HTTP basic auth decorator

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
from functools import wraps

def http_basic_auth(func):
    @wraps(func)
    def _decorator(request, *args, **kwargs):
        from django.contrib.auth import authenticate, login
        if request.META.has_key('HTTP_AUTHORIZATION'):
            authmeth, auth = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
            if authmeth.lower() == 'basic':
                auth = auth.strip().decode('base64')
                username, password = auth.split(':', 1)
                user = authenticate(username=username, password=password)
                if user:
                    login(request, user)
        return func(request, *args, **kwargs)
    return _decorator

More like this

  1. HTTP (basic) auth enabled (new-style) syndication framework feed class by hupf 3 years, 4 months ago
  2. Require Login Middleware by mattgrayson 5 years, 4 months ago
  3. xmlrpc basic auth by jackherer 6 years, 6 months ago
  4. view by view basic authentication decorator by Scanner 6 years, 11 months ago
  5. SWFUpload auth decorator by debrice 5 years, 1 month ago

Comments

peterbe (on February 2, 2009):

?? So if you fail the basic auth popup, it redirects to the web based login? How are REST apps going to like that?

What's wrong with snippet 243?

#

bthomas (on February 5, 2009):

Snippet 243 should definitely be used for REST-only views, there's nothing wrong with it.

The views I am applying this to will be mainly serving HTML to users, and XML/JSON to REST apps if they request it. I don't want normal users getting a 401 (and browser requesting credentials) if they navigate to a page while not logged in. REST apps probably won't like the redirect either, but I'm just more concerned about the experience for humans in this case.

#

babbbrak_poradny (on November 7, 2013):

If there is no such entry: request.META['HTTP_AUTHORIZATION'] and you use Django on Apache, READ THIS: http://stackoverflow.com/questions/13387516/authorization-header-missing-in-django-rest-framework-is-apache-to-blame Apache in default deletes HTTP_AUTHORIZATION header for CGI.

#

(Forgotten your password?)