Closed marcelkornblum closed 9 years ago
Exactly what I were looking for. I think that's impossible for now retrieving who's the user performs the request via the jwt header, beacause you need to use the "authentication_classes" attribute in the ApiView/ViewSet extended class to retrieve the user.
This should be the same behavior with any Authentication class for DRF, since it doesn't happen at a Middleware layer, but at the view layer. An idea would be to perhaps create a custom DRF authentication class or even a view mixin to do whatever you're already doing in your AuditMiddleware
.
Closing this for now.
This happens because the AuthenticationMiddleware
, which sets the user
on the request
expects to use the session store: https://github.com/django/django/blob/0f7f5bc9e7a94ab91c2b3db29ef7cf000eff593f/django/contrib/auth/__init__.py#L159.
This is how I fixed it. I created a new middleware:
from rest_framework.request import Request
from django.utils.functional import SimpleLazyObject
from django.contrib.auth.middleware import get_user
def get_user_jwt(request):
user = get_user(request)
if user.is_authenticated():
return user
try:
user_jwt = JSONWebTokenAuthentication().authenticate(Request(request))
if user_jwt is not None:
return user_jwt[0]
except:
pass
return user
class AuthenticationMiddlewareJWT(object):
def process_request(self, request):
assert hasattr(request, 'session'), "The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'."
request.user = SimpleLazyObject(lambda: get_user_jwt(request))
@cancan101 interesting, thanks for sharing
I think you missed this import:
from rest_framework_jwt.authentication import JSONWebTokenAuthentication
Hi,
I know this post is old, I had same problem using django-audit-log and I applied @cancan101 patch to django-audit-log If you are interested here is the issue I reported: https://github.com/Atomidata/django-audit-log/issues/28
i used @cancan101 solution. Thanks
Django-audit-log already added a fix. So you dont need to monkey patch.
Thanks @klahnen - but im not using the audit_log, i need the request.user in a prprietary middleware
landed here.. still can't get it working.. I noticed that when making a raw $.ajax POST request from my ember app that requires the user being authenticated, despite my jwt token being passed in the AuthorizationHeader, on the backend request.user == AnonymousUser.. I can't figure out how to populate it or why! ugh
@cancan101 thank you for your clean solution, it's working great with the missing import pointed out by @klahnen
:+1: thanks @cancan101, i needed this too
Thanks @cancan101
Thanks @cancan101 and everyone else :+1: However my situation was a little different since we had no use for the session store or django.contrib.auth
-- we are using a lightweight version of django as a microservice for managing user authentication. However, we had 2 views that were non-api that depended on the @login_required
decorator and they would fail obviously due to the AnonymousUser
issue mentioned above. FYI we are also using django for all the other services but using builtin authorization so the service doesn't need to reach out to the users/auth service each time.
Ergo, I borrowed some of @cancan101 's code and made some tweaks.
from django.utils.functional import SimpleLazyObject
from django.contrib.auth.models import AnonymousUser
from rest_framework.request import Request
from rest_framework_jwt.authentication import JSONWebTokenAuthentication
def get_user_jwt(request):
"""
Replacement for django session auth get_user & auth.get_user
JSON Web Token authentication. Inspects the token for the user_id,
attempts to get that user from the DB & assigns the user on the
request object. Otherwise it defaults to AnonymousUser.
This will work with existing decorators like LoginRequired ;)
Returns: instance of user object or AnonymousUser object
"""
user = None
try:
user_jwt = JSONWebTokenAuthentication().authenticate(Request(request))
if user_jwt is not None:
# store the first part from the tuple (user, obj)
user = user_jwt[0]
except:
pass
return user or AnonymousUser()
class JWTAuthenticationMiddleware(object):
""" Middleware for authenticating JSON Web Tokens in Authorize Header """
def process_request(self, request):
request.user = SimpleLazyObject(lambda : get_user_jwt(request))
This forces all requests to have a valid JWT before they can access any of the DRF api resources with the added benefit of still functioning properly with the @login_required
decorator. Ergo, this makes adding something like django-oauth-toolkit a cinch (with a little customization to make it return JWT instead of a stored standard token).
We have actually built a very lightweight version of django skeleton
that we have used for many microservices - each using separate datastores - to much success. I'm actually very impressed with the performance.
If anyone has any questions, suggestions, or improvements I'd love to hear them.
Thanks.
P.S. @jpadilla Is there a chance we can get something like this added into the core package as an option for those users who depend on request.user
to an actual User
instance vs AnonymousUser
- I know its not relative to all cases but it would be very useful. I'd be happy to write the docs and answer any questions about how we're using django for microservices very successfully.
should this be added to the package as an optional include?
@AndrewJHart does it matter where in the middleware ordering this goes?
Django 1.10 style without suppressing exceptions.
# -*- coding: utf-8 -*-
from django.contrib.auth.middleware import get_user
from django.utils.functional import SimpleLazyObject
from rest_framework_jwt.authentication import JSONWebTokenAuthentication
class AuthenticationMiddlewareJWT(object):
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
request.user = SimpleLazyObject(lambda: self.__class__.get_jwt_user(request))
return self.get_response(request)
@staticmethod
def get_jwt_user(request):
user = get_user(request)
if user.is_authenticated:
return user
jwt_authentication = JSONWebTokenAuthentication()
if jwt_authentication.get_jwt_value(request):
user, jwt = jwt_authentication.authenticate(request)
return user
so this will authenticate twice in a request ?
Hi everyone, i have this code:
from django.contrib.auth.middleware import get_user
from django.utils.functional import SimpleLazyObject
from rest_framework_jwt.authentication import JSONWebTokenAuthentication
class AuthenticationMiddlewareJWT(MiddlewareMixin):
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
request.user = SimpleLazyObject(lambda: self.__class__.get_jwt_user(request))
return self.get_response(request)
@staticmethod
def get_jwt_user(request):
user = get_user(request)
if user.is_authenticated:
return user
jwt_authentication = JSONWebTokenAuthentication()
if jwt_authentication.get_jwt_value(request):
user, jwt = jwt_authentication.authenticate(request)
return user
And this jwt_authentication.get_jwt_value(request) always return None.
My configurations is:
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
'rest_framework.authentication.SessionAuthentication',
'rest_framework.authentication.BasicAuthentication',
),
What can be wrong?. Thanks!
@mapeveri You should create a new issue.
It is so cool@cancan101
Hi Folks. I'm having this issue too. I'm new to django-rest-framework-jwt, and somewhat new to DRF. Two questions:
Thank you!
@matthewcornell It doesn't. Which is shit, because with the authentication snippet of @cancan101 above you'll still need two database calls, because the user is authenticated twice instead of once. But I also just did it like this, because the authentication is fast and it felt like a premature optimization. But still, it does not feel very elegant for something as simple as authentication.
Also please note the root cause of this issue is DRF, and not Django itself.
By the way, the following is the same snippet. But then for djangorestframework-simple-jwt:
class AuthenticationMiddlewareJWT(object):
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
request.user = SimpleLazyObject(lambda: self.__class__.get_jwt_user(request))
return self.get_response(request)
@staticmethod
def get_jwt_user(request):
from rest_framework_simplejwt.authentication import JWTAuthentication
user = get_user(request)
if user.is_authenticated:
return user
try:
user_jwt = JWTAuthentication().authenticate(Request(request))
if user_jwt is not None:
return user_jwt[0]
except:
pass
return user # AnonymousUser
Following up on @rserro 's solution, I get a rest_framework.exceptions.AuthenticationFailed
error when the token is expired - at the line user, jwt = jwt_authentication.authenticate(request)
. Has anyone encountered this problem? I can catch the error and return user
(AnonymousUser), but I'd prefer to return a response that indicates the root problem - expiration. Thank you.
@gabn88 Thank you. Question: In your code, you use djangorestframework-simple-jwt's JWTAuthentication
. What does that get you?
This is how I fixed it. I created a new middleware:
from rest_framework.request import Request from django.utils.functional import SimpleLazyObject from django.contrib.auth.middleware import get_user def get_user_jwt(request): user = get_user(request) if user.is_authenticated(): return user try: user_jwt = JSONWebTokenAuthentication().authenticate(Request(request)) if user_jwt is not None: return user_jwt[0] except: pass return user class AuthenticationMiddlewareJWT(object): def process_request(self, request): assert hasattr(request, 'session'), "The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'." request.user = SimpleLazyObject(lambda: get_user_jwt(request))
Not working. It doesn't work and I gets still AnonymousUser. How can I get request.user?
@yerycs
This is how I fixed it. I created a new middleware:
from rest_framework.request import Request from django.utils.functional import SimpleLazyObject from django.contrib.auth.middleware import get_user def get_user_jwt(request): user = get_user(request) if user.is_authenticated(): return user try: user_jwt = JSONWebTokenAuthentication().authenticate(Request(request)) if user_jwt is not None: return user_jwt[0] except: pass return user class AuthenticationMiddlewareJWT(object): def process_request(self, request): assert hasattr(request, 'session'), "The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'." request.user = SimpleLazyObject(lambda: get_user_jwt(request))
Thanks i just customize your idea. It helps thank you
I'm not sure if this is an issue or just because of the implementation, but I was using middleware to log user_id against records being edited, and I couldn't get request.user at the middleware level (and so of course request.user.is_authorized() returned False).
The middleware was the last one on the list, and authorization was working (I would get a 403 requesting assets without my token header). I tried putting
'rest_framework_jwt.authentication.JSONWebTokenAuthentication'
at the top ofDEFAULT_AUTHENTICATION_CLASSES
, and also making it the only item in the tuple; neither worked.I've managed to work around my issue by accessing the header and using the tools directly in the app to retrieve the user; essentially I copied chunks of your code into my middleware, but I thought you should know :)
If you're interested, here's the middleware: