
ByPass Django Basic Auth

I am trying to bypass Django's built-in auth because I want to use Firebase Auth on the frontend, and the backend only receives the id_token.

The Middleware is as follows:

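class FireBaseAuth(MiddlewareMixin):
    """Authenticate API requests with a Firebase ID token.

    The token is read from the ``FB-ACCESS-TOKEN`` request header (Django
    exposes it as ``request.META["HTTP_FB_ACCESS_TOKEN"]``), verified with the
    Firebase Admin SDK, mapped to a local ``User`` by e-mail address and
    attached to ``request.user``.  Paths whose last segment is listed in
    ``EXCLUDE_AUTH_ENDPOINTS`` are passed through without a token.

    NOTE(review): DRF's ``APIView`` resolves ``request.user`` through its
    ``authentication_classes`` rather than reading the Django request
    directly; the user attached here only reaches a DRF view whose
    authenticator consults ``request._request.user`` (e.g.
    ``SessionAuthentication``) — confirm against the project's
    ``DEFAULT_AUTHENTICATION_CLASSES``.
    NOTE(review): header names containing underscores are dropped by some
    reverse proxies (nginx does so by default); the client should send the
    header as ``FB-ACCESS-TOKEN`` with hyphens.
    """

    # Prefix for every log line emitted by this middleware.
    LOG_TAG = "[FireBase Auth]"

    def __init__(self, get_response):
        # MiddlewareMixin stores get_response itself; delegating keeps any
        # base-class setup (e.g. async detection) intact.
        super().__init__(get_response)

    def __call__(self, request):
        """Run the token check and short-circuit with its response on failure.

        ``process_request`` returns either the request (authenticated or
        excluded) or an ``HttpResponse`` rejecting it.  The rejection must be
        returned directly: forwarding it to ``get_response`` would hand a 401
        response to the next handler as if it were the request.  No
        ``process_response`` hook is defined on this class, so none is called.
        """
        outcome = self.process_request(request)
        if isinstance(outcome, HttpResponse):
            return outcome
        # process_request mutates the request in place, so the original
        # object carries the resolved user.
        return self.get_response(request)

    def process_request(self, request):
        """Validate the Firebase token carried by *request*.

        Returns *request* (with ``request.user`` set) when the caller is
        authenticated or the path is excluded; otherwise an ``HttpResponse``
        with status 401 (missing/invalid/expired token, unverified e-mail) or
        400 (no local user matches the Firebase e-mail).
        """
        tag = self.LOG_TAG
        logger.info(f"{tag} Request path: {request.path}")
        # The exclusion list is compared against the LAST path segment only:
        # any URL whose final segment appears in EXCLUDE_AUTH_ENDPOINTS skips
        # the token check regardless of its prefix.  Compare the full path if
        # the list is meant to name specific endpoints.
        if request.path.rstrip('/').split('/')[-1] in EXCLUDE_AUTH_ENDPOINTS:
            logger.info(f"{tag} Skipping auth check for: {request.path}")
            return request

        token = request.META.get("HTTP_FB_ACCESS_TOKEN")
        if not token:
            logger.info(f"{tag} No token found")
            return self._unauthorized("Unauthorized")

        try:
            claims = auth.verify_id_token(token)
            if not claims:
                logger.info(f"{tag} No info found against token")
                return self._unauthorized("Unauthorized")

            # Re-fetch the account so email_verified reflects Firebase's
            # current record rather than the claims frozen into the token.
            fb_user = auth.get_user_by_email(claims['email'])
            if not fb_user.email_verified:
                logger.info(f"{tag} User email not verified")
                return self._unauthorized("User email not verified")
            logger.info(f"{tag} Got user[{fb_user.email}] from firebase")

            # Accounts are not auto-provisioned: an e-mail with no local
            # User row is rejected rather than created.
            user = User.objects.filter(email=fb_user.email).first()
            if not user:
                logger.info(f"{tag} User not Found")
                return HttpResponse("User email not Found",
                                    status=status.HTTP_400_BAD_REQUEST)
            logger.info(f"{tag} User Found. {user.id}")

            request.user = user
            logger.info(f"{tag} Updated request user")
            return request

        except Exception as e:
            # Any SDK or lookup failure is reported as 401.  logger.exception
            # records the active traceback, replacing the manual
            # sys.exc_info()/traceback.format_exception dance.
            logger.exception(f"{tag} Token verification failed")
            reason = 'Token Expired' if 'expired' in str(e) else 'Invalid Token'
            return self._unauthorized(f"Unauthorized. {reason}")

    @staticmethod
    def _unauthorized(message):
        """Build a 401 response whose body is *message*."""
        return HttpResponse(message, status=status.HTTP_401_UNAUTHORIZED)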

The settings file is as follows:

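# Order matters: each entry sees the request after the ones above it and the
# response before them.  The original list named SecurityMiddleware twice;
# the duplicate did nothing the first entry does not already do and is dropped.
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    # NOTE(review): with CsrfViewMiddleware disabled, every session-backed
    # view (the admin included) loses CSRF protection.  If it was disabled
    # to accept token-authenticated API calls, exempt those views instead.
    # 'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    # NOTE(review): django-cors-headers documents CorsMiddleware as needing
    # to sit above any middleware that can return a response early (e.g.
    # CommonMiddleware); left in place here — verify preflight responses.
    'corsheaders.middleware.CorsMiddleware',
    'ts.middleware.AddSecurityHeadersMiddleware',
    # Runs last so request.user from AuthenticationMiddleware is already set
    # and is replaced by the Firebase-resolved user.
    'ts.middleware.FireBaseAuth',
]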

And the view looks like this:

class GetUserAPIView(APIView):
    """
    Get user data
    """
    # authentication_classes = [JWTAuthentication]
    # permission_classes = [IsAuthenticated]

    def get(self, request):
        """
        Return data of user
        :param request: get request
        """
        api_name = " [GET: user/get_user_data] "
        try:
            # device_token = request.query_params.get('device_token', "")
            # device_type = request.query_params.get('device_type', "")
            user = request.user
............. and goes on

The issue is that request.user is an AnonymousUser object, and the custom headers are also missing from the request.

How do I bypass the auth middlewares that do not alter the request?

I tried rearranging the middlewares, but it did not work. Removing the auth middleware is not an option either, since I am also using the Django admin.
