
Is it safe to create a session from an auth token?

Çağlar Arlı

My server is using Django Rest Framework. My mobile app logs in using token authentication. However, I also have a webview in the mobile app where I need to log in. I can't inject the auth token on every request in the webview, so I use the auth token for authenticating this endpoint and then create a session from it. This is the code:

from django.contrib.auth import login
from django.shortcuts import redirect
from django.urls import reverse
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_protect
from rest_framework import permissions
from rest_framework.authentication import TokenAuthentication
from rest_framework.authtoken.models import Token
from rest_framework.exceptions import AuthenticationFailed
from rest_framework.renderers import TemplateHTMLRenderer
from rest_framework.response import Response
from rest_framework.throttling import ScopedRateThrottle
from rest_framework.views import APIView


class CreateSessionView(APIView):
    # Requests may carry a DRF auth token; the view itself is open to anyone.
    authentication_classes = [TokenAuthentication]
    permission_classes = (permissions.AllowAny,)
    # Rate-limited under the 'auth_token_verify' scope (configured in REST_FRAMEWORK settings).
    throttle_classes = [ScopedRateThrottle]
    throttle_scope = 'auth_token_verify'
    renderer_classes = [TemplateHTMLRenderer]

    def get(self, request, format=None):
        # This template has a <form> that includes a {% csrf_token %} and the authtoken.
        return Response({}, template_name='pages/create-session.html')

    @method_decorator(csrf_protect)
    def post(self, request, format=None):
        # Look up the user owning the posted token and start a Django session for them.
        try:
            user = Token.objects.get(key=request.POST['authtoken']).user
        except (KeyError, Token.DoesNotExist):
            raise AuthenticationFailed()
        login(request, user, backend='django.contrib.auth.backends.ModelBackend')
        return redirect(reverse('home'))

My question is: Is there a vulnerability here? If so, how can I secure it?
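The token-to-session exchange described in the question, modelled as an added example that is not part of the original post and is not Django or DRF code: a framework-free Python sketch showing the checks such an endpoint performs before minting a session (per-client rate limit, token lookup by digest so raw tokens are never stored, a token age limit, and a session id that is freshly generated rather than derived from the token). The class name, the `TOKEN_TTL`/`MAX_ATTEMPTS` values and the in-memory stores are assumptions made for the example.

```python
"""Added example: a framework-free model of exchanging an auth token for a session.
Not the question's Django code; names, limits and stores are hypothetical."""
import hashlib
import secrets
import time


class AuthenticationFailed(Exception):
    """Raised when the posted token is unknown or too old."""


class Throttled(Exception):
    """Raised when a client exceeds the per-window attempt budget."""


class TokenSessionExchange:
    # Assumed policy values for the example.
    TOKEN_TTL = 3600        # seconds a token may be exchanged after issue
    MAX_ATTEMPTS = 5        # attempts per client per window (mirrors a scoped throttle)
    WINDOW = 60             # seconds

    def __init__(self):
        self._tokens = {}    # sha256(token) -> (user, issued_at)
        self._sessions = {}  # session id -> session record
        self._attempts = {}  # client id -> list of attempt timestamps

    @staticmethod
    def _digest(token):
        # Store only a digest so a leaked table does not reveal usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user, now=None):
        """Create a random token for `user` and record its issue time."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user, now)
        return token

    def exchange(self, token, client_id, now=None):
        """Validate `token` and return a brand-new session id bound to its user."""
        now = time.time() if now is None else now
        # Throttle before touching the token table, like throttle_scope in the view.
        recent = [t for t in self._attempts.get(client_id, []) if now - t < self.WINDOW]
        if len(recent) >= self.MAX_ATTEMPTS:
            raise Throttled(f"too many attempts from {client_id}")
        recent.append(now)
        self._attempts[client_id] = recent
        entry = self._tokens.get(self._digest(token))
        if entry is None:
            raise AuthenticationFailed("unknown token")
        user, issued_at = entry
        if now - issued_at > self.TOKEN_TTL:
            raise AuthenticationFailed("token expired")
        # The session id is independent of the token, so neither reveals the other.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": user, "created": now, "via": "token-exchange"}
        return session_id

    def session_user(self, session_id):
        """Return the user bound to `session_id`, or None if it is not a live session."""
        record = self._sessions.get(session_id)
        return None if record is None else record["user"]


if __name__ == "__main__":
    ex = TokenSessionExchange()
    tok = ex.issue_token("alice")
    sid = ex.exchange(tok, client_id="mobile-app")
    print("session for:", ex.session_user(sid))
```

The `client_id` stands in for whatever the throttle keys on (DRF's scoped throttle uses the user or the client address); the point of checking it first is that failed lookups are the cheap path an automated guesser would exercise.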