Initial version of Django REST Framework SSO

Author: lnagel

.gitignore

@@ -0,0 +1,10 @@
+# IDE stuff
+.idea/
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so

rest_framework_sso/__init__.py

@@ -0,0 +1,11 @@
+# coding: utf-8
+from __future__ import absolute_import, unicode_literals
+
+__title__ = 'djangorestframework-sso'
+__version__ = '0.0.1'
+__author__ = 'Lenno Nagel'
+__license__ = 'MIT'
+__copyright__ = 'Copyright 2016 Namespace OÜ'
+
+# Version synonym
+VERSION = __version__

rest_framework_sso/authentication.py

@@ -0,0 +1,81 @@
+# coding: utf-8
+from __future__ import absolute_import, unicode_literals
+
+import jwt
+from django.contrib.auth import get_user_model
+from django.utils.translation import ugettext as _
+from rest_framework import exceptions
+from rest_framework.authentication import (
+    BaseAuthentication, get_authorization_header
+)
+
+from rest_framework_sso.settings import api_settings
+
+decode_jwt_token = api_settings.DECODE_JWT_TOKEN
+
+
+class JWTAuthentication(BaseAuthentication):
+    """
+    JWT token based authentication.
+
+    Clients should authenticate by passing the token key in the "Authorization"
+    HTTP header, prepended with the string "JWT ".  For example:
+
+        Authorization: JWT eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJsb2NhbG...
+    """
+
+    def authenticate(self, request):
+        auth = get_authorization_header(request).split()
+
+        if not auth or auth[0].lower() != api_settings.AUTHENTICATE_HEADER.lower().encode('utf-8'):
+            return None
+
+        if len(auth) == 1:
+            msg = _('Invalid token header. No credentials provided.')
+            raise exceptions.AuthenticationFailed(msg)
+        elif len(auth) > 2:
+            msg = _('Invalid token header. Token string should not contain spaces.')
+            raise exceptions.AuthenticationFailed(msg)
+
+        try:
+            token = auth[1].decode()
+        except UnicodeError:
+            msg = _('Invalid token header. Token string should not contain invalid characters.')
+            raise exceptions.AuthenticationFailed(msg)
+
+        try:
+            payload = decode_jwt_token(token=token)
+        except jwt.ExpiredSignature:
+            msg = _('Signature has expired.')
+            raise exceptions.AuthenticationFailed(msg)
+        except jwt.DecodeError:
+            msg = _('Error decoding signature.')
+            raise exceptions.AuthenticationFailed(msg)
+        except jwt.InvalidTokenError:
+            raise exceptions.AuthenticationFailed()
+
+        return self.authenticate_credentials(payload=payload)
+
+    def authenticate_credentials(self, payload):
+        from rest_framework_sso.models import SessionToken
+
+        user_model = get_user_model()
+
+        if not SessionToken._meta.abstract:
+            try:
+                SessionToken.objects.active().get(pk=payload.get('sid'), uid=payload.get('uid'))
+            except SessionToken.DoesNotExist:
+                raise exceptions.AuthenticationFailed(_('Invalid token.'))
+
+        try:
+            user = user_model.objects.get(pk=payload.get('uid'))
+        except user_model.DoesNotExist:
+            raise exceptions.AuthenticationFailed(_('Invalid token.'))
+
+        if not user.is_active:
+            raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))
+
+        return user, payload
+
+    def authenticate_header(self, request):
+        return api_settings.AUTHENTICATE_HEADER

rest_framework_sso/migrations/0001_initial.py

@@ -0,0 +1,36 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.9.4 on 2016-06-20 08:04
+from __future__ import unicode_literals
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='SessionToken',
+            fields=[
+                ('id', models.UUIDField(db_index=True, default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('ip_address', models.GenericIPAddressField(blank=True, db_index=True, null=True)),
+                ('user_agent', models.CharField(blank=True, max_length=1000)),
+                ('created_at', models.DateTimeField(auto_now_add=True, db_index=True)),
+                ('revoked_at', models.DateTimeField(blank=True, db_index=True, null=True)),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='+', to=settings.AUTH_USER_MODEL, verbose_name='user')),
+            ],
+            options={
+                'abstract': False,
+                'verbose_name': 'Session token',
+                'verbose_name_plural': 'Session tokens',
+            },
+        ),
+    ]

rest_framework_sso/migrations/__init__.py

@@ -0,0 +1,62 @@
+# coding: utf-8
+from __future__ import absolute_import, unicode_literals
+
+import uuid
+
+from django.conf import settings
+from django.db import models
+from django.utils import six
+from django.utils.encoding import python_2_unicode_compatible
+from django.utils.translation import ugettext_lazy as _
+
+# Prior to Django 1.5, the AUTH_USER_MODEL setting does not exist.
+# Note that we don't perform this code in the compat module due to
+# bug report #1297
+# See: https://github.com/tomchristie/django-rest-framework/issues/1297
+from rest_framework_sso.querysets import SessionTokenQuerySet
+
+AUTH_USER_MODEL = getattr(settings, 'AUTH_USER_MODEL', 'auth.User')
+
+
+@python_2_unicode_compatible
+class SessionToken(models.Model):
+    """
+    The default session token model.
+    """
+    id = models.UUIDField(
+        primary_key=True,
+        default=uuid.uuid4,
+        editable=False,
+        db_index=True,
+    )
+    user = models.ForeignKey(
+        to=AUTH_USER_MODEL,
+        related_name='+',
+        on_delete=models.CASCADE,
+        verbose_name=_("user"),
+    )
+    ip_address = models.GenericIPAddressField(null=True, blank=True, db_index=True)
+    user_agent = models.CharField(max_length=1000, blank=True)
+    created_at = models.DateTimeField(auto_now_add=True, db_index=True)
+    revoked_at = models.DateTimeField(null=True, blank=True, db_index=True)
+
+    objects = SessionTokenQuerySet.as_manager()
+
+    class Meta:
+        # Work around for a bug in Django:
+        # https://code.djangoproject.com/ticket/19422
+        #
+        # Also see corresponding ticket:
+        # https://github.com/tomchristie/django-rest-framework/issues/705
+        abstract = 'rest_framework_sso' not in settings.INSTALLED_APPS
+        verbose_name = _("Session token")
+        verbose_name_plural = _("Session tokens")
+
+    def __str__(self):
+        return six.text_type(self.id)
+
+    def update_attributes(self, request):
+        self.ip_address = request.META.get('HTTP_X_FORWARDED_FOR') \
+            if request.META.get('HTTP_X_FORWARDED_FOR') \
+            else request.META.get('REMOTE_ADDR')
+        self.user_agent = request.META.get('HTTP_USER_AGENT')[:1000]

rest_framework_sso/models.py

@@ -0,0 +1,27 @@
+# coding: utf-8
+from __future__ import absolute_import, unicode_literals
+
+from django.db.models import QuerySet, Q
+from django.utils import timezone
+
+
+class SessionTokenQuerySet(QuerySet):
+    def active(self):
+        return self.filter(Q(revoked_at__isnull=True) | Q(revoked_at__gt=timezone.now()))
+
+    def first_or_create(self, defaults=None, **kwargs):
+        """
+        Looks up an object with the given kwargs, creating one if necessary.
+        Returns a tuple of (object, created), where created is a boolean
+        specifying whether an object was created.
+        """
+        lookup, params = self._extract_model_params(defaults, **kwargs)
+        # The get() needs to be targeted at the write database in order
+        # to avoid potential transaction consistency problems.
+        self._for_write = True
+
+        obj = self.filter(**lookup).first()
+        if obj:
+            return obj, False
+        else:
+            return self._create_object_from_params(lookup, params)

rest_framework_sso/querysets.py

@@ -0,0 +1,37 @@
+# coding: utf-8
+from __future__ import absolute_import, unicode_literals
+
+from django.contrib.auth import authenticate
+from django.utils.translation import ugettext_lazy as _
+from rest_framework import serializers
+
+from rest_framework_sso.settings import api_settings
+
+create_authorization_payload = api_settings.CREATE_AUTHORIZATION_PAYLOAD
+encode_jwt_token = api_settings.ENCODE_JWT_TOKEN
+
+
+class SessionTokenSerializer(serializers.Serializer):
+    username = serializers.CharField(label=_("Username"))
+    password = serializers.CharField(label=_("Password"), style={'input_type': 'password'})
+
+    def validate(self, attrs):
+        username = attrs.get('username')
+        password = attrs.get('password')
+
+        if username and password:
+            user = authenticate(username=username, password=password)
+
+            if user:
+                if not user.is_active:
+                    msg = _('User account is disabled.')
+                    raise serializers.ValidationError(msg)
+            else:
+                msg = _('Unable to log in with provided credentials.')
+                raise serializers.ValidationError(msg)
+        else:
+            msg = _('Must include "username" and "password".')
+            raise serializers.ValidationError(msg)
+
+        attrs['user'] = user
+        return attrs

rest_framework_sso/serializers.py

@@ -0,0 +1,44 @@
+# coding: utf-8
+from __future__ import absolute_import, unicode_literals
+
+import datetime
+
+from django.conf import settings
+from rest_framework.settings import APISettings
+
+
+USER_SETTINGS = getattr(settings, 'REST_FRAMEWORK_SSO', None)
+
+DEFAULTS = {
+    'CREATE_SESSION_PAYLOAD': 'rest_framework_sso.utils.create_session_payload',
+    'CREATE_AUTHORIZATION_PAYLOAD': 'rest_framework_sso.utils.create_authorization_payload',
+    'ENCODE_JWT_TOKEN': 'rest_framework_sso.utils.encode_jwt_token',
+    'DECODE_JWT_TOKEN': 'rest_framework_sso.utils.decode_jwt_token',
+
+    'ENCODE_ALGORITHM': 'RS256',
+    'DECODE_ALGORITHMS': None,
+    'VERIFY_SIGNATURE': True,
+    'VERIFY_EXPIRATION': True,
+    'EXPIRATION_LEEWAY': 0,
+    'SESSION_EXPIRATION': None,
+    'AUTHORIZATION_EXPIRATION': datetime.timedelta(seconds=300),
+
+    'IDENTITY': None,
+    'SESSION_AUDIENCE': None,
+    'AUTHORIZATION_AUDIENCE': None,
+    'ACCEPTED_ISSUERS': None,
+    'PUBLIC_KEYS': {},
+    'PRIVATE_KEYS': {},
+
+    'AUTHENTICATE_HEADER': 'JWT',
+}
+
+# List of settings that may be in string import notation.
+IMPORT_STRINGS = (
+    'CREATE_SESSION_PAYLOAD',
+    'CREATE_AUTHORIZATION_PAYLOAD',
+    'ENCODE_JWT_TOKEN',
+    'DECODE_JWT_TOKEN',
+)
+
+api_settings = APISettings(USER_SETTINGS, DEFAULTS, IMPORT_STRINGS)