Skip to main content

Temporary Django REST Framework permission-scoped token

Project description

Build Status Requirements Status

rest_framework_tmp_scoped_token provides a Django REST Framework-compatible system to generate and validate signed authorization tokens. Generated tokens contain the ID of a user on whose behalf the token bearer authenticates, a white-list of HTTP verbs and API endpoints that the bearer is permitted to access, an max-lifespan of the token, and a note about the intended recipient.

Usage

Authorization

Add rest_framework_tmp_scoped_token.TokenAuth to the DEFAULT_AUTHENTICATION_CLASSES section of your REST_FRAMEWORK settings in settings.py:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        # ... Your other forms of auth
        'rest_framework_tmp_scoped_token.TokenAuth',
    )
}

To authenticate with an temporary permissions token, make a request with the token included in either:

  • the Authorization HTTP header with a TmpToken keyword:

    Authorization: TmpToken eyJzb21ldGhpbmctc2VjcmV0IjoiaG9wZSBub2JvZHkgc2VlcyB0aGlzIn0:1d47N6:woJG0EgLNDb0OjYQmCbsjniP-2Y
  • a TOKEN GET query parameter:

    /api/?TOKEN=eyJzb21ldGhpbmctc2VjcmV0IjoiaG9wZSBub2JvZHkgc2VlcyB0aGlzIn0:1d47N6:woJG0EgLNDb0OjYQmCbsjniP-2Y

If you would like to customize either the Authorization header keyword or the GET query parameter used, you can subclass the rest_framework_tmp_scoped_token.TokenAuth class and override the keyword or get_param values.

Token

To generate a token, use the rest_framework_tmp_scoped_token.TokenManager class. The token encompasses the following information:

  • user: User that will be authenticated by token.

  • endpoints: key:value pairs of HTTP methods and endpoint roots that token is authorized to access. The following values would authorize the token to make GET requests to any endpoints that begin with ‘api/v1/foo:

    {'GET': ['/api/v1/foo']}

    NOTE: This this token will not override any existing permissions for its associatted User within the system. It only adds further restrictions to the endpoints that can be accessed.

  • max_age: How long, in seconds, the token will be valid. By default, tokens will be valid for 1 hour. Non-expiring tokens are not supported.

  • recipient: (Optional) A textual description of the recipient for which this token was intended. No validation is done with this data, however it is appended to the request as a X-API-Token-Recipient header by the accompanying DRF authentication scheme. This is for tracking purposes

NOTE: The tokens are signed via Django’s `signing <https://docs.djangoproject.com/en/dev/topics/signing/>`__ facility. It is important to know that the tokens are not encrypted, they are simply signed. For this reason, you should not include any sensitive/secret information in the tokens. For an example, notice how easy it is to view the contents of a signed string:

In [1]: from django.core import signing

In [2]: t = signing.dumps({'something-secret': 'hope nobody sees this'})

In [3]: print(t)
eyJzb21ldGhpbmctc2VjcmV0IjoiaG9wZSBub2JvZHkgc2VlcyB0aGlzIn0:1d47N6:woJG0EgLNDb0OjYQmCbsjniP-2Y

In [4]: import base64

In [5]: print(base64.urlsafe_b64decode(t.encode('utf8')))
b'{"something-secret":"hope nobody sees this"}5w\x8e\xcd\xeb\n\t\x1bA ,\xd0\xdb\xd0\xe8\xd8B`\x9b\xb29\xe2?\xed\x98'

Contributing

Testing

pip install -r requirements-test.txt
./runtests

Deploying

pip install -r requirements-deploy.txt
python setup.py test clean build tag publish

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

drf-tmp-scoped-token-0.2.1.tar.gz (7.5 kB view details)

Uploaded Source

Built Distribution

drf_tmp_scoped_token-0.2.1-py3-none-any.whl (11.7 kB view details)

Uploaded Python 3

File details

Details for the file drf-tmp-scoped-token-0.2.1.tar.gz.

File metadata

File hashes

Hashes for drf-tmp-scoped-token-0.2.1.tar.gz
Algorithm Hash digest
SHA256 173f9bde36928d71d41d007345e29c9d3c10feafd36e58411a056faafeb97a76
MD5 904348910f8c0ad6abbf7b25bb30c064
BLAKE2b-256 b2862a03971a7b0393e014f84d26e286624e0fa7fb06ab51f9e0f7b644e2607d

See more details on using hashes here.

File details

Details for the file drf_tmp_scoped_token-0.2.1-py3-none-any.whl.

File metadata

File hashes

Hashes for drf_tmp_scoped_token-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 b8b38ad127fee4844f097575d68e20a121dce7cd87176ba14dcc097a595d8ddc
MD5 bfd6045f8d1b9fcf8f96f4f4d2d5741f
BLAKE2b-256 f08f03de9b6fa34f2451bd46c66c5902ee069853f7eaee466cdffa96a7334615

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page