Intro:

This is a suggestion for changes. If it gains traction I am interested in making a ticket and writing a PR.

`RemoteUserMiddleware` is a built-in middleware that allows the webserver to externally authenticate a user and pass the authenticated username to Django using an environment variable or request header in `request.META`.

The key to look up from `request.META` is controlled by a variable called `header`, even if it is an environment variable by default, and does not have to be a request header. This is somewhat confusing.

`PersistentRemoteUserMiddleware` is a built-in subclass of `RemoteUserMiddleware` that will log out the user if the configured `request.META` key is not present on all requests (i.e. when just doing external authentication on a `/login` endpoint, and handing persistence over to Django).
Suggestion #1:

- Make `header` of `RemoteUserMiddleware` a configurable setting, i.e. `REMOTEUSER(_MIDDLEWARE)_KEY` (purposefully using `_KEY` and not `_HEADER`), while keeping the default value as `REMOTE_USER`.

Reasoning #1:

- Changing the key to look up in `request.META` is more relevant these days. The default `REMOTE_USER` value is the environment variable that e.g. Apache will set when authenticating a user. Anything using HTTP reverse proxying (e.g. running in a container, a separate WSGI/ASGI server, etc.) requires using an HTTP request header and thus changing the key.
- `header` is currently not a setting, and requires a subclass to change. This requires a sysadmin to make a subclass to change the header. I assume that more sysadmins (when integrating a Django application into the company environment) than developers will make use of `RemoteUserMiddleware`.
Suggestion #2:

- Deprecate `PersistentRemoteUserMiddleware` and make `force_logout_if_no_header` a configurable setting on `RemoteUserMiddleware`, i.e. `REMOTEUSER(_MIDDLEWARE)_PERSISTENT`.

Reasoning #2:

`PersistentRemoteUserMiddleware` is a direct subclass of `RemoteUserMiddleware` with `force_logout_if_no_header` flipped to `False`. It feels messy to have a separate, built-in middleware just to change a single setting. Assuming 1. is implemented, it also makes the most sense to have this as a setting.