
Login View Requiring Authenticated User #9

Closed
blaklites opened this issue Jan 21, 2016 · 5 comments

Comments

@blaklites
Contributor

I have seen this discussed in #7

I would like to share my point of view and an alternative solution here :) :).

The LoginView we have right now requires the user to be authenticated in the first place. This means, first the user has to pass a valid Token (somehow obtained earlier) in the HTTP Authorization Header or have a Valid Session, etc in order to pass permission classes in https://github.com/James1345/django-rest-knox/blob/master/knox/views.py#L16.

Is this the desired behavior for a Login View or API? Shouldn't we allow users who are not authenticated yet to pass credentials, authenticate the credentials and finally log in the user? So the LoginView will take in credentials like username, password etc., authenticate the credentials, and finally create an AuthToken and return the response.

@mogverse

True! I have overridden the view for my application and removed the permission.

@James1345
Member

No.

I must emphasize, that this is a Stateless system. It is designed for use with single page applications and mobile apps.

The LoginView is the POST endpoint for the user's credentials (e.g. username and password). The page that the user enters these into can be accessed without any form of login, as it should be static content.

When these credentials are authenticated by the auth system (e.g. BasicAuth), the LoginView returns a token that can be used as the auth from that device for all other views.

Removing the permission from LoginView would allow anyone to acquire an AuthToken whether they had authenticated or not.

If this is still unclear let me know. Please do not remove authentication from LoginView in your apps though, I'd hate for security problems to happen due to a misunderstanding.

@blaklites
Contributor Author

@James1345 Ok I just analyzed how you implemented this, now I get it :)

@mogverse

@James1345 In my case I had a CAS SSO login, so I just verify a service ticket and then generate the token like you have done in the view and return the token in response. Mine is a custom implementation.

@screwt

screwt commented Feb 21, 2016

It's not clear to my mind.
Could you provide a sequential example following this scheme, or a sequence graph?
(Sequence graph example: https://upload.wikimedia.org/wikipedia/commons/9/9b/CheckEmail.svg)

UnAuthed User --> POST user/pass --> Which endPoint should be used?
Returns token if auth ok <--

Thank you for your help.
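The sequence James1345 describes above, and the one screwt asks about, as an added stand-alone Python sketch that is not knox's or Django's code: the unauthenticated client POSTs its username and password to the login endpoint in an HTTP Basic header, that endpoint issues a token only once those credentials authenticate, and every later request presents `Authorization: Token ...`. The user store, the `require_auth` switch (modelling the permission removal discussed above) and the token digest scheme are assumptions for the demo, not knox's implementation.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed user store: username -> salted password hash (demo only, not knox's schema).
_SALT = b"demo-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 10_000)}
# Issued tokens keyed by the SHA-256 digest of the token; the raw token is never stored.
TOKENS = {}


def check_basic(headers):
    """Stand-in for DRF BasicAuthentication on the login request: returns username or None."""
    scheme, _, payload = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, pw = base64.b64decode(payload).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 10_000)
    return user if user in USERS and hmac.compare_digest(digest, USERS[user]) else None


def login_view(headers, require_auth=True):
    """POST /login: mint a token. require_auth=False models removing IsAuthenticated."""
    user = check_basic(headers)
    if require_auth and user is None:
        return 401, {"detail": "Authentication credentials were not provided."}
    token = secrets.token_hex(32)          # returned once, in this response only
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = user  # user is None if unauthenticated
    return 200, {"token": token}


def check_token(headers):
    """Stand-in for knox TokenAuthentication on every other view."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Token":
        return None
    return TOKENS.get(hashlib.sha256(token.encode()).hexdigest())


def protected_view(headers):
    user = check_token(headers)
    return (200, {"user": user}) if user else (401, {"detail": "Invalid token."})


def basic_header(user, pw):
    """Build the header a client sends to the login endpoint."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}
```

With `require_auth=False` the login endpoint still returns 200 and a token to a request carrying no credentials at all, which is the failure James1345 warns about.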
