Add django-oauth-toolkit + django-ninja integration

pyproject.toml

@@ -44,12 +44,16 @@ Repository = "https://github.com/kitware-resonant/django-resonant-utils"
 allauth = [
   "django-allauth",
 ]
-rest_framework = [
-  "djangorestframework",
-]
 minio_storage = [
   "django-minio-storage",
 ]
+ninja = [
+  "django-ninja",
+  "django-oauth-toolkit",
+]
+rest_framework = [
+  "djangorestframework",
+]
 s3_storage = [
   "django-storages[s3]>=1.14",
 ]
@@ -152,3 +156,9 @@ warn_unused_ignores = true
 mypy_path = [
   "$MYPY_CONFIG_FILE_DIR/stubs",
 ]
+
+[[tool.mypy.overrides]]
+module = [
+  "oauth2_provider.*",
+]
+ignore_missing_imports = true

resonant_utils/ninja.py

@@ -0,0 +1,44 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Any
+
+from ninja.security.http import HttpAuthBase
+from oauth2_provider.oauth2_backends import get_oauthlib_core
+
+if TYPE_CHECKING:
+    from django.http import HttpRequest
+    from oauth2_provider.models import AbstractAccessToken
+
+
+# TODO: Remove this once https://github.com/django-oauth/django-oauth-toolkit/pull/1646 is released.
+# Don't inherit from `HttpBearer`, since we have our own header extraction logic
+class HttpOAuth2(HttpAuthBase):
+    """Perform OAuth2 authentication, for use with Django Ninja."""
+
+    openapi_scheme: str = "bearer"
+
+    def __init__(self, *, scopes: list[str] | None = None) -> None:
+        super().__init__()
+        self.scopes = scopes if scopes is not None else []
+
+    def __call__(self, request: HttpRequest) -> Any | None:
+        oauthlib_core = get_oauthlib_core()
+        # This also sets `request.user`,
+        # which Ninja does not: https://github.com/vitalik/django-ninja/issues/76
+        valid, r = oauthlib_core.verify_request(request, scopes=self.scopes)
+
+        if not valid:
+            return None
+
+        return self.authenticate(request, r.access_token)
+
+    def authenticate(self, request: HttpRequest, access_token: AbstractAccessToken) -> Any | None:
+        """
+        Determine whether authentication succeeds.
+
+        If this returns a truthy value, authentication will succeed.
+        Django Ninja will set the return value as `request.auth`.
+
+        Subclasses may override this to implement additional authorization logic.
+        """
+        return access_token

tox.ini

@@ -10,8 +10,9 @@ env_list =
 runner = uv-venv-lock-runner
 extras =
     allauth
-    rest_framework
     minio_storage
+    ninja
+    rest_framework
     s3_storage
 
 [testenv:lint]
@@ -35,4 +36,3 @@ dependency_groups =
     type
 commands =
     mypy {posargs}
-