« Previous | Next » 

Revision 1439d638

ID1439d6383113b151b6a3316e320a0418fa30d421

Added by Sofia Papagiannaki about 9 years ago

astakos: api calls authenticated via X-Auth-Token shall not affect cookie

CookieAuthenticationMiddleware.process_request() synchronizes
the astakos cookie with the request user.
If an astakos cookie is set but there is no logged in user,
the middleware deletes the cookie.
Respectively, if there is a logged in user but the astakos cookie
is not set, the middleware setis the cookie.
In order to set/delete the cookie, redirects to the request path.

For checking whether the user is logged in or not,
utilized the django.contrib.auth.models.User.is_authenticated() method.
This returns always True for django.contrib.auth.models.User instances
(request.user for non authenticated requests is
django.contrib.auth.models.AnonymousUser instance)

Some astakos api calls are decorated by
astakos.api.utils.user_for_token()
which checks the X-Auth-Token request header and if its valid
sets the request.user to the respective AstakosUser instance.

Therefore, the above check succeeded for these calls
and the middleware used to set the cookie.
Subsequent requests read the cookie and
if it did not comform with the request.user
(no authentication info supplied)
redirected to request path for deleting it.

In order to resolve this undesired behavior
the cookie fix() method has been changed
and if it is actually an api call request
it returns immediately without affecting the cookie.

Files

  • added
  • modified
  • copied
  • renamed
  • deleted

View differences