PB-1366: make new auth work for write requests. #502
Merged
Django is configured to use CSRF mitigation tokens. This only works for clients that are web browsers. Typical API clients are not web browsers, do not keep track of cookies and fail CSRF mitigation checks. The old token authentication method works around that by disabling CSRF mitigation when that authentication method is used. With this change, we do the same for the new token authentication method.
In PB-1009 we implemented the new authentication method for the Admin UI. This change does the same for the API endpoints and adds tests exercising it.
The API endpoints are rest_framework views that rely on authentication methods defined by the REST framework, which is different from the Admin UI authentication plumbing. To support both, we need to have modules for both even though they basically do the same thing.
Specifically:
- api_gateway_authentication as rest_framework authentication module
- api_gateway_middleware as generic Django authentication module (for Admin UI)
- api_gateway module

This is all flag-guarded behind FEATURE_AUTH_ENABLE_APIGW.