Restore session id (cvat-ai#905)

nmanovic · Chris Lee-Messer · commit ccb16b048836 · 2020-03-04T20:30:12.000-08:00
* Restore session id when we use token authorization.
diff --git a/cvat/apps/authentication/auth.py b/cvat/apps/authentication/auth.py
@@ -2,7 +2,6 @@
 #
 # SPDX-License-Identifier: MIT
 
-import os
 from django.conf import settings
 from django.db.models import Q
 import rules
@@ -11,6 +10,20 @@
 from rest_framework.permissions import BasePermission
 from django.core import signing
 from rest_framework import authentication, exceptions
+from rest_framework.authentication import TokenAuthentication as _TokenAuthentication
+from django.contrib.auth import login
+
+# Even with token authorization it is very important to have a valid session id
+# in cookies because in some cases we cannot use token authorization (e.g. when
+# we redirect to the server in UI using just URL). To overkill that we override
+# the class to call `login` method which restores the session id in cookies.
+class TokenAuthentication(_TokenAuthentication):
+    def authenticate(self, request):
+        auth = super().authenticate(request)
+        session = getattr(request, 'session')
+        if auth is not None and session.session_key is None:
+            login(request, auth[0], 'django.contrib.auth.backends.ModelBackend')
+        return auth
 
 def register_signals():
     from django.db.models.signals import post_migrate, post_save
diff --git a/cvat/apps/authentication/decorators.py b/cvat/apps/authentication/decorators.py
@@ -8,7 +8,7 @@
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.http import JsonResponse
 from django.conf import settings
-from rest_framework.authentication import TokenAuthentication
+from cvat.apps.authentication.auth import TokenAuthentication
 
 def login_required(function=None, redirect_field_name=REDIRECT_FIELD_NAME,
     login_url=None, redirect_methods=['GET']):
@@ -21,7 +21,6 @@ def _wrapped_view(request, *args, **kwargs):
                 tokenAuth = TokenAuthentication()
                 auth = tokenAuth.authenticate(request)
                 if auth is not None:
-                    request.user = auth[0]
                     return view_func(request, *args, **kwargs)
 
                 login_url = '{}/login'.format(settings.UI_URL)
diff --git a/cvat/settings/base.py b/cvat/settings/base.py
@@ -124,7 +124,7 @@ def generate_ssh_keys():
         'rest_framework.permissions.IsAuthenticated',
     ],
     'DEFAULT_AUTHENTICATION_CLASSES': [
-        'rest_framework.authentication.TokenAuthentication',
+        'cvat.apps.authentication.auth.TokenAuthentication',
         'cvat.apps.authentication.auth.SignatureAuthentication',
         'rest_framework.authentication.SessionAuthentication',
         'rest_framework.authentication.BasicAuthentication'
