django-axes compatibility

[aleksihakli]

A user recently reported an issue with using django-oauth-toolkit with django-axes in jazzband/django-axes#426

The problem is that the request object offered by the django-oauth-toolkit does not seem to be a Django HttpRequest object with the request.META and other necessary HttpRequest attributes. Is there an ideal way to offer a solution for compatibility?

[nickdjones]

So I did manage to get this working in the end, I managed to do it by editing just the custom validator for DOT and it's an extremely dirty hack so this is more if anyone else is having the same issue rather than any sort of permanent fix:

from axes.helpers import get_client_ip_address, get_client_user_agent
from django.contrib.auth import authenticate
from django.http import HttpRequest, QueryDict
from oauth2_provider.oauth2_validators import OAuth2Validator


class MyOAuth2Validator(OAuth2Validator):
    def validate_user(self, username, password, client, request, *args, **kwargs):
        """
        Check username and password correspond to a valid and active User
        """
        old_request = request
        if request and not isinstance(request, HttpRequest):
            request = HttpRequest()
            request.uri = old_request.uri
            request.method = request.http_method = old_request.http_method
            request.META = request.headers = old_request.headers
            request._params = old_request._params
            request.decoded_body = old_request.decoded_body
            request.axes_ip_address = get_client_ip_address(request)
            request.axes_user_agent = get_client_user_agent(request)
            qdbody = QueryDict(str(old_request.body), mutable=True)
            if request.method == 'GET':
                request.GET = qdbody
            elif request.method == 'POST':
                request.POST = qdbody

        u = authenticate(request=request, username=username, password=password)
        if u is not None and u.is_active and hasattr(u, 'profile'):
            request = old_request
            request.user = u
            return True
        return False

OAUTH2_PROVIDER = {
    'OAUTH2_VALIDATOR_CLASS': 'custom.app.MyOAuth2Validator',
    'SCOPES': {'read': 'Read scope', 'write': 'Write scope'},
}

[auvipy]

oAuth is designed to be worked with django rest framework etc.

[aleksihakli]

It would be ideal if the request objects it uses had the standard Django attributes so that other tools and packages could function better with them.

The request=None kwarg was added to the django.contrib.auth.authenticate a while back and people might have custom authentication backends that utilize it.

Would it be possible to add the request kwarg to the default authentication flow and add the standard Django request attributes to it? Specifically request.GET, request.POST, and request.META.

I've added a simple example on how to customize a compatible validator for the OAuth toolkit on the Axes docs, but I think updating the stock OAuth validator in the toolkit project could benefit multiple users in the long run.

[auvipy]

this package is only needed with rest based works i guess. id you need django specific then django all auyh woud be a better choice with core django without drf

[nickdjones]

@auvipy I don't think you understand what @aleksihakli is saying, django-axes is a user login security tool that inspects the request object at various points in the process and because django-oauth-toolkit doesn't use a standard django HttpRequest() it isn't possible to track API logins. It's not about changing the functionality, it's about django-oauth-toolkit and django-axes working together so that API logins can be tracked as well as website logins.

[nickdjones]

Also @aleksihakli your example validators.py doesn't work, the oauthlib.Request() class used by django-oauth-toolkit is hardcoded to error when attributes it doesn't expect are accessed https://github.com/oauthlib/oauthlib/blob/master/oauthlib/common.py#L436 so you can't add arbitrary fields to it. The example I pasted above is the only way I could get it working, by recreating a fake HttpRequest() object.

[aleksihakli]

Oh, sorry about that!

Let's try and get the example in the docs up to date then. Would you like to open a PR for the Axes docs/x_integration.rst? I can also try and update a functioning example, but I don't have a suitable test bench for checking if it works.

Are you talking about the request object when you refer to response by the way? I'm trying to verify that we are talking about the same thing. What is the exact type of the object in the runtime?

[nickdjones]

Sorry yes it is request - wrote that in a rush! OAuthLib returns oauthlib.Request() and my solution fakes a Django HttpRequest() so the attributes can be accessed properly through authenticate(). The correct oauthlib.Request() is then returned from the validator so that django-oauth-toolkit continues to function (edited my comment). I'll try and get a PR sent over today.

[aleksihakli]

Great! You can build the docs in your own environment with cd docs && make html by the way. Just install requirements with pip first, that should setup Sphinx correctly.

RTD builds the docs automatically from each commit to master in upstream so adding examples does not require a new release.

[adamchainz]

#643 should fix one error I'm seeing with axes logging errors due to missing request.

[adamchainz]

#643 is the wrong fix and the cause of this problem, my bad. Broke production for us.

[ShaheedHaque]

We just hit this. Isn't the correct fix for this issue, and also #636, and #808 the patch in #712 (comment)? IIUC:

• The django.contrib.auth.authenticate() function "wants" a request argument, and supplying one will maximise compatibility with django-axes and any other code that needs it. The current signature is:

  def authenticate(request=None, **credentials):
      """
      If the given credentials are valid, return a User object.
      """
  

  Providing the request argument will solve Request object missing from Django authentication #636.
• As @HCNick noted in his patch, we cannot use the DOT version of the request, we must use something that emulates Django's HttpRequest. That will solve AttributeError: get_full_path when running any rest_framework.test.APITestCase #808.

Finally, it seems to me that a patch like the one above (but possibly without the two axes-specific attributes?) could be applied directly to DOT code, and would work to improve the compatibility of DOT. I'd be happy to author a PR if that would help.