Authentication and Permissions with Django REST framework

Transcript

1. Django REST framework Authentification Permissions Xavier Ordoquy

2. Mainteneur Django REST framework Freelance irc: linovia twitter: linovia_net

3. Django

4. DJANGO @login_required() def someview(request): ... ?

5. DJANGO MIDDLEWARE = [ "django...SessionMiddleware", "django...AuthenticationMiddleware", ] @login_required() def someview(request):

   ... !

6. Auth =/= Perm

7. Django REST framework

8. CLASSE VUE class ExampleView(APIView): authentication_classes = [SessionAuthentication] permission_classes = [IsAuthenticated]

9. FONCTION @api_view(['GET']) @authentication_classes([SessionAuthentication]) @permission_classes([IsAuthenticated]) def example_view(request, format=None): return Response({})

10. SETTINGS REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': ( 'rest_framework.authentication.SessionAuthentication', ), 'DEFAULT_PERMISSION_CLASSES': (

    'rest_framework.permissions.IsAuthenticated', ) }

11. vue >> settings

12. Pourquoi ne pas réutiliser Django ?

13. DJANGO MIDDLEWARE = [ "django...SessionMiddleware", "django...AuthenticationMiddleware", ] @login_required() def someview(request):

    ...

14. Problème: authentifications différentes

15. Problème: trop lié à l’utilisateur

16. Problème: Middleware pour tout le site

17. SITE vs API { "count": 2, "next": null, "previous": null,

    "results": [ { "email": "[email protected]", "groups": [], "url": "http://127.0.0.1:8000/users/1/", "username": "admin" }, { "email": "[email protected]", "groups": [ ], "url": "http://127.0.0.1:8000/users/2/", "username": "tom" } ] }

18. Inclus: Basic

19. Inclus: Session

20. Inclus: Token

21. 3RD PARTIES • Django OAuth2 Consumer • JSON Web Token

    Authentication • Hawk HTTP Authentication • HTTP Signature Authentication • django-rest-framework-social-oauth2 • Digest
 Authentication • Djoser • django-rest-auth • django-rest-knox

22. 401 / 403

23. 403 Forbidden The request was successfully authenticated, but permission was

    denied.

24. 401 Unauthorized The request was not successfully authenticated, and the

    highest priority authentication class does use "WWW-Authenticate" headers

25. 403 Forbidden The request was not successfully authenticated, and the

    highest priority authentication class does not use "WWW-Authenticate" headers. > SessionAuthentication <

26. pas de header pas de 401 401 Unauthorized

27. CSRF

28. CSRF @csrf_exempt

29. CSRF Géré par SessionAuth…

30. PERMISSIONS

31. • AllowAny • IsAuthenticated • IsAdminUser • IsAuthenticatedOrReadOnly • DjangoModelPermissions

    • DjangoModelPermissionsOrAnonReadOnly • DjangoObjectPermissions INCLUS

32. DjangoModel Permissions Permissions par Model de django.contrib.auth

33. PERSONALISATION GET OPTIONS HEAD POST…………………….. PUT………………….. PATCH………………. DELETE……………….. <app label>.add_<model

    name> <app label>.change_<model name> <app label>.change_<model name> <app label>.delete_<model name> perms_map

34. DjangoObject Permissions Permissions par objet de django.contrib.auth (django-guardian ou autre)

35. PERMISSIONS PAR OBJET SUR LISTE ?

36. class CustomObjectPermissions(DjangoObjectPermissions): perms_map = { 'GET': ['%(app_label)s.view_%(model_name)s'], 'OPTIONS': ['%(app_label)s.view_%(model_name)s'], 'HEAD':

    ['%(app_label)s.view_%(model_name)s'], 'POST': ['%(app_label)s.add_%(model_name)s'], 'PUT': ['%(app_label)s.change_%(model_name)s'], 'PATCH': ['%(app_label)s.change_%(model_name)s'], 'DELETE': ['%(app_label)s.delete_%(model_name)s'], } class EventViewSet(viewsets.ModelViewSet): queryset = Event.objects.all() serializer_class = EventSerializer filter_backends = [filters.DjangoObjectPermissionsFilter] permission_classes = [CustomObjectPermissions]

37. WTF ?!? mes permissions sont appelées 6 x ?

38. COUPABLE

39. Pas de permissions sur mon get_object !!

40. SURCHAGE view.get_object def get_object(self): queryset = self.filter_queryset(self.get_queryset()) filter_kwargs = ###

    obj = get_object_or_404(queryset, **filter_kwargs) self.check_object_permissions(self.request, obj) return obj

41. CACHE GLOBAL (MIDDLEWARE) Pas de gestion de permissions

42. Permissions complexes ?

43. Et si j’avais besoin de lire la requête ?

44. from rest_framework.exceptions import PermissionDenied raise PermissionDenied( 'Some permission failed’ )

45. Ecrire son auth

46. from django.contrib.auth.models import User from rest_framework import authentication from rest_framework

    import exceptions class ExampleAuthentication(authentication.BaseAuthentication): def authenticate(self, request): username = request.META.get('X_USERNAME') if not username: return None try: user = User.objects.get(username=username) except User.DoesNotExist: raise exceptions.AuthenticationFailed('No such user') return (user, None)

47. Ecrire ses perms

48. from rest_framework import permissions class BlacklistPermission(permissions.BasePermission): def has_permission(self, request, view):

    ip_addr = request.META['REMOTE_ADDR'] blacklisted = Blacklist.objects.filter( ip_addr=ip_addr).exists() return not blacklisted

49. class IsOwnerOrReadOnly(permissions.BasePermission): def has_object_permission(self, request, view, obj): if request.method in

    permissions.SAFE_METHODS: return True return obj.owner == request.user

50. One more thing

51. Pérennité http://www.django-rest- framework.org/topics/funding/

52. As a direct result of a successful Mozilla grant application,

    I will be leaving my current role at DabApps, and attempting to secure a sustainable business model for REST framework development. I need your help in order to make this work. -Tom Christie

53. MERCI @linovia_net