2

Currently I have the following code to handle an incoming GET request:

#view.py
def handle_request(request):

    if request.method == 'GET':
        <do something>
        return response

this code can handle a simple GET request the form:

curl http://some_url/

But now I want to add basic http authentication:

curl --user username:password http://some_url/

I want to modify my views.py code to look like:

def handle_request(request):

    if request.method == 'GET':
        if username == some_hard_coded_approved_username and password == corresponding_password:
            <do something>
            return response
        else:
            response = HttpResponse("")
            response.status_code = 401
            return response

How do I implement this line to parse username and password from http request:

if username == some_hard_coded_approved_username and password == corresponding_password:
D_M
  • 87
  • 10
  • try request.META['username'] and check – Exprator Mar 20 '18 at 05:58
  • I added print(request.META['username']) to my views.ppy but this just led to a 500 error – D_M Mar 20 '18 at 06:16
  • you need to put it after the request.method=GET line – Exprator Mar 20 '18 at 06:19
  • No progress @Exprator, I put it after the method == GET line. This is the curl command I am using: curl --user dusername:dpassword http://some_url/ – D_M Mar 20 '18 at 06:23
  • you need to use username=username and password=password in the curl – Exprator Mar 20 '18 at 06:25
  • @Exprator I have now sent the following curl request and I'm still getting the same error: curl -u username=duser:password=dpass http://some_url. I have also sent a GET request with basic HTTP auth using Postman but even then I'm getting a 500 error. – D_M Mar 20 '18 at 06:37
  • I printed request.META -- there's no username field, in fact there's no field where the username I have entered in the curl command is given @Exprator – D_M Mar 20 '18 at 06:45

2 Answers2

0

You should assign the user a certain permission. Check if the user is authenticated and he have the permission or not. If the above condition holds true then you should execute the block of code.

Something like this:

def handle_request(request):

if request.method == 'GET':
    if request.user.is_authenticated and user.has_perm('custom_permission'):
        <do something>
        return response
    else:
        response = HttpResponse("")
        response.status_code = 401
        return response

You should avoid using username and password directly in code because if you put it in any vcs, anyone can see your user's password and hack in to your system.

For django permissions please go here

subha.py
  • 463
  • 3
  • 18
  • This is not the solution I am looking for. I want the user to be able to use a single command line instruction to access my server and I want to be able to authenticate the user using the information in the one-line command instruction – D_M Mar 20 '18 at 06:43
  • If I were to use this solution then first the user would have to log in on my website and then use information from cookies to authenticate himself/herself when making a GET request in the command line. – D_M Mar 20 '18 at 06:44
0

Solved:

for the following command:

curl -H "Authorization: username_in_curl_cmd password_in_curl_cmd" http_url

The following code handles basic http auth:

#views.py
def handle_request(request):

    if 'HTTP_AUTHORIZATION' in request.META:
        [user, password] = request.META['HTTP_AUTHORIZATION'].split(" ")
        # user = username_in_curl_cmd
        # password = password_in_curl_cmd

        if user == some_enivorment_variable and password == some_enivorment_variable
    and request.method == 'GET':
            <do something>
            return response

    return 401 response

@Exprator's comments pointed me in the right direction. The challenge was figuring out that 'HTTP_' is prepended to the header and that the header is converted to uppercase.

D_M
  • 87
  • 10