[Answer]-Django – per url authentication?

1👍

Django has a login_required decorator you can use for this.
You can map URLs to views such that certain URLs require login and others don’t.

👤lmc

0👍

I wouldn’t put the username and password in the URL of the request. That stuff can be seen in plaintext. This also leads me to believe that your iOS app caches my username and password. Which is a security risk in itself.

According to your current middleware logic, you are still logging in the user. It also looks like you’re logging in the user per URL for the iOS requests, creating a new session per login/URL.

If your app doesn’t support HTTP cookies then passing a key or token of some sort is the best way, essentially the same as a cookie but doing it manually. I would try to leverage Django’s session and auth as much as possible. In the iOS app I would collect the username and password and call login right after. Ideally it would return a long-lasting session (https://docs.djangoproject.com/en/dev/topics/http/sessions/#django.contrib.sessions.backends.base.SessionBase.set_expiry) to the iOS app and the app will ONLY store the returned session key. Which is what you would use for auth in place of username/password credentials for all other requests. The session won’t die if the phone loses reception as long as the phone retains the session key; the session doesn’t live on the phone, it lives on the server.

If possible I would attach the session key in the headers of all the requests after (for the sake of this example I’ll call the header DJANGO_SESSION_KEY), that way it’s in the same place for all types of requests (POST, GET, PUT, etc.).

Then I would extend Django’s session middleware and rewrite the process_request function. In the version of Django I’m using (1.5), I would change the line that looks for the session_key in the process_request function.

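from importlib import import_module
from django.conf import settings
from django.contrib.sessions.middleware import SessionMiddleware

class MySessionMiddleware(SessionMiddleware):
    def process_request(self, request):
        engine = import_module(settings.SESSION_ENGINE)
        # Use the session cookie if present, otherwise fall back to the DJANGO_SESSION_KEY header
        session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME, request.META.get('HTTP_DJANGO_SESSION_KEY'))
        request.session = engine.SessionStore(session_key)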

I would then use this custom extended session middleware in lieu of django’s in the settings.py.

Then your custom middleware comes in, defined at the end of the request middleware chain.

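from django.http import HttpResponse, HttpResponseRedirect

def process_request(self, request):
    if request.path != '/accounts/login/' and request.user.is_anonymous():
        # request.META is a dict; Content-Type is stored there without the HTTP_ prefix
        if request.META.get('CONTENT_TYPE') == 'application/json' or request.META.get('HTTP_ACCEPT') == 'application/json':
            # return json error response
            return HttpResponse('{"error": "authentication required"}', status=401, content_type='application/json')
        # return error redirect
        return HttpResponseRedirect('/accounts/login/')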
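
The flow this answer describes (log in once, keep only the returned session key, send it in a header on every later request), as an added example that is not part of the original post and is not Django code. `SessionStore`, `session_key_from`, `authorize` and `EXEMPT_PATHS` are hypothetical names, and an in-memory dict stands in for Django's server-side session backend so the sketch runs without Django.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE_NAME = "sessionid"            # Django's default session cookie name
SESSION_HEADER = "HTTP_DJANGO_SESSION_KEY"   # the answer's header as it appears in request.META
EXEMPT_PATHS = {"/accounts/login/"}          # URLs that do not require authentication

class SessionStore:
    """In-memory stand-in for a server-side session backend (assumption)."""

    def __init__(self):
        self._sessions = {}  # session key -> (username, expiry timestamp)

    def create(self, username, max_age):
        # Called once after a successful login; only this opaque key goes to the app.
        key = secrets.token_urlsafe(32)
        self._sessions[key] = (username, time.time() + max_age)
        return key

    def user_for(self, key, now=None):
        entry = self._sessions.get(key)
        if entry is None:
            return None                      # unknown or already expired key
        username, expires = entry
        if (time.time() if now is None else now) >= expires:
            del self._sessions[key]          # expire on the server, not on the phone
            return None
        return username

def session_key_from(meta):
    """Cookie first, then header: the same precedence as MySessionMiddleware."""
    cookie = SimpleCookie(meta.get("HTTP_COOKIE", ""))
    if SESSION_COOKIE_NAME in cookie:
        return cookie[SESSION_COOKIE_NAME].value
    return meta.get(SESSION_HEADER)

def authorize(store, path, meta, now=None):
    """Return (status, username): 200 if allowed, 401 for JSON clients, 302 otherwise."""
    if path in EXEMPT_PATHS:
        return 200, None
    key = session_key_from(meta)
    user = store.user_for(key, now) if key else None
    if user is None:
        wants_json = "application/json" in (meta.get("CONTENT_TYPE"), meta.get("HTTP_ACCEPT"))
        return (401 if wants_json else 302), None
    return 200, user
```

A client would send the header as `Django-Session-Key`, which WSGI exposes as `HTTP_DJANGO_SESSION_KEY`. Header names containing underscores are dropped by nginx by default and by Django's development server.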
