[Django] #33513: Custom authentication class: raising AuthenticationFailed leads to 403


Django

Feb 14, 2022, 10:13:19 AM
to django-...@googlegroups.com
#33513: Custom authentication class: raising AuthenticationFailed leads to 403
----------------------------------------+--------------------------------
Reporter: Wissperwind | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 3.2
Severity: Normal | Keywords: authentication
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+--------------------------------
Hi,
I am writing a custom authentication class. I overwrite:

**def authenticate(self, request):**

If a user is not authenticated I do:
**raise exceptions.AuthenticationFailed(_('Invalid token.'))**
I expect that Django returns a 401. But Django returns 403 like I were in
has_permission(). But I am in authenticate() for sure and if there this
exception is raised Django should return a 401!

My custom auth class inherits from BaseAuthentication:
from rest_framework.authentication import BaseAuthentication

--
Ticket URL: <https://code.djangoproject.com/ticket/33513>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Feb 14, 2022, 10:14:15 AM
to django-...@googlegroups.com
#33513: Custom authentication class: raising AuthenticationFailed leads to 403
--------------------------------+--------------------------------------
Reporter: Wissperwind | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 3.2
Severity: Normal | Resolution:
Keywords: authentication | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Description changed by Wissperwind:

Old description:

> Hi,
> I am writing a custom authentication class. I overwrite:
>
> **def authenticate(self, request):**
>
> If a user is not authenticated I do:
> **raise exceptions.AuthenticationFailed(_('Invalid token.'))**
> I expect that Django returns a 401. But Django returns 403 like I were in
> has_permission(). But I am in authenticate() for sure and if there this
> exception is raised Django should return a 401!
>
> My custom auth class inherits from BaseAuthentication:
> from rest_framework.authentication import BaseAuthentication

New description:

Hi,
I am writing a custom authentication class. I overwrite:

**def authenticate(self, request):**

If a user is not authenticated I do:
**raise exceptions.AuthenticationFailed(_('Invalid token.'))**

I expect that Django returns a 401. But Django returns 403 like if I were
in has_permission(). But I am in authenticate() for sure and if there this
exception is raised Django, should return a 401!

My custom auth class inherits from BaseAuthentication:
from rest_framework.authentication import BaseAuthentication

--
Ticket URL: <https://code.djangoproject.com/ticket/33513#comment:1>

Django

Feb 14, 2022, 10:15:07 AM
to django-...@googlegroups.com
#33513: Custom authentication class: raising AuthenticationFailed leads to 403
--------------------------------+--------------------------------------
Reporter: Wissperwind | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 3.2
Severity: Normal | Resolution:
Keywords: authentication | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Description changed by Wissperwind:

Old description:

> Hi,
> I am writing a custom authentication class. I overwrite:
>
> **def authenticate(self, request):**
>
> If a user is not authenticated I do:
> **raise exceptions.AuthenticationFailed(_('Invalid token.'))**
>
> I expect that Django returns a 401. But Django returns 403 like if I were
> in has_permission(). But I am in authenticate() for sure and if there
> this exception is raised Django, should return a 401!
>
> My custom auth class inherits from BaseAuthentication:
> from rest_framework.authentication import BaseAuthentication

New description:

Hi,
I am writing a custom authentication class. I overwrite:

**def authenticate(self, request):**

If a user is not authenticated I do:
**raise exceptions.AuthenticationFailed(_('Invalid token.'))**

I expect that Django returns a 401. But Django returns 403 like if I were
in has_permission(). But I am in authenticate() for sure. And if in this
method this exception is raised Django, should return a 401!

My custom auth class inherits from BaseAuthentication:
from rest_framework.authentication import BaseAuthentication

--
Ticket URL: <https://code.djangoproject.com/ticket/33513#comment:2>

Django

Feb 14, 2022, 10:24:20 AM
to django-...@googlegroups.com
#33513: Custom authentication class: raising AuthenticationFailed leads to 403
--------------------------------+--------------------------------------
Reporter: Aurel | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 3.2
Severity: Normal | Resolution:
Keywords: authentication | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------

Comment (by Aurel):

Well, ok, you also need to overwrite / implement "def
authenticate_header(self, request):". Otherwise a 403 is returned. This
does not make sense to me. Why does Django change to 403 only if there is no
authenticate header? 403 means you are identified, but not allowed to get
in...

--
Ticket URL: <https://code.djangoproject.com/ticket/33513#comment:3>
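
A stand-alone model of the behaviour described in the comment above, added here as an example; it is not code from the ticket, Django or Django REST framework. It mirrors the rule in DRF's view exception handling: an authentication failure is sent as 401 only when the first configured authenticator's authenticate_header() returns a value for WWW-Authenticate, otherwise it is coerced to 403. The token value, the realm and the dispatch() helper are constructed for illustration.

```python
# Stand-alone model of the 401-vs-403 rule; imports neither Django nor DRF.
# Class and method names mirror DRF's, the bodies are simplified assumptions.

class AuthenticationFailed(Exception):
    status_code = 401


class BaseAuthentication:
    def authenticate(self, request):
        raise NotImplementedError

    def authenticate_header(self, request):
        return None  # no challenge by default, as in DRF's base class


class TokenAuthNoChallenge(BaseAuthentication):
    """The ticket's situation: only authenticate() is overridden."""

    def authenticate(self, request):
        # "good-token" is a constructed sample credential.
        if request.get("Authorization") != "Token good-token":
            raise AuthenticationFailed("Invalid token.")
        return ("alice", "good-token")


class TokenAuthWithChallenge(TokenAuthNoChallenge):
    def authenticate_header(self, request):
        return 'Token realm="api"'  # becomes the WWW-Authenticate value


def dispatch(authenticators, request):
    """Return (status, headers) as the view's exception handling decides."""
    try:
        for auth in authenticators:
            if auth.authenticate(request) is not None:
                return 200, {}
        return 200, {}  # anonymous; permission checks are not modelled here
    except AuthenticationFailed as exc:
        # Only the FIRST configured authenticator is asked for a challenge.
        challenge = authenticators[0].authenticate_header(request)
        if challenge:
            return exc.status_code, {"WWW-Authenticate": challenge}
        return 403, {}  # nothing to put in WWW-Authenticate: coerced to 403
```

Because only the first authenticator supplies the challenge, the order of the configured authentication classes decides which status a client sees, which matters for clients that re-authenticate on 401 but not on 403.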

Django

Feb 14, 2022, 10:34:11 AM
to django-...@googlegroups.com
#33513: Custom authentication class: raising AuthenticationFailed leads to 403
--------------------------------+--------------------------------------
Reporter: Aurel | Owner: nobody
Type: Bug | Status: closed
Component: contrib.auth | Version: 3.2
Severity: Normal | Resolution: invalid
Keywords: authentication | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => invalid


Comment:

`rest_framework.authentication.BaseAuthentication` is not a builtin
backend. Please check docs about
[https://docs.djangoproject.com/en/4.0/topics/auth/customizing/#writing-an-authentication-backend Writing an authentication backend]
and if you're having trouble understanding how Django works, see
TicketClosingReasons/UseSupportChannels for ways to get help.

--
Ticket URL: <https://code.djangoproject.com/ticket/33513#comment:4>
