Restore session id (#905)

* Restore session id when we use token authorization.
6 years ago · c0f1854f79
parent 72517557d3
commit c0f1854f79
3 changed files with 16 additions and 4 deletions
--- a/cvat/apps/authentication/auth.py
+++ b/cvat/apps/authentication/auth.py
@ -2,7 +2,6 @@
 #
 # SPDX-License-Identifier: MIT

-import os
 from django.conf import settings
 from django.db.models import Q
 import rules
@ -11,6 +10,20 @@ from . import signature
 from rest_framework.permissions import BasePermission
 from django.core import signing
 from rest_framework import authentication, exceptions
+from rest_framework.authentication import TokenAuthentication as _TokenAuthentication
+from django.contrib.auth import login
+
+# Even with token authorization it is very important to have a valid session id
+# in cookies because in some cases we cannot use token authorization (e.g. when
+# we redirect to the server in UI using just URL). To overkill that we override
+# the class to call `login` method which restores the session id in cookies.
+class TokenAuthentication(_TokenAuthentication):
+    def authenticate(self, request):
+        auth = super().authenticate(request)
+        session = getattr(request, 'session')
+        if auth is not None and session.session_key is None:
+            login(request, auth[0], 'django.contrib.auth.backends.ModelBackend')
+        return auth

 def register_signals():
    from django.db.models.signals import post_migrate, post_save
--- a/cvat/apps/authentication/decorators.py
+++ b/cvat/apps/authentication/decorators.py
@ -8,7 +8,7 @@ from django.views.generic import RedirectView
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.http import JsonResponse
 from django.conf import settings
-from rest_framework.authentication import TokenAuthentication
+from cvat.apps.authentication.auth import TokenAuthentication

 def login_required(function=None, redirect_field_name=REDIRECT_FIELD_NAME,
    login_url=None, redirect_methods=['GET']):
@ -21,7 +21,6 @@ def login_required(function=None, redirect_field_name=REDIRECT_FIELD_NAME,
                tokenAuth = TokenAuthentication()
                auth = tokenAuth.authenticate(request)
                if auth is not None:
-                    request.user = auth[0]
                    return view_func(request, *args, **kwargs)

                login_url = '{}/login'.format(settings.UI_URL)
--- a/cvat/settings/base.py
+++ b/cvat/settings/base.py
@ -124,7 +124,7 @@ REST_FRAMEWORK = {
        'rest_framework.permissions.IsAuthenticated',
    ],
    'DEFAULT_AUTHENTICATION_CLASSES': [
-        'rest_framework.authentication.TokenAuthentication',
+        'cvat.apps.authentication.auth.TokenAuthentication',
        'cvat.apps.authentication.auth.SignatureAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication'