Django Fost Authentication

An authentication back-end for Django implementing request signing using strong cryptography. It is based on the request signing mechanism implemented by Amazon for S3.

Both requests and URLs can be signed. Request signing is used where the user agent itself is able to perform the signing (i.e. it knows the API key and secret). URL signing is used where authentication needs to be delegated to a user agent that is not capable of signing the request (or not trusted to).

To use in a Django project

Add the git repository to your pip install file and then use:

pip install -r setup.pip

To your settings.py you need to add the middleware. It doesn’t matter where in the middleware list it is added:

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'fost_authn.Middleware',
)

Unless you’ve already added a custom authentication backend, your settings.py probably doesn’t have the authentication backends set. The following will enable the normal Django authentication (forms/session based) and the Fost authentication:

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'fost_authn.FostBackend',
)

In order to be able to authenticate requests the authentication backend needs to know how to map API keys to secrets and to users.

Finding a secret from an API key is done by giving a function to the FOST_AUTHN_GET_SECRET setting. If this is not configured then the default implementation will use a SHA1 hash of the user’s password field. Because the salt stored in that field changes whenever the password is set, the secret changes too, even if the user sets their password to the same value it had before.

The following is an example of what can be put in the settings.py.

def FOST_AUTHN_GET_SECRET(request, key):
    from myapp.models import api_keys
    return api_keys.objects.get(key=key).secret

Changes to existing Django classes

After installing the authentication middleware the Django HttpRequest object is augmented with a new member, SIGNED, which is a dict holding the signed request header members. If the request has not been properly signed this dict will be empty.

Optional settings

FOST_AUTHN_MISSIGNED_SLEEP_TIME

The amount of time to sleep when a FOST Authorization header is incorrect. Defaults to 0.5 seconds.

FOST_AUTHN_MAXIMUM_CLOCK_SKEW

The maximum allowed difference between the time when the request was signed and the time on the server. Defaults to 300 seconds.

Signing requests

In order to authenticate against the back end, requests must be properly signed. 'fost_auth.signature' includes two functions that can be used for this.

fost_hmac_request_signature(secret, method, path, timestamp, headers = {}, body = '')

The headers are in the form of a dict giving the header name and values. The function returns both the signature and the document that was signed.

It is the responsibility of the caller to correctly place the header values into the request object that is to be used, including the Authorization header.
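
An added example, not code from django-fost-authn: a minimal S3-style HMAC sign/verify pair showing the checks described above (timestamp inside the 300-second skew window, secret looked up from the API key, an empty result when the request is not properly signed). The document layout, HMAC-SHA256, the timestamp format and the names sign, verify and X-Example-User are assumptions for illustration, not the library's wire format.

```python
import hashlib
import hmac
from base64 import b64encode
from datetime import datetime, timedelta, timezone

# Mirrors the FOST_AUTHN_MAXIMUM_CLOCK_SKEW default of 300 seconds.
MAX_CLOCK_SKEW = timedelta(seconds=300)


def sign(secret, method, path, timestamp, headers=None, body=""):
    """Return (signature, document). The document layout is an assumption."""
    headers = headers or {}
    names = sorted(headers)  # fixed order so both sides build the same document
    document = "\n".join(
        [f"{method} {path}", timestamp, " ".join(names)]
        + [headers[n] for n in names]
        + [body]
    )
    mac = hmac.new(secret.encode(), document.encode(), hashlib.sha256)
    return b64encode(mac.digest()).decode(), document


def verify(get_secret, key, signature, method, path, timestamp,
           headers=None, body="", now=None):
    """Return the signed headers, or {} when the request must be rejected."""
    now = now or datetime.now(timezone.utc)
    try:
        signed_at = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
        signed_at = signed_at.replace(tzinfo=timezone.utc)
    except ValueError:
        return {}
    if abs(now - signed_at) > MAX_CLOCK_SKEW:
        return {}  # stale or future-dated: bounds the replay window
    secret = get_secret(key)
    if secret is None:
        return {}  # unknown API key
    expected, _ = sign(secret, method, path, timestamp, headers, body)
    # Constant-time comparison so timing does not leak how much matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return {}
    return dict(headers or {})


if __name__ == "__main__":
    secrets = {"demo-key": "constructed-secret"}  # constructed sample data
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    hdrs = {"X-Example-User": "alice"}
    sig, doc = sign(secrets["demo-key"], "POST", "/api/items/", ts, hdrs, "{}")
    print(verify(secrets.get, "demo-key", sig, "POST", "/api/items/", ts, hdrs, "{}"))
    print(verify(secrets.get, "demo-key", sig, "POST", "/api/other/", ts, hdrs, "{}"))
```
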

Running tests

For best results create a virtualenv, then initialise it with test.pip:

mkvirtualenv django-fost-authn
pip install -r test.pip

Run the tests using:

./runtest

Release History

0.3.8 (this version)
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3

Download Files

django-fost-authn-0.3.8.tar.gz (6.1 kB), Source, uploaded Nov 26, 2013