how to retrieve user from token and able to do curl calls only when admin is logged in #65

Closed
ajay2611 opened this issue Jul 30, 2016 · 15 comments
Comments

@ajay2611

ajay2611 commented Jul 30, 2016

Hi Philip,
I'm a little new to DRF and OAuth2, so this might be a silly question again.
I need your help to understand this.

I've successfully authenticated a user from Facebook, but I'm not able to validate the same in the application.
Whenever I hit http://localhost:8000/users/user/1/
I get HTTP 401 Unauthorized.
Attached is views.py for the user model (views.txt). I'm not able to get the user from the supplied token.

So, can you help me with how to get the user from the token? Thanks in advance!

@ajay2611
Author

ajay2611 commented Jul 30, 2016

When the admin is logged out, I get this issue for all calls.

import requests

url = "http://localhost:8000/users/user/"
headers = {
    "Authorization": "Bearer B2U31DBAqlCCfhEztfCTPPiWnIcnWn",
}
response = requests.post(url, headers=headers)
print(response.status_code)
print(response.text)

This gives me the attached error.
(screenshot attached, 2016-07-31)

@ajay2611 ajay2611 changed the title grant type password isn't working and need help in retrieving user how to retrieve user from token Jul 30, 2016
@ajay2611
Author

It doesn't show this error when I've logged in as admin, but as soon as I log out, it starts to throw this error for all URLs or curl calls.

@ajay2611 ajay2611 changed the title how to retrieve user from token how to retrieve user from token and able to do curl calls only when admin is logged in Jul 30, 2016
@PhilipGarnero
Collaborator

I think you are missing the 'oauth2_provider.ext.rest_framework.OAuth2Authentication' authentication class on your views. I see that you've imported it but it isn't used.
Try putting authentication_classes = (SocialAuthentication, OAuth2Authentication, ) on both views.

@ajay2611
Author

I did that earlier and again now, but it's still the same issue. If I log in as admin and then go to localhost:8000, it works. But if I log out and then hit localhost:8000, it throws the same error as attached above.

@ajay2611
Author

I'm using Django version 1.8.3 with Python 3.4. Attaching my settings.py as well (settings.txt).

@ajay2611 ajay2611 reopened this Jul 31, 2016
@PhilipGarnero
Collaborator

You have 'rest_framework.permissions.IsAuthenticated' in your REST framework authentication classes.
This is a permission class, not an authentication class. This is probably it, so remove it.
Considering you're also using session authentication and that it is above in the list, that's probably why it works when you're logged in as an admin.
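The settings.txt attachment itself is not on this page, so the two REST_FRAMEWORK dicts below are reconstructed from what the thread says about it (a permission class in the authentication list, session authentication listed first, an admin-only default permission); the IsAdminUser path is an assumption for Philip's "isadmin permission". The lint function is an added example, not code from the issue, DRF or django-rest-framework-social-oauth2: a small offline sanity check that flags exactly these mix-ups before the settings ever reach Django.

```python
from typing import Dict, List, Sequence

AUTH_KEY = "DEFAULT_AUTHENTICATION_CLASSES"
PERM_KEY = "DEFAULT_PERMISSION_CLASSES"
PERMISSION_MODULE = "rest_framework.permissions."  # DRF's built-in permission classes live here

# Reconstructed from the thread (the real settings.txt is not on the page):
# a permission class in the authentication list, SessionAuthentication first,
# and IsAdminUser (assumed) locking the whole API to staff accounts.
BROKEN_REST_FRAMEWORK: Dict[str, Sequence[str]] = {
    AUTH_KEY: (
        "rest_framework.authentication.SessionAuthentication",
        "rest_framework.permissions.IsAuthenticated",
        "oauth2_provider.ext.rest_framework.OAuth2Authentication",
        "rest_framework_social_oauth2.authentication.SocialAuthentication",
    ),
    PERM_KEY: ("rest_framework.permissions.IsAdminUser",),
}

# The corrected shape: only authenticators in the auth list, token-based
# classes ahead of SessionAuthentication, IsAuthenticated as the default gate.
FIXED_REST_FRAMEWORK: Dict[str, Sequence[str]] = {
    AUTH_KEY: (
        "oauth2_provider.ext.rest_framework.OAuth2Authentication",
        "rest_framework_social_oauth2.authentication.SocialAuthentication",
        "rest_framework.authentication.SessionAuthentication",
    ),
    PERM_KEY: ("rest_framework.permissions.IsAuthenticated",),
}


def lint_rest_framework(settings: Dict[str, Sequence[str]]) -> List[str]:
    """Return human-readable problems; an empty list means the config is sane."""
    problems: List[str] = []
    auth_classes = tuple(settings.get(AUTH_KEY, ()))
    # DRF's own default when the key is absent is AllowAny.
    perm_classes = tuple(settings.get(PERM_KEY, ("rest_framework.permissions.AllowAny",)))

    for path in auth_classes:
        if path.startswith(PERMISSION_MODULE):
            problems.append(f"{path} is a permission class, not an authenticator; remove it from {AUTH_KEY}")

    if auth_classes and perm_classes == ("rest_framework.permissions.AllowAny",):
        problems.append(f"{AUTH_KEY} is set but {PERM_KEY} allows anyone; unauthenticated calls reach views as AnonymousUser")

    if "rest_framework.permissions.IsAdminUser" in perm_classes:
        problems.append("IsAdminUser as the default permission rejects every social-login user (they are not staff unless you set it)")

    if len(auth_classes) > 1 and auth_classes[0] == "rest_framework.authentication.SessionAuthentication":
        problems.append("SessionAuthentication is first, so API clients that fail to authenticate get 403 instead of a 401 challenge")

    return problems
```

Run `lint_rest_framework(BROKEN_REST_FRAMEWORK)` to see the three findings, and the fixed dict to see none. The ordering check matters because DRF takes the WWW-Authenticate challenge from the first authenticator in the list, and SessionAuthentication has none.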

@ajay2611
Author

ajay2611 commented Aug 2, 2016

That worked, but I wasn't using session authentication in my views.py, so I don't know how that was working with the admin being logged in.
One more thing: even after doing authentication_classes = (SocialAuthentication, OAuth2Authentication, ),
I'm getting 401 Unauthorized.
Do I need to write my views like http://www.django-rest-framework.org/tutorial/3-class-based-views/#rewriting-our-api-using-class-based-views
and use the request object to authenticate and get the user object?

@PhilipGarnero
Collaborator

It was used in your settings.py

About your 401 responses, I'm not sure. I don't have all the elements to help you.

@ajay2611
Author

ajay2611 commented Aug 2, 2016

What files/code snippets do you need for this? I'll be really grateful if you can help me out on this.

I've already shared my settings.py and views.py

@PhilipGarnero
Collaborator

Could you show me the whole process?
I mean, the token conversion and the request that isn't working.

By the way, I've noticed that you are restricting your API with the isadmin permission in your settings.py.
If the user was created using a Facebook token, there is no way that he would end up being an admin without you explicitly setting it.

@ajay2611
Author

ajay2611 commented Aug 2, 2016

Token conversion is working fine.
The process I'm following is like this:
Get a token using the JS SDK from Facebook (FB_TOKEN) -> pass that token to /auth/convert-token -> the user is saved/created and I get an access token (ACCESS_TOKEN) along with a refresh_token.
Now, this ACCESS_TOKEN should be used by my Angular app for further API calls.

Current issue after commenting out isAdminPermission:
If I hit http://localhost:8000/users/user/1 with or without ACCESS_TOKEN in my Authorization header, I get results.
I've used authentication_classes = (SocialAuthentication, OAuth2Authentication, ) as attached in my views.py.
I've also attached my settings.py for reference.

What am I missing?
Thanks in advance.
settings.txt
views.txt


Regards,
Ajay

@PhilipGarnero
Collaborator

Open the file lib/python3.4/site-packages/oauth2_provider/ext/rest_framework/authentication.py in your virtualenv and print something on the first line of the authenticate function.
Then proceed with your request again. If nothing is printed, that means the authentication backend is not used.

If it is printed, I have no clue and we'll have to investigate by printing the request headers to begin with.

@ajay2611
Author

ajay2611 commented Aug 3, 2016

valid, r = oauthlib_core.verify_request(request, scopes=[])
returns valid=False in the case of no token, and the flow goes to rest_framework_social_oauth2/authentication.py, which also returns valid=False as expected.
But the code returns to my view, which creates an anonymous user and returns data. Ideally, the code flow should reach my views only when it's authenticated. One thing I can do is put a check for an anonymous user in my views and return 401 then.
Is there any other way in which the library can directly give back a 401 response and not create an anonymous user?

@PhilipGarnero
Collaborator

Yes, simply add the rest_framework.permissions.IsAuthenticated permission to your view and it should return a 401 directly instead of sending an anonymous user to your view.
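The three things observed in this thread (everything "works" while the browser is logged into /admin/, anonymous requests reaching the view once the permission class is gone, and IsAuthenticated turning them into a 401) all follow from how DRF chains authentication classes and permission classes. What follows is an added example, not code from the issue, DRF or django-rest-framework-social-oauth2: a pared-down, stand-alone model of that pipeline. The User/Request dataclasses, the two authenticator stand-ins, the token value and the usernames are constructed for the demo; the real classes live in rest_framework.authentication, oauth2_provider and rest_framework_social_oauth2.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


ANONYMOUS = User("AnonymousUser", is_authenticated=False)


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)
    # Stands in for a Django session cookie: set when the browser is logged
    # into /admin/, None for curl or a logged-out browser.
    session_user: Optional[User] = None
    user: User = ANONYMOUS
    successful_authenticator: object = None


class SessionAuthentication:
    """Identifies a user from the Django session; never issues a challenge."""

    def authenticate(self, request: Request):
        if request.session_user is None:
            return None
        return request.session_user, None

    def authenticate_header(self, request: Request):
        return None  # no WWW-Authenticate value, so DRF downgrades 401 to 403


class OAuth2Authentication:
    """Identifies a user from 'Authorization: Bearer <token>'."""

    def __init__(self, token_store: Dict[str, str]):
        self.token_store = token_store  # token -> username; constructed for the demo

    def authenticate(self, request: Request):
        scheme, _, token = request.headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or token not in self.token_store:
            return None  # missing or unknown token: "not mine", the next class may try
        return User(self.token_store[token]), token

    def authenticate_header(self, request: Request):
        return 'Bearer realm="api"'


class AllowAny:  # DRF's default when no permission class is configured
    def has_permission(self, request: Request) -> bool:
        return True


class IsAuthenticated:
    def has_permission(self, request: Request) -> bool:
        return request.user.is_authenticated


def dispatch(request: Request, authenticators: Sequence, permissions: Sequence) -> Tuple[int, Optional[str]]:
    """Return (status, detail) roughly as APIView.initial()/handle_exception() would."""
    # 1. Authentication only identifies. The first class returning a user wins;
    #    if all return None the view still runs, with request.user = AnonymousUser.
    for authenticator in authenticators:
        result = authenticator.authenticate(request)
        if result is not None:
            request.user, _ = result
            request.successful_authenticator = authenticator
            break
    # 2. Permissions deny. With no permission class nothing is ever refused.
    for permission in permissions:
        if permission.has_permission(request):
            continue
        if authenticators and request.successful_authenticator is None:
            # NotAuthenticated: 401 only if the FIRST authenticator supplies a
            # WWW-Authenticate challenge, otherwise 403 Forbidden.
            challenge = authenticators[0].authenticate_header(request)
            return (401, challenge) if challenge else (403, None)
        return 403, None
    return 200, request.user.username


def scenarios() -> Dict[str, Tuple[int, Optional[str]]]:
    oauth2 = OAuth2Authentication({"demo-access-token": "fb_user_1"})  # constructed token
    session = SessionAuthentication()
    admin = User("admin")
    bearer = {"Authorization": "Bearer demo-access-token"}
    return {
        # Browser logged into /admin/, no token, no permission class: works via the session.
        "admin_session_no_permission": dispatch(Request(session_user=admin), [session, oauth2], [AllowAny()]),
        # curl, no token, no permission class: the view runs as AnonymousUser.
        "logged_out_no_permission": dispatch(Request(), [session, oauth2], [AllowAny()]),
        # IsAuthenticated added, OAuth2Authentication first: a proper 401 with a challenge.
        "logged_out_is_authenticated": dispatch(Request(), [oauth2, session], [IsAuthenticated()]),
        # Same request, SessionAuthentication first: the refusal comes back as 403.
        "logged_out_session_first": dispatch(Request(), [session, oauth2], [IsAuthenticated()]),
        # Valid bearer token from convert-token: identified and allowed through.
        "valid_bearer": dispatch(Request(headers=bearer), [oauth2, session], [IsAuthenticated()]),
        # Unknown token: treated like no token at all.
        "bad_bearer": dispatch(Request(headers={"Authorization": "Bearer nope"}), [oauth2, session], [IsAuthenticated()]),
    }
```

`scenarios()` returns the status each request would get. The practical takeaways match the thread: authentication_classes alone never reject anything, a permission class is what turns an anonymous request into an error, and whether that error is 401 or 403 depends on which authenticator is listed first.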

@ajay2611
Author

ajay2611 commented Aug 4, 2016

It's fixed. You've been a great help, Philip. Integration would have been easy if I had slightly more experience in DRF. I will recommend this library to everyone.
Also, I'd like to contribute to this library in any way I can.
