RemoteUserAuthentication, docs, and tests by alexdutton · Pull Request #5306 · encode/django-rest-framework
Support for delegating authentication to a web server.
This is a little thing, but I thought it would be worth providing an obvious way to do it. The alternative is to use RemoteUserBackend, RemoteUserMiddleware and SessionBasedAuthentication, but then one has to mess with working out how/whether to disable CSRF protection.
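A framework-free sketch of the REMOTE_USER delegation described above, added here as an illustration and not taken from this pull request or from Django REST framework. `RemoteUserAuth`, `lookup_user` and the sample environs are hypothetical, and the `(user, None)` return value is assumed to follow DRF's authentication-class convention.

```python
"""Framework-free sketch of REMOTE_USER authentication (added illustration)."""
from typing import Mapping, Optional, Tuple

# Constructed user table standing in for the Django auth backend lookup.
USERS = {"alice": {"is_active": True}, "bob": {"is_active": False}}


def lookup_user(username: str) -> Optional[dict]:
    """Hypothetical stand-in for the backend call that maps a name to a user."""
    record = USERS.get(username)
    return {"username": username, **record} if record else None


class RemoteUserAuth:
    """Hypothetical class: accept the identity the web server already verified."""

    # WSGI key filled in by the server's auth module. Client request headers
    # arrive under HTTP_* keys, so a client-sent "Remote-User" header ends up
    # in HTTP_REMOTE_USER and is never consulted here.
    header = "REMOTE_USER"

    def authenticate(self, environ: Mapping[str, str]) -> Optional[Tuple[dict, None]]:
        username = environ.get(self.header)
        if not username:
            return None  # server did not authenticate this request
        user = lookup_user(username)
        if user is None or not user["is_active"]:
            return None  # unknown or deactivated account
        return (user, None)  # (user, auth) pair; there is no token


# Constructed WSGI environs, labelled by what each one exercises.
SAMPLES = {
    "server_authenticated": {"REMOTE_USER": "alice"},
    "client_header_only": {"HTTP_REMOTE_USER": "alice"},
    "inactive_account": {"REMOTE_USER": "bob"},
    "unknown_account": {"REMOTE_USER": "mallory"},
}


def run_samples() -> dict:
    """Return the authenticated username (or None) for each sample environ."""
    auth = RemoteUserAuth()
    results = {}
    for name, environ in SAMPLES.items():
        outcome = auth.authenticate(environ)
        results[name] = outcome[0]["username"] if outcome else None
    return results
```

Only the environ in which the server itself set `REMOTE_USER` for an active account yields a user; the request carrying just a client-supplied header is left unauthenticated.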
alexdutton added a commit to alexdutton/idm-core that referenced this pull request
This is great - nice & tidy.
Normally we'd try to push something like this into a third party package. Even tho the implementation is small, there's still the extra overhead of docs and tests that it introduces to the project. I'm somewhat in two minds tho, since it really is a small implementation.
Not sure what the rest of the team think?
I'm in favor of the change. The PR seems straightforward and exposes builtin behavior. That said, I don't use remote user authentication and can't really review the PR.
Ah nice, I didn't even know about REMOTE_USER in Django at all. Although simple enough, IMHO I'd rather see this be its own third party package instead. Seems like one of those things that I haven't heard of many people using, so not a big fan of adding to core, but I might be wrong.
My argument in favour of inclusion 😁: I'll agree it's a bit more "traditional" to use e.g. apache for authentication, but REMOTE_USER support does open up a number of possibilities that don't necessarily have mature implementations in Python or as drf auth classes. It's an enabling thing that mirrors functionality available in Django core. In the team in which I work, API authentication is mostly a configuration management, so pushing it out of the application like this is seen as a Good Thing (though obviously other viewpoints/drivers exist).
I'm definitively in favor of adding this to prevent some weird workarounds in developer's code base.