Allow Ajax requests to bypass basic auth

edivorce/apps/core/middleware/basicauth_middleware.py

@@ -1,4 +1,6 @@
 import base64
+
+import sys
 from django.http import HttpResponse
 from django.conf import settings
 from django.template.loader import render_to_string
@@ -18,6 +20,13 @@ class BasicAuthMiddleware(object):
         if request.path == settings.FORCE_SCRIPT_NAME + 'health':
             return None
 
+        # allow ajax requests -
+        # basic auth through ajax is tricky, and besides, this isn't really
+        # intended as security.  It's just to prevent users from
+        # logging into the wrong environment.
+        if request.path.startswith(settings.FORCE_SCRIPT_NAME + 'api/'):
+            return None
+
         # check if the middleware is enabled in settings
         if not settings.BASICAUTH_ENABLED:
             return None

edivorce/settings/base.py

@@ -82,6 +82,12 @@ TEMPLATES = [
 
 WSGI_APPLICATION = 'wsgi.application'
 
+# need to disable auth in Django Rest Framework so it doesn't get triggered
+# by presence of Basic Auth headers
+REST_FRAMEWORK = {
+    'DEFAULT_AUTHENTICATION_CLASSES': []
+}
+
 # Internationalization
 # https://docs.djangoproject.com/en/1.8/topics/i18n/