Extend PAT authentication support to all /api/v2/ endpoints (mozilla#4081)

The PersonalAccessTokenAuthentication class raised AuthenticationFailed
when no Bearer header was present, preventing it from coexisting with
session auth on the same view. Changed it to return None per DRF
convention, allowing the next authenticator in the chain to try.

Added PAT and session auth as DEFAULT_AUTHENTICATION_CLASSES in
REST_FRAMEWORK settings so all API endpoints accept Bearer tokens
alongside session cookies.

PretranslationView retains its explicit token-only authentication.

Author: mzeier

pontoon/api/authentication.py

@@ -18,9 +18,9 @@ def authenticate(self, request):
         auth_header = request.headers.get("Authorization")
 
         if not auth_header or not auth_header.startswith("Bearer "):
-            raise AuthenticationFailed(
-                {"detail": "Missing or invalid Authorization header."}
-            )
+            # Return None to let DRF try the next authenticator (e.g. session auth).
+            # Raising AuthenticationFailed here would block all non-Bearer requests.
+            return None
 
         try:
             token_id, unhashed_token = auth_header.split(" ")[1].split("_")

pontoon/api/tests/test_authentication.py

@@ -38,9 +38,17 @@ def test_authenticate_missing_authorization_header():
     auth = PersonalAccessTokenAuthentication()
     request = type("Request", (), {"headers": {}})
 
-    with pytest.raises(AuthenticationFailed) as excinfo:
-        auth.authenticate(request)
-    assert excinfo.value.detail["detail"] == "Missing or invalid Authorization header."
+    result = auth.authenticate(request)
+    assert result is None
+
+
+@pytest.mark.django_db
+def test_authenticate_non_bearer_authorization_header():
+    auth = PersonalAccessTokenAuthentication()
+    request = type("Request", (), {"headers": {"Authorization": "Basic dXNlcjpwYXNz"}})
+
+    result = auth.authenticate(request)
+    assert result is None
 
 
 @pytest.mark.django_db

pontoon/api/tests/test_views.py

@@ -1835,3 +1835,66 @@ def test_pretranslation_tm(member):
     )
 
     assert response.status_code == 400
+
+
+@pytest.mark.django_db
+def test_pat_auth_on_locales_endpoint(member):
+    """PAT authentication works on non-pretranslation endpoints."""
+    token = PersonalAccessToken.objects.create(
+        user=member.user,
+        name="Test Token PAT Locales",
+        token_hash="hashed_token",
+        expires_at=now() + timedelta(days=1),
+    )
+    token_id = token.id
+    token_unhashed = "unhashed-token"
+    token.token_hash = make_password(token_unhashed)
+    token.save()
+
+    response = APIClient().get(
+        "/api/v2/locales/",
+        HTTP_ACCEPT="application/json",
+        headers={"Authorization": f"Bearer {token_id}_{token_unhashed}"},
+    )
+
+    assert response.status_code == 200
+
+
+@pytest.mark.django_db
+def test_session_auth_still_works_on_user_actions(member):
+    """Session authentication continues to work after PAT auth is added to defaults."""
+    client = APIClient()
+    client.force_authenticate(user=member.user)
+
+    project = ProjectFactory(slug="test-session-project")
+    date = now().strftime("%Y-%m-%d")
+
+    response = client.get(
+        f"/api/v2/user-actions/{date}/project/{project.slug}/",
+        HTTP_ACCEPT="application/json",
+    )
+
+    assert response.status_code == 200
+
+
+@pytest.mark.django_db
+def test_expired_pat_rejected_on_non_pretranslation_endpoint(member):
+    """Expired PAT returns 403 on non-pretranslation endpoints."""
+    token = PersonalAccessToken.objects.create(
+        user=member.user,
+        name="Test Token Expired",
+        token_hash="hashed_token",
+        expires_at=now() - timedelta(days=1),
+    )
+    token_id = token.id
+    token_unhashed = "unhashed-token"
+    token.token_hash = make_password(token_unhashed)
+    token.save()
+
+    response = APIClient().get(
+        "/api/v2/locales/",
+        HTTP_ACCEPT="application/json",
+        headers={"Authorization": f"Bearer {token_id}_{token_unhashed}"},
+    )
+
+    assert response.status_code == 403

pontoon/settings/base.py

@@ -1270,6 +1270,10 @@ def account_username(user):
 TBX_DESCRIPTION = os.environ.get("TBX_DESCRIPTION", "Terms localized in Pontoon")
 
 REST_FRAMEWORK = {
+    "DEFAULT_AUTHENTICATION_CLASSES": [
+        "pontoon.api.authentication.PersonalAccessTokenAuthentication",
+        "rest_framework.authentication.SessionAuthentication",
+    ],
     "DEFAULT_FILTER_BACKENDS": ["django_filters.rest_framework.DjangoFilterBackend"],
     "DEFAULT_PAGINATION_CLASS": "pontoon.api.pagination.DynamicPageNumberPagination",
     "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",