ``(user, token)``, the shape DRF expects from this hook.

        Raises:
            exceptions.AuthenticationFailed: the Keycloak user no longer exists
                (the Django user is marked inactive before raising).
        """
        user, token = super(TokenAuthentication, self).authenticate_credentials(key)

        try:
            kc_user = KeycloakModel.objects.get(user=user)

            # DP ???: Should a user's roles be synced?
            if not self.user_exist(kc_user.UID):
                # Persistently deactivate the Django account so later requests
                # short-circuit before the Keycloak lookup.
                # NOTE(review): confirm user_exist() distinguishes "not found"
                # from a transient Keycloak error; a false negative here locks
                # the account out until it is re-enabled by hand.
                user.is_active = False
                user.save()
                raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))
        except KeycloakModel.DoesNotExist:
            # No Keycloak link: a regular Django user account, nothing more to check.
            return (user, token)

        return (user, token)
Example #2
Source File: authentication.py — from django-oauth-toolkit-jwt (MIT License)
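def _get_jwt_value(self, request):
        """Extract the raw JWT from the request, or return ``None``.

        The Authorization header is consulted first; when it is absent and
        ``settings.JWT_AUTH_COOKIE`` names a cookie, that cookie's value is
        returned instead.

        Args:
            request: the incoming DRF/Django request.

        Returns:
            The token as ``str`` (bytes from the header are decoded as UTF-8),
            or ``None`` when no JWT-style credentials were supplied. A header
            with a different prefix is ignored rather than rejected.

        Raises:
            exceptions.AuthenticationFailed: the prefix matched but the header
                carried no credential part, or more than one.
        """
        auth = get_authorization_header(request).split()
        auth_header_prefix = getattr(settings, 'JWT_AUTH_HEADER_PREFIX', 'JWT')

        if not auth:
            if getattr(settings, 'JWT_AUTH_COOKIE', None):
                return request.COOKIES.get(settings.JWT_AUTH_COOKIE)
            return None

        # The prefix comparison is case-sensitive (HTTP auth schemes are
        # case-insensitive per RFC 7235); kept as-is to preserve behaviour.
        if smart_str(auth[0]) != auth_header_prefix:
            return None

        if len(auth) == 1:
            msg = 'Invalid Authorization header. No credentials provided.'
            raise exceptions.AuthenticationFailed(msg)
        if len(auth) > 2:
            msg = ('Invalid Authorization header. Credentials string '
                   'should not contain spaces.')
            raise exceptions.AuthenticationFailed(msg)

        jwt_value = auth[1]
        # isinstance rather than ``type(...) is bytes`` so bytes subclasses
        # are decoded too.
        if isinstance(jwt_value, bytes):
            jwt_value = jwt_value.decode('utf-8')
        return jwt_value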
Example #3
Source File: views.py — from controller (MIT License)
def passwd(self, request, **kwargs):
        """Change a user's password.

        The caller is ``self.get_object()``. By default the caller changes
        their own password; passing ``username`` selects another account,
        which is only allowed for superusers (naming yourself is also
        accepted). Non-superusers must prove the current ``password``;
        superusers may reset any password without it.

        Raises:
            DeisException: ``new_password`` is missing, or ``password`` is
                missing for a non-superuser.
            PermissionDenied: a non-superuser named a different account.
            AuthenticationFailed: the supplied current password is wrong.
        """
        data = request.data
        new_password = data.get('new_password')
        if not new_password:
            raise DeisException("new_password is a required field")

        caller_obj = self.get_object()
        target_obj = self.get_object()
        requested_username = data.get('username')
        if requested_username:
            # if you "accidentally" target yourself, that should be fine
            allowed = caller_obj.username == requested_username or caller_obj.is_superuser
            if not allowed:
                raise PermissionDenied()
            target_obj = get_object_or_404(User, username=requested_username)

        if not caller_obj.is_superuser:
            current_password = data.get('password')
            if not current_password:
                raise DeisException("password is a required field")
            if not target_obj.check_password(current_password):
                raise AuthenticationFailed('Current password does not match')

        target_obj.set_password(new_password)
        target_obj.save()
        return Response({'status': 'password set'})
Example #4
Source File: authentication.py — from django-oauth-toolkit-jwt (MIT License)
def authenticate(self, request):
        """
        Returns a two-tuple of `User` and token if a valid signature has been
        supplied using JWT-based authentication.  Otherwise returns `None`.

        ``None`` is returned only when the request carries no JWT at all, so
        that other authenticators can run. A present-but-invalid token raises
        ``exceptions.AuthenticationFailed``: with a message for an expired
        signature or an undecodable token, without one for any other PyJWT
        ``InvalidTokenError``.
        """
        jwt_value = self._get_jwt_value(request)
        if jwt_value is None:
            return None

        # Most specific PyJWT errors first; InvalidTokenError is the base of
        # the other two, so it must stay last.
        try:
            payload = decode_jwt(jwt_value)
        except jwt.ExpiredSignatureError:
            raise exceptions.AuthenticationFailed('Signature has expired.')
        except jwt.DecodeError:
            raise exceptions.AuthenticationFailed('Error decoding signature.')
        except jwt.InvalidTokenError:
            raise exceptions.AuthenticationFailed()

        self._add_session_details(request, payload)
        user = self.authenticate_credentials(payload)
        return user, JwtToken(payload)
Example #5
Source File: backends.py — from aws-workshop (MIT License)
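def _authenticate_credentials(self, request, token):
        """
        Try to authenticate the given credentials. If authentication is
        successful, return the user and token. If not, throw an error.

        Args:
            request: the incoming request; not used here.
            token: the raw JWT string taken from the Authorization header.

        Returns:
            ``(user, token)`` for an active user whose ``id`` is in the payload.

        Raises:
            exceptions.AuthenticationFailed: the token cannot be decoded or
                verified, carries no ``id`` claim, names no existing user, or
                names a deactivated user.
        """
        # NOTE(review): ``algorithms=`` is not pinned. PyJWT 2.x refuses to
        # decode without it, and older PyJWT accepts whatever ``alg`` the
        # token itself declares; pin the algorithm(s) actually used to sign.
        try:
            payload = jwt.decode(token, settings.SECRET_KEY)
        except jwt.InvalidTokenError:
            # Only token-verification failures become a 401. The original bare
            # ``except`` also swallowed KeyboardInterrupt and programming
            # errors; those now propagate.
            msg = 'Invalid authentication. Could not decode token.'
            raise exceptions.AuthenticationFailed(msg)

        # A verified token without an ``id`` claim used to raise KeyError (a
        # 500); treat it as "no matching user" instead.
        user_id = payload.get('id')
        if user_id is None:
            msg = 'No user matching this token was found.'
            raise exceptions.AuthenticationFailed(msg)

        try:
            user = User.objects.get(pk=user_id)
        except User.DoesNotExist:
            msg = 'No user matching this token was found.'
            raise exceptions.AuthenticationFailed(msg)

        if not user.is_active:
            msg = 'This user has been deactivated.'
            raise exceptions.AuthenticationFailed(msg)

        return (user, token)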
Example #6
Source File: test_authentication.py — from hawkrest (BSD 3-Clause "New" or "Revised" License)
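def test_hawk_post_wrong_sig(self):
        """A POST whose body was altered after signing must be rejected.

        The Hawk header is computed over the original body; appending a
        parameter afterwards makes the content hash mismatch (the expected
        log line names ``MisComputedContentHash``) and the authenticator
        raises ``AuthenticationFailed``.
        """
        post_data = 'one=1&two=2&three=3'
        content_type = 'application/x-www-form-urlencoded'
        method = 'POST'
        sender = self._sender(content=post_data,
                              content_type=content_type,
                              method=method)

        # This should fail the signature check.
        post_data = '{0}&TAMPERED_WITH=true'.format(post_data)

        req = self._request(sender,
                            content_type=content_type,
                            data=post_data,
                            method=method)

        # assertRaisesRegexp is a deprecated alias that Python 3.12 removed;
        # assertRaisesRegex is the supported spelling.
        self.assertRaisesRegex(AuthenticationFailed,
                               '^Hawk authentication failed$',
                               lambda: self.auth.authenticate(req))
        self.assert_log_regex('warning', '^access denied: MisComputedContentHash: ')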
Example #7
Source File: api.py — from peering-manager (Apache License 2.0)
def authenticate_credentials(self, key):
        """Resolve a token key to ``(user, token)``.

        The token must exist, must not be expired, and its user must be
        active. Each failure raises ``AuthenticationFailed`` with a short,
        distinct reason, which means the response tells the client whether
        the key itself is known.
        """
        token_model = self.get_model()

        try:
            token = token_model.objects.select_related("user").get(key=key)
        except token_model.DoesNotExist:
            raise exceptions.AuthenticationFailed("Invalid token")

        # Enforce the Token's expiration time: expired tokens still resolve,
        # but are rejected with their own message.
        if token.is_expired:
            raise exceptions.AuthenticationFailed("Token expired")
        if not token.user.is_active:
            raise exceptions.AuthenticationFailed("User inactive")

        return token.user, token
Example #8
Source File: test_authentication.py — from timed-backend (GNU Affero General Public License v3.0)
def test_authentication_new_user(
    db, rf, requests_mock, settings, create_user, username, expected_count
):
    """OIDC auth either creates an unknown user or rejects it, per OIDC_CREATE_USER.

    Parametrised through the ``create_user``, ``username`` and
    ``expected_count`` fixtures. The OP's userinfo endpoint is mocked to
    return ``preferred_username`` so no network is involved.
    """
    settings.OIDC_CREATE_USER = create_user
    user_model = get_user_model()
    assert not user_model.objects.filter(username=username).count()

    requests_mock.get(
        settings.OIDC_OP_USER_ENDPOINT,
        text=json.dumps({"preferred_username": username}),
    )
    request = rf.get("/openid", HTTP_AUTHORIZATION="Bearer Token")

    try:
        authenticated_user, _ = OIDCAuthentication().authenticate(request)
    except AuthenticationFailed:
        # Rejecting an unknown user is only correct when creation is disabled.
        assert not create_user
    else:
        assert authenticated_user.username == username

    assert user_model.objects.count() == expected_count
Example #9
Source File: drf.py — from mozilla-django-oidc (Mozilla Public License 2.0)
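def get_access_token(self, request):
        """
        Get the access token based on a request.

        Returns None if no authentication details were provided. Raises
        AuthenticationFailed if the token is incorrect.

        Args:
            request: the incoming DRF request.

        Returns:
            The bearer token string, or ``None`` when the Authorization header
            is absent, blank, or uses a scheme other than ``bearer``.

        Raises:
            exceptions.AuthenticationFailed: a ``bearer`` header with no
                credential part, or with more than one.
        """
        header = authentication.get_authorization_header(request)
        if not header:
            return None
        header = header.decode(authentication.HTTP_HEADER_ENCODING)

        auth = header.split()

        # A header made only of whitespace splits to [] and would make
        # ``auth[0]`` raise IndexError (a 500); treat it like no header.
        if not auth or auth[0].lower() != 'bearer':
            return None

        if len(auth) == 1:
            msg = 'Invalid "bearer" header: No credentials provided.'
            raise exceptions.AuthenticationFailed(msg)
        elif len(auth) > 2:
            msg = 'Invalid "bearer" header: Credentials string should not contain spaces.'
            raise exceptions.AuthenticationFailed(msg)

        return auth[1]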
Example #10
Source File: jwtAuth.py — from django-RESTfulAPI (MIT License)
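def authenticate(self, request):
        """
        Returns a two-tuple of `User` and token if a valid signature has been
        supplied using JWT-based authentication.  Otherwise returns `None`.

        ``None`` means no JWT was supplied at all. A present-but-invalid token
        raises ``exceptions.AuthenticationFailed``: with a
        ``{"message", "errorCode", "data"}`` detail for an expired or
        undecodable token, and without detail for any other PyJWT
        ``InvalidTokenError``.
        """
        jwt_value = self.get_jwt_value(request)
        if jwt_value is None:
            return None

        # ``jwt.ExpiredSignature`` was a deprecated alias removed in PyJWT 2;
        # ``ExpiredSignatureError`` exists in both 1.x and 2.x. Order matters:
        # InvalidTokenError is the base class of the other two.
        try:
            payload = jwt_decode_handler(jwt_value)
        except jwt.ExpiredSignatureError:
            msg = 'Token过期'
            raise exceptions.AuthenticationFailed({"message": msg,"errorCode":1,"data":{}})
        except jwt.DecodeError:
            msg = 'Token不合法'
            raise exceptions.AuthenticationFailed({"message": msg,"errorCode":1,"data":{}})
        except jwt.InvalidTokenError:
            raise exceptions.AuthenticationFailed()

        user = self.authenticate_credentials(payload)
        return user, jwt_value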
Example #11
Source File: views.py — from lego (MIT License)
def token(self, *arg, **kwargs):
        """
        Download the token belonging to a restricted mail. This token has to be attached to
        the restricted mail for authentication.

        The ``auth`` query parameter must pass the mail's
        ``token_verify_query_param`` check, otherwise ``AuthenticationFailed``
        is raised; a mail that has no token yields ``NotFound``. The token is
        served as an attachment named ``token``.
        """
        mail = get_object_or_404(RestrictedMail.objects.all(), id=kwargs["pk"])
        query_auth = self.request.GET.get("auth")

        # The auth check runs before the existence check, so a caller who
        # fails it is not told whether a token has been generated.
        if not mail.token_verify_query_param(query_auth):
            raise exceptions.AuthenticationFailed
        if not mail.token:
            raise exceptions.NotFound

        body = f"{RESTRICTED_TOKEN_PREFIX}{mail.token}"
        response = HttpResponse(body)
        response["Content-Disposition"] = 'attachment; filename="token"'
        return response
Example #12
Source File: views.py — from controller (MIT License)
def passwd(self, request, **kwargs):
        """Change a user's password.

        The caller is ``self.get_object()``. By default the caller changes
        their own password; passing ``username`` selects another account,
        which is only allowed for superusers (naming yourself is also
        accepted). Non-superusers must prove the current ``password``;
        superusers may reset any password without it.

        Raises:
            DeisException: ``new_password`` is missing, or ``password`` is
                missing for a non-superuser.
            PermissionDenied: a non-superuser named a different account.
            AuthenticationFailed: the supplied current password is wrong.
        """
        data = request.data
        new_password = data.get('new_password')
        if not new_password:
            raise DeisException("new_password is a required field")

        caller_obj = self.get_object()
        target_obj = self.get_object()
        requested_username = data.get('username')
        if requested_username:
            # if you "accidentally" target yourself, that should be fine
            allowed = caller_obj.username == requested_username or caller_obj.is_superuser
            if not allowed:
                raise PermissionDenied()
            target_obj = get_object_or_404(User, username=requested_username)

        if not caller_obj.is_superuser:
            current_password = data.get('password')
            if not current_password:
                raise DeisException("password is a required field")
            if not target_obj.check_password(current_password):
                raise AuthenticationFailed('Current password does not match')

        target_obj.set_password(new_password)
        target_obj.save()
        return Response({'status': 'password set'})
Example #13
Source File: hook.py — from permabots (BSD 3-Clause "New" or "Revised" License)
def get_recipient(self, id, hook, user):
        """Fetch recipient ``id`` of ``hook``, enforcing that ``user`` owns it.

        Raises ``Http404`` when no such recipient exists and
        ``AuthenticationFailed`` when it exists but is owned by someone else;
        the two outcomes are distinguishable to the caller.
        """
        try:
            recipient = self.model.objects.get(id=id, hook=hook)
            owner_matches = self._user(recipient) == user
        except self.model.DoesNotExist:
            raise Http404
        if not owner_matches:
            raise exceptions.AuthenticationFailed()
        return recipient
Example #14
Source File: handler.py — from permabots (BSD 3-Clause "New" or "Revised" License)
def get_object(self, id, handler, user):
        """Fetch object ``id`` belonging to ``handler``'s bot, checking ownership.

        Ownership is decided by ``self._user(handler)``, i.e. by the handler
        rather than by the fetched object. Raises ``Http404`` when the object
        does not exist and ``AuthenticationFailed`` when ``user`` is not the
        owner.
        """
        try:
            found = self.model.objects.get(id=id, bot=handler.bot)
            owner_matches = self._user(handler) == user
        except self.model.DoesNotExist:
            raise Http404
        if not owner_matches:
            raise exceptions.AuthenticationFailed()
        return found
Example #15
Source File: test_serializers.py — from django-rest-framework-simplejwt (MIT License)
def test_it_should_not_validate_if_user_not_found(self):
        """Credentials for an unknown username are rejected with AuthenticationFailed."""
        payload = {
            TokenObtainSerializer.username_field: 'missing',
            'password': 'pass',
        }
        serializer = TokenObtainSerializer(context=MagicMock(), data=payload)

        with self.assertRaises(drf_exceptions.AuthenticationFailed):
            serializer.is_valid()
Example #16
Source File: serializers.py — from django-rest-framework-simplejwt (MIT License)
def validate(self, attrs):
        """Authenticate the submitted credentials and keep the user on ``self.user``.

        Returns an empty dict; subclasses add the token payload on top.
        Raises ``AuthenticationFailed`` with the ``no_active_account`` code
        when the backend returns no user or an inactive one.
        """
        credentials = {
            self.username_field: attrs[self.username_field],
            'password': attrs['password'],
        }
        # The request is optional in the serializer context; hand it to the
        # backend only when present.
        try:
            credentials['request'] = self.context['request']
        except KeyError:
            pass

        user = authenticate(**credentials)
        self.user = user

        # Prior to Django 1.10, inactive users could be authenticated with the
        # default `ModelBackend`.  As of Django 1.10, the `ModelBackend`
        # prevents inactive users from authenticating.  App designers can still
        # allow inactive users to authenticate by opting for the new
        # `AllowAllUsersModelBackend`.  However, we explicitly prevent inactive
        # users from authenticating to enforce a reasonable policy and provide
        # sensible backwards compatibility with older Django versions.
        usable = user is not None and user.is_active
        if not usable:
            raise exceptions.AuthenticationFailed(
                self.error_messages['no_active_account'],
                'no_active_account',
            )

        return {}
Example #17
Source File: hook.py — from permabots (BSD 3-Clause "New" or "Revised" License)
def get_hook(self, id, bot, user):
        """Fetch hook ``id`` of ``bot``, requiring ``user`` to own the bot.

        Raises ``Http404`` when the hook does not exist and
        ``AuthenticationFailed`` when the bot's owner is not ``user``.
        """
        try:
            found = Hook.objects.get(id=id, bot=bot)
            owner_matches = found.bot.owner == user
        except Hook.DoesNotExist:
            raise Http404
        if not owner_matches:
            raise exceptions.AuthenticationFailed()
        return found
Example #18
Source File: user.py — from rssant (BSD 3-Clause "New" or "Revised" License)
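def user_login(
    request,
    account: T.str.optional,
    password: T.str.optional,
) -> UserSchema:
    """Log a user in by account (username or email) and password.

    With neither ``account`` nor ``password`` supplied, the current session is
    reported instead: the serialized user when logged in and active, 403 when
    the session user is inactive, 401 when anonymous.

    Returns:
        The serialized user on success; otherwise a ``Response`` with status
        401 (missing credential, unknown account, wrong password) or 403
        (inactive user).
    """
    if not (account or password):
        if request.user.is_authenticated:
            if not request.user.is_active:
                return Response(status=403)
            return serialize_user(request.user)
        return Response(status=401)

    # One credential without the other cannot authenticate; reject it here
    # rather than letting ``'@' in None`` raise a TypeError below.
    if not account or not password:
        return Response(status=401)

    # The same message is used for "no such email" and "wrong password" so the
    # response body does not confirm which email addresses are registered.
    error_message = {'message': '用户名或密码错误'}
    if '@' in account:
        matched = User.objects.filter(email=account).first()
        if matched is None:
            return Response(error_message, status=401)
        username = matched.username
    else:
        username = account

    try:
        user = django_auth.authenticate(username=username, password=password)
    except AuthenticationFailed:
        return Response(error_message, status=401)
    if not user or not user.is_authenticated:
        # Previously a bare 401 here, which differed from the unknown-email
        # response above and so leaked whether the email existed.
        return Response(error_message, status=401)
    if not user.is_active:
        return Response(status=403)
    django_auth.login(request, user=user)
    return serialize_user(request.user)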
Example #19
Source File: authentication.py — from django-oauth-toolkit-jwt (MIT License)
def authenticate_credentials(self, payload):
        """
        Returns an active user that matches the payload's user id and email.

        When ``settings.JWT_AUTH_DISABLED`` is truthy, ``AnonymousUser`` is
        returned without looking at the payload. The claim and model field
        used for the lookup are both named by ``settings.JWT_ID_ATTRIBUTE``;
        ``getattr`` has no default there, so an unset setting raises
        ``AttributeError``.
        """
        if getattr(settings, 'JWT_AUTH_DISABLED', False):
            return AnonymousUser()

        user_model = get_user_model()
        id_attribute = getattr(settings, 'JWT_ID_ATTRIBUTE')
        identifier = payload.get(id_attribute)

        if not identifier:
            raise exceptions.AuthenticationFailed('Invalid payload.')

        # Message kept as-is: a missing user is reported as 'Invalid
        # signature.' although the signature itself already verified.
        try:
            user = user_model.objects.get(**{id_attribute: identifier})
        except user_model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid signature.')

        if not user.is_active:
            raise exceptions.AuthenticationFailed('User account is disabled.')

        return user
Example #20
Source File: test_authentication.py — from tfrs (Apache License 2.0)
def test_jwt_no_token(self):
        """Test no token: a request without an Authorization header is rejected."""
        request = self.factory.get('/')

        with self.assertRaises(exceptions.AuthenticationFailed):
            user, auth = self.userauth.authenticate(request)
Example #21
Source File: test_authentication.py — from tfrs (Apache License 2.0)
def test_jwt_invalid_token(self):
        """Test invalid token: an Authorization header that is not a JWT is rejected."""
        request = self.factory.get('/')
        # Replace META wholesale; only the Authorization header matters here.
        request.META = {'HTTP_AUTHORIZATION': 'garbage'}

        with self.assertRaises(exceptions.AuthenticationFailed):
            user, auth = self.userauth.authenticate(request)
Example #22
Source File: views.py — from django-freeradius (GNU General Public License v3.0)
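def authenticate(self, request):
        """Accept requests that present the shared ``app_settings.API_TOKEN``.

        Candidate tokens are the second whitespace-separated word of each
        comma-separated ``Authorization`` value, then the ``token`` query
        parameter.

        Returns:
            ``(AnonymousUser(), None)`` on a match; there is no per-user
            identity behind the shared token.

        Raises:
            ParseError: an Authorization value has no token part.
            AuthenticationFailed: no candidate matched.
        """
        import hmac

        expected = app_settings.API_TOKEN

        def matches(candidate):
            # Constant-time comparison so response timing does not reveal how
            # many leading characters of a guess are right; plain ``==`` is
            # kept for non-text values (e.g. a missing query parameter).
            if isinstance(candidate, str) and isinstance(expected, str):
                return hmac.compare_digest(candidate.encode('utf-8'),
                                           expected.encode('utf-8'))
            return candidate == expected

        if request.META.get('HTTP_AUTHORIZATION', False):
            headers = request.META.get('HTTP_AUTHORIZATION').split(',')
            for header in headers:
                try:
                    token = header.split(' ')[1]
                except IndexError:
                    raise ParseError('Invalid token')
                if matches(token):
                    return (AnonymousUser(), None)
        # NOTE(review): a token in the query string is likely to be recorded in
        # access logs and proxies; the header form avoids that.
        if matches(request.GET.get('token')):
            return (AnonymousUser(), None)
        raise AuthenticationFailed('Token authentication failed')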
Example #23
Source File: auth.py — from lego (MIT License)
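def get_jwt_value(self, scope):
        """Return the JWT given as the ``jwt`` query parameter of a websocket scope.

        Args:
            scope: the ASGI connection scope.

        Raises:
            exceptions.AuthenticationFailed: the scope is not a websocket
                connection, or ``jwt`` is absent or given more than once.
        """
        if scope.get("type") != "websocket":
            # Message typo fixed ("i required" -> "is required").
            raise exceptions.AuthenticationFailed("Websocket connection is required")

        # NOTE(review): a token carried in the query string is likely to be
        # written to access logs by any proxy in front of the server.
        query_string = scope.get("query_string", b"").decode()
        jwt_param = parse_qs(query_string).get("jwt", [])
        if len(jwt_param) != 1:
            raise exceptions.AuthenticationFailed("Invalid JWT query param")
        return jwt_param[0]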
Example #24
Source File: authentication.py — from lego (MIT License)
def authenticate_credentials(self, key):
        """Resolve a survey token to ``(None, survey)``.

        There is no user behind a survey token, so the user slot is ``None``
        and the matching ``Survey`` is returned as the auth object.

        Raises:
            exceptions.AuthenticationFailed: no survey carries this token.
        """
        try:
            survey = Survey.objects.get(token=key)
        except Survey.DoesNotExist:
            raise exceptions.AuthenticationFailed("Invalid token")
        else:
            return None, survey
Example #25
Source File: jwtAuth.py — from django-RESTfulAPI (MIT License)
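def get_jwt_value(self, request):
        """Return the JWT from the Authorization header, or ``None``.

        The header's scheme must equal ``api_settings.JWT_AUTH_HEADER_PREFIX``
        (compared case-insensitively); no header or another scheme yields
        ``None`` so other authenticators can run.

        Raises:
            exceptions.AuthenticationFailed: the scheme matched but the header
                has no credential part or more than one. The detail is a
                ``{"message", "errorCode", "data"}`` dict.
        """
        auth = request.META.get('HTTP_AUTHORIZATION', '').split()
        auth_header_prefix = api_settings.JWT_AUTH_HEADER_PREFIX.lower()

        if not auth or auth[0].lower() != auth_header_prefix:
            return None

        # The English ``msg`` locals the original assigned were never used;
        # the client sees only the dict below. "no credentials" (one word)
        # and "spaces in credentials" (three or more words) are both simply
        # "not exactly two words".
        if len(auth) != 2:
            raise exceptions.AuthenticationFailed({"message": "消息头不合法","errorCode":1,"data":{}})

        return auth[1]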
Example #26
Source File: jwtAuth.py — from django-RESTfulAPI (MIT License)
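def authenticate_credentials(self, payload):
        """Resolve the user id carried in ``payload`` to a ``User``.

        Raises:
            exceptions.AuthenticationFailed: the payload carries no user id,
                or no user with that id exists.
        """
        user_id = jwt_get_user_id_from_payload_handler(payload)
        if not user_id:
            raise exceptions.AuthenticationFailed({"message": "没有该用户","errorCode":1,"data":{}})

        # ``filter(...).first()`` returns None rather than raising DoesNotExist,
        # so the original ``except User.DoesNotExist`` never fired and a token
        # for a deleted user authenticated as ``None``; check explicitly.
        user = User.objects.filter(id=user_id).first()
        if user is None:
            raise exceptions.AuthenticationFailed({"message": "没有该用户","errorCode":1,"data":{}})

        # NOTE(review): no ``is_active`` check here; confirm the caller
        # enforces one.
        return user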
Example #27
Source File: authentication.py — from normandy (Mozilla Public License 2.0)
def authenticate_credentials(self, access_token):
        """Turn an OIDC bearer token into a local ``User``.

        The token is verified by fetching the user's profile from the OIDC
        provider. The profile's email (stripped, lower-cased) identifies the
        local account, which is created on first sight and kept in sync with
        the profile's name fields.

        Returns:
            ``(user, access_token)``.

        Raises:
            exceptions.AuthenticationFailed: the provider could not be
                queried, the profile has no email, or the user is inactive.
        """
        try:
            profile = self.fetch_oidc_user_profile(access_token)
        except (requests.exceptions.RequestException, OIDCEndpointRequestError):
            raise exceptions.AuthenticationFailed("Unable to verify bearer token.")

        email = profile.get("email", "").strip().lower()
        if not email:
            # This would happen if someone has requested an access token
            # from their OIDC provider *without the 'email' scope*.
            raise exceptions.AuthenticationFailed("User profile lacks 'email' scope.")

        # The username is truncated to 150 characters (Django's default
        # username max_length); the full address lives in ``email``.
        user, _ = get_user_model().objects.get_or_create(
            username=email[:150], defaults={"email": email}
        )

        # Sync name fields from the OIDC profile; empty values never overwrite.
        synced_names = (
            ("first_name", profile.get("given_name", "").strip()),
            ("last_name", profile.get("family_name", "").strip()),
        )
        changed = False
        for field, value in synced_names:
            if value and value != getattr(user, field):
                setattr(user, field, value)
                changed = True
        if user.email != email:
            user.email = email
            changed = True
        if changed:
            user.save()

        if not user.is_active:
            raise exceptions.AuthenticationFailed("User inactive.")

        return (user, access_token)
Example #28
Source File: test_authentication.py — from django-rest-framework-expiring-tokens (BSD 2-Clause "Simplified" License)
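def test_expired_token(self):
        """Check that an expired token cannot authenticate."""
        # Crude, but necessary as auto_now_add field can't be changed.
        with self.settings(EXPIRING_TOKEN_LIFESPAN=timedelta(milliseconds=1)):
            sleep(0.001)

            # assertRaises both checks the type and exposes the instance,
            # replacing the try/except/else with a hand-written fail().
            with self.assertRaises(AuthenticationFailed) as raised:
                self.test_instance.authenticate_credentials(self.key)
            self.assertEqual(str(raised.exception), 'Token has expired')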
Example #29
Source File: authentication.py — from django-oidc-rp (MIT License)
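def authenticate(self, request):
        """ Authenticates users using a provided Bearer token.

        Returns ``(user, bearer_token)`` once the OP's userinfo endpoint has
        accepted the token, or ``None`` when the request carries no bearer
        token at all (so other authenticators can run).

        Raises:
            AuthenticationFailed: malformed Authorization header; the OP
                rejected the token, could not be reached, or answered with a
                body that is not JSON or lacks ``sub``.
        """
        # First step, retrieves the Bearer token from the authorization header.
        auth = get_authorization_header(request).split()
        if not auth or smart_text(auth[0].lower()) != 'bearer':
            return

        if len(auth) == 1:
            raise AuthenticationFailed('Invalid authorization header; no bearer token provided')
        elif len(auth) > 2:
            raise AuthenticationFailed('Invalid authorization header; many bearer tokens provided')

        bearer_token = smart_text(auth[1])

        # Tries to retrieve user information from the OP.
        # NOTE(review): no ``timeout=`` is passed, so a stalled OP can hold the
        # worker indefinitely; pick a value that fits the deployment.
        try:
            userinfo_response = requests.get(
                oidc_rp_settings.PROVIDER_USERINFO_ENDPOINT,
                headers={'Authorization': 'Bearer {0}'.format(bearer_token)})
            userinfo_response.raise_for_status()
        except HTTPError:
            raise AuthenticationFailed('Bearer token seems invalid or expired.')
        except requests.RequestException:
            # Connection and timeout failures used to surface as a 500.
            raise AuthenticationFailed('Unable to reach the identity provider to verify the bearer token.')
        try:
            userinfo_response_data = userinfo_response.json()
        except ValueError:
            raise AuthenticationFailed('Unable to reach the identity provider to verify the bearer token.')

        # ``sub`` is the subject identifier the local account is keyed on;
        # without it there is nothing to look up (and ``sub=None`` must not be
        # queried).
        subject = userinfo_response_data.get('sub')
        if not subject:
            raise AuthenticationFailed('Bearer token seems invalid or expired.')

        # Tries to retrieve a corresponding user in the local database and creates it if applicable.
        try:
            oidc_user = OIDCUser.objects.select_related('user').get(sub=subject)
        except OIDCUser.DoesNotExist:
            oidc_user = create_oidc_user_from_claims(userinfo_response_data)
            oidc_user_created.send(sender=self.__class__, request=request, oidc_user=oidc_user)
        else:
            update_oidc_user_from_claims(oidc_user, userinfo_response_data)

        return oidc_user.user, bearer_token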
Example #30
Source File: test_serializers.py — from django-rest-framework-simplejwt (MIT License)
def test_it_should_raise_if_user_not_active(self):
        """Correct credentials for a deactivated user still raise AuthenticationFailed."""
        self.user.is_active = False
        self.user.save()

        payload = {
            TokenObtainSerializer.username_field: self.username,
            'password': self.password,
        }
        serializer = TokenObtainSerializer(context=MagicMock(), data=payload)

        with self.assertRaises(drf_exceptions.AuthenticationFailed):
            serializer.is_valid()