Add middleware for requiring authentication (#760)

minvws · Apr 19, 2023 · 3bddf98 · 3bddf98
1 parent 44af5ea
commit 3bddf98
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 23 deletions.
diff --git a/rocky/account/mixins.py b/rocky/account/mixins.py
@@ -29,10 +29,6 @@ def __init__(self, *args, **kwargs):
     def setup(self, request, *args, **kwargs):
         super().setup(request, *args, **kwargs)
 
-        # authentication/otp flow happens before setup
-        if not request.user.is_authenticated:
-            return
-
         organization_code = kwargs["organization_code"]
         try:
             self.organization = Organization.objects.get(code=organization_code)

diff --git a/rocky/katalogus/views/mixins.py b/rocky/katalogus/views/mixins.py
@@ -51,9 +51,6 @@ def setup(self, request, *args, **kwargs):
             )
 
     def dispatch(self, request, *args, **kwargs):
-        if request.user.is_anonymous:
-            return redirect(reverse("login"))
-
         if not self.plugin:
             return redirect(reverse("katalogus", kwargs={"organization_code": self.organization.code}))
 

diff --git a/rocky/rocky/middleware/auth_required.py b/rocky/rocky/middleware/auth_required.py
@@ -0,0 +1,36 @@
+from django.shortcuts import redirect
+from django.urls.base import reverse
+
+
+def AuthRequiredMiddleware(get_response):
+    def middleware(request):
+        login_path = reverse("login")
+        email_recovery_path = reverse("recover_email")
+        password_recovery_path = reverse("password_reset")
+        home_path = reverse("landing_page")
+        lang_path = reverse("set_language")
+        privacy_statement = reverse("privacy_statement")
+
+        if not request.user.is_authenticated:
+            if (
+                not request.path.startswith("/account/reset/")
+                # There won't be a request.user if auth tokens are used, but
+                # Django REST framework will make sure that there is an
+                # authenticated user with out DEFAULT_PERMISSION_CLASSES setting
+                and not request.path.startswith("/api/")
+                and request.path
+                not in (
+                    "/",
+                    home_path,
+                    login_path,
+                    lang_path,
+                    email_recovery_path,
+                    password_recovery_path,
+                    privacy_statement,
+                )
+            ):
+                return redirect(login_path)
+
+        return get_response(request)
+
+    return middleware
diff --git a/rocky/rocky/settings.py b/rocky/rocky/settings.py
@@ -106,6 +106,7 @@
     "django.middleware.csrf.CsrfViewMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django_otp.middleware.OTPMiddleware",
+    "rocky.middleware.auth_required.AuthRequiredMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "rocky.middleware.onboarding.OnboardingMiddleware",

diff --git a/rocky/tests/account/test_login.py b/rocky/tests/account/test_login.py
@@ -2,7 +2,7 @@
 from django.contrib.auth.middleware import AuthenticationMiddleware
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.test import Client
-from pytest_django.asserts import assertContains, assertNotContains
+from pytest_django.asserts import assertContains
 
 
 def test_login_view(rf, clientuser):
@@ -23,46 +23,46 @@ def test_login(superuser):
     client = Client()
 
     response = client.post(
-        "/account/login/",
-        {"auth-username": "[email protected]", "auth-password": "TestTest123!!", "login_view-current_step": "auth"},
+        "/login/",
+        {
+            "auth-username": "[email protected]",
+            "auth-password": "TestTest123!!",
+            "login_rocky_view-current_step": "auth",
+        },
     )
 
     assert response.status_code == 200
-    assertNotContains(response, "Explanation:")
-    assertContains(response, "Login")
     assertContains(response, "Error")
-    assertContains(response, "Please enter a correct email and password.")
+    assertContains(response, "Please enter a correct email address and password.")
 
     response = client.post(
-        "/account/login/",
-        {"auth-username": "[email protected]", "auth-password": "Test!!", "login_view-current_step": "auth"},
+        "/login/",
+        {"auth-username": "[email protected]", "auth-password": "Test!!", "login_rocky_view-current_step": "auth"},
     )
 
     assert response.status_code == 200
-    assertNotContains(response, "Explanation:")
     assertContains(response, "Login")
     assertContains(response, "Error")
-    assertContains(response, "Please enter a correct email and password.")
+    assertContains(response, "Please enter a correct email address and password.")
 
     response = client.post(
-        "/account/login/",
+        "/login/",
         {
             "auth-username": superuser.email,
             "auth-password": "SuperSuper123!!",
-            "login_view-current_step": "auth",
+            "login_rocky_view-current_step": "auth",
         },
     )
 
     assert response.status_code == 200
 
     assertContains(response, "Explanation:")
-    assertContains(response, "Login")
     assertContains(response, "Please enter the token generated by your token generator.")
     assertContains(response, "Submit")
 
     response = client.post(
-        "/account/login/",
-        {"token-otp_token": "123456", "login_view-current_step": "token"},
+        "/login/",
+        {"token-otp_token": "123456", "login_rocky_view-current_step": "token"},
     )
 
     assert response.status_code == 200

diff --git a/rocky/tests/test_core.py b/rocky/tests/test_core.py
@@ -4,6 +4,7 @@ def test_root(client):
     assert response.headers["Location"] == "/en/"
 
 
-def test_404(client):
+def test_404(client, clientuser):
+    client.force_login(clientuser)
     response = client.get("/en/does/not/exist/")
     assert response.status_code == 404