30 lines
1.3 KiB
Python
30 lines
1.3 KiB
Python
"""Django Rest Framework Authentication classes for cross-domain end-points."""
|
|
from rest_framework import authentication
|
|
from cors_csrf.helpers import is_cross_domain_request_allowed, skip_cross_domain_referer_check
|
|
|
|
|
|
class SessionAuthenticationCrossDomainCsrf(authentication.SessionAuthentication):
|
|
"""Session authentication that skips the referer check over secure connections.
|
|
|
|
Django Rest Framework's `SessionAuthentication` class calls Django's
|
|
CSRF middleware implementation directly, which bypasses the middleware
|
|
stack.
|
|
|
|
This version of `SessionAuthentication` performs the same workaround
|
|
as `CorsCSRFMiddleware` to skip the referer check for whitelisted
|
|
domains over a secure connection. See `cors_csrf.middleware` for
|
|
more information.
|
|
|
|
Since this subclass overrides only the `enforce_csrf()` method,
|
|
it can be mixed in with other `SessionAuthentication` subclasses.
|
|
|
|
"""
|
|
|
|
def enforce_csrf(self, request):
|
|
"""Skip the referer check if the cross-domain request is allowed. """
|
|
if is_cross_domain_request_allowed(request):
|
|
with skip_cross_domain_referer_check(request):
|
|
return super(SessionAuthenticationCrossDomainCsrf, self).enforce_csrf(request)
|
|
else:
|
|
return super(SessionAuthenticationCrossDomainCsrf, self).enforce_csrf(request)
|