From 3c74bf8bbac2863a229b3b7b53b358ab4d2ec38c Mon Sep 17 00:00:00 2001 From: Piero Toffanin Date: Mon, 10 Apr 2017 17:19:04 -0400 Subject: [PATCH] Added JWT token passing via querystring --- app/api/authentication.py | 6 ++++++ app/tests/test_api.py | 7 ++++++- slate/source/includes/reference/_authentication.md | 11 +++++++++++ slate/source/includes/reference/_task.md | 2 ++ webodm/settings.py | 1 + 5 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 app/api/authentication.py diff --git a/app/api/authentication.py b/app/api/authentication.py new file mode 100644 index 00000000..c95c14ad --- /dev/null +++ b/app/api/authentication.py @@ -0,0 +1,6 @@ +from rest_framework_jwt.authentication import BaseJSONWebTokenAuthentication + + +class JSONWebTokenAuthenticationQS(BaseJSONWebTokenAuthentication): + def get_jwt_value(self, request): + return request.query_params.get('jwt') \ No newline at end of file diff --git a/app/tests/test_api.py b/app/tests/test_api.py index c2ce9b09..ac6a538c 100644 --- a/app/tests/test_api.py +++ b/app/tests/test_api.py @@ -413,8 +413,13 @@ class TestApi(BootTestCase): token = res.data['token'] self.assertTrue(len(token) > 0) - # Can access resources by passing token + # Can access resources by passing token via querystring + res = client.get('/api/processingnodes/?jwt={}'.format(token)) + self.assertEqual(res.status_code, status.HTTP_200_OK) + + # Can access resources by passing token via header client = APIClient(HTTP_AUTHORIZATION="{0} {1}".format(api_settings.JWT_AUTH_HEADER_PREFIX, token)) res = client.get('/api/processingnodes/') self.assertEqual(res.status_code, status.HTTP_200_OK) + diff --git a/slate/source/includes/reference/_authentication.md b/slate/source/includes/reference/_authentication.md index a6fea15d..9e584e91 100644 --- a/slate/source/includes/reference/_authentication.md +++ b/slate/source/includes/reference/_authentication.md @@ -18,6 +18,15 @@ curl -H "Authorization: JWT " http://localhost:8000/api/projects/ {"count":13, ...} ``` +> Use authentication token via querystring (less secure): + +```bash +curl http://localhost:8000/api/projects/?jwt= + +{"count":13, ...} +``` + + `POST /api/token-auth/` Field | Type | Description @@ -34,3 +43,5 @@ Header | Authorization: JWT `your_token` | The token expires after a set amount of time. The expiration time is dependent on WebODM's settings. You will need to request another token when a token expires. + +Since applications sometimes do not allow headers to be modified, you can also authenticate by appending the `jwt` querystring parameter to a protected URL. This is less secure, so pass the token via header if possible. diff --git a/slate/source/includes/reference/_task.md b/slate/source/includes/reference/_task.md index bc23f6fb..bc053cf8 100644 --- a/slate/source/includes/reference/_task.md +++ b/slate/source/includes/reference/_task.md @@ -184,6 +184,8 @@ If a [Task](#task) has been canceled or has failed processing, or has completed After a task has been successfully processed, a TMS layer is made available for inclusion in programs such as [Leaflet](http://leafletjs.com/) or [Cesium](http://cesiumjs.org). + + ### Pending Actions In some circumstances, a [Task](#task) can have a pending action that requires some amount of time to be performed. diff --git a/webodm/settings.py b/webodm/settings.py index 2b5285b1..d9a74c1e 100644 --- a/webodm/settings.py +++ b/webodm/settings.py @@ -230,6 +230,7 @@ REST_FRAMEWORK = { 'rest_framework.authentication.SessionAuthentication', 'rest_framework.authentication.BasicAuthentication', 'rest_framework_jwt.authentication.JSONWebTokenAuthentication', + 'app.api.authentication.JSONWebTokenAuthenticationQS', ), 'PAGE_SIZE': 10, }