HTTP basic auth decorator

Author: bthomas
Posted: February 2, 2009
Language: Python
Version: 1.0
Tags: basic authentication decorator auth
Score: 0 (after 0 ratings)

This is a somewhat simpler alternative to http://www.djangosnippets.org/snippets/243/ that does not return a 401 response. It's meant to be used along with the login_required decorator as an alternative way to authenticate to REST-enabled views.

Usage:

@http_basic_auth
@login_required
def my_view(request):
    ...

If an HTTP basic auth header is provided, the request will be authenticated before the login_required check happens. Otherwise, the normal redirect to the login page occurs.

import base64
from functools import wraps

def http_basic_auth(func):
    @wraps(func)
    def _decorator(request, *args, **kwargs):
        from django.contrib.auth import authenticate, login
        # Header value has the form "Basic <base64(username:password)>"
        authmeth, _, auth = request.META.get('HTTP_AUTHORIZATION', '').partition(' ')
        if authmeth.lower() == 'basic':
            try:
                auth = base64.b64decode(auth.strip()).decode('utf-8')
            except ValueError:
                # Malformed credentials: skip, login_required handles the request
                auth = ''
            username, sep, password = auth.partition(':')
            if sep:
                user = authenticate(username=username, password=password)
                if user:
                    login(request, user)
        return func(request, *args, **kwargs)
    return _decorator
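
The header-parsing step of the decorator, isolated so it can be exercised without Django. This is an added example, not part of the original snippet; `parse_basic_auth`, `b64` and the sample headers are constructed for illustration. It returns `None` for every header the decorator should ignore, so a malformed `Authorization` value falls through to `login_required` instead of raising.

```python
import base64
import binascii


def parse_basic_auth(header):
    """Return (username, password) from an Authorization header value,
    or None when the header is absent, not Basic, or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(' ')
    if scheme.lower() != 'basic' or not token.strip():
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(token.strip(), validate=True)
        decoded = raw.decode('utf-8')
    except (binascii.Error, ValueError):
        return None
    # Only the first colon separates the fields; a password may contain ':'.
    username, sep, password = decoded.partition(':')
    if not sep:
        return None
    return username, password


def b64(text):
    """Helper to build constructed sample headers."""
    return base64.b64encode(text.encode('utf-8')).decode('ascii')


# Constructed sample headers (not from the original page).
SAMPLES = {
    'valid': 'Basic ' + b64('alice:s3cret'),
    'colon in password': 'basic ' + b64('alice:a:b:c'),
    'other scheme': 'Bearer abc.def.ghi',
    'no credentials': 'Basic',
    'bad base64': 'Basic !!!not-base64!!!',
    'no colon': 'Basic ' + b64('alice'),
}

if __name__ == '__main__':
    for label, value in SAMPLES.items():
        print(label, '->', parse_basic_auth(value))
```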

Comments

peterbe (on February 2, 2009):

?? So if you fail the basic auth popup, it redirects to the web based login? How are REST apps going to like that?

What's wrong with snippet 243?


bthomas (on February 5, 2009):

Snippet 243 should definitely be used for REST-only views, there's nothing wrong with it.

The views I am applying this to will be mainly serving HTML to users, and XML/JSON to REST apps if they request it. I don't want normal users getting a 401 (and browser requesting credentials) if they navigate to a page while not logged in. REST apps probably won't like the redirect either, but I'm just more concerned about the experience for humans in this case.


babbbrak_poradny (on November 7, 2013):

If there is no such entry: request.META['HTTP_AUTHORIZATION'] and you use Django on Apache, READ THIS: http://stackoverflow.com/questions/13387516/authorization-header-missing-in-django-rest-framework-is-apache-to-blame. Apache by default deletes the HTTP_AUTHORIZATION header for CGI.
