FAQ | This is a LIVE service | Changelog

Skip to content

add user when authenticating

Dr Rich Wareham requested to merge add-user into main

The actual feature introduced by this MR is described in #2 (closed). It is not critical but in summary:

When authenticating a principal add a synthetic "APIGatewayUser" object as the request user. This object is not backed by a database object but does have an id meaning that DRF templates used to render the API views will correctly identify the authenticated user.

It doesn't really matter if this feature lands or not but this MR mostly fixes a problem which implementing the feature highlighted.

Our library as is subtly breaks a Django convention about importing applications. The fix breaks documented backwards compatibility and so we need to put a bit of a hack in until we can fix up the users. (Currently just card API?) Once fixed we can remove the hack.

The long story:

One needs to be very careful with what is imported as a side-effect of importing the top-level application module. That is because that module is imported at application configure time as part of configuring the application. It follows that applications in general are not yet configured when the top-level application module is imported.

The top-level module here then directly imports some of the implementation. So now our implementation must not rely on applications having been configured at import time.

We got away with this due to the simplicity of the application but attempting to derive from AnonymousUser triggered the problem: trying to import anything from django.contrib.auth.models threw an exception about applications not being configured.

The convention for DRF authentication classes is for them to sit in a submodule named "authentication" within the top-level application. This is for good reason; trying to have them in the top-level leads to this sort of pain.

Unfortunately we have users in the wild using "apigatewayauth.APIGatewayAuthentication" in their settings and so we need to support that until users are fixed up to use "apigatewayauth.authentication.APIGatewayAuthentication".

In the meantime, do some nasty hackery to support what was required by the original issue.

Closes #2 (closed)

Edited by Dr Rich Wareham

Merge request reports