I am having trouble implementing token authentication with JWT in the Django rest framework with a Typscript frontend. I'm getting
{detail: "Authentication credentials were not provided."}
with my API call via Typescript, which is:
readonly BASE_URL = 'http://127.0.0.1:8000/'
api_url = this.BASE_URL + 'items/'
auth_url = this.BASE_URL + "api-token-auth/"
getItemsService(token) {
const headers = new HttpHeaders()
headers.append('Content-Type', 'application/json')
headers.append('Authorization', 'JWT ' + token.token)
return this.http.get(this.api_url, {headers: headers})
}
Logging in works fine. It's when I try to load the items that I have issues.
Here's my Django code:
views.py
from rest_framework import generics
from .models import Item
from .serializers import ItemSerializer
class ItemList(generics.ListCreateAPIView):
queryset = Item.objects.all()
serializer_class = ItemSerializer
class ItemDetail(generics.RetrieveUpdateDestroyAPIView):
queryset = Item.objects.all()
serializer_class = ItemSerializer
items/urls.py
from django.urls import path
from .views import ItemList, ItemDetail
urlpatterns = [
path('', ItemList.as_view()),
path('<int:pk>/', ItemDetail.as_view()),
]
project/urls.py
from django.contrib import admin
from django.urls import include, path
from rest_framework_jwt.views import obtain_jwt_token
urlpatterns = [
path('items/', include('groceries.urls')),
path('admin/', admin.site.urls),
path('api-auth/', include('rest_framework.urls')),
path('api-token-auth/', obtain_jwt_token),
]
settings.py
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
),
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
),
}
I thought the issue would have to be with Django, but I am able to get what I expect with
curl -H "Authorization: JWT <token>" http://localhost:8000/items/
If my backend was not set up correctly, this wouldn't work. So it must be my frontend code.
Based on what you described, It may be a CORS issue. Because you have access to your api endpoint via curl command. But not with browser.
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin. A web application makes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, and port) than its own origin.
I checked your Angular typescript code, It seems fine. I suggest to follow below instructions in your django project and see how it goes:
1) install it for pip via pip install django-cors-headers command.
2) In settings.py file, add this app to your installed apps:
INSTALLED_APPS = (
...
'corsheaders',
...
)
3) You will also need to add a middleware class to listen in on responses:
MIDDLEWARE = [ # Or MIDDLEWARE_CLASSES on Django < 1.10
...
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
...
]
remember CorsMiddleware should be placed as high as possible.
4) Add this line to your settings.py file.
CORS_ORIGIN_ALLOW_ALL = True
for full documentation refer to django-cors-headers.
Related
So I have a Django app with Swagger, but I also added a custom authenticator to every endpoint automatically with
settings.py
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'cheers.utils.authenticator.CognitoAuthentication',
),
}
urls.py
schema_view = get_schema_view(
openapi.Info(
title="Resource API",
default_version="v1",
description="A sample API for resource with DRF",
terms_of_service="https://www.google.com/policies/terms/",
contact=openapi.Contact(email="cheersocialinc#gmail.com"),
license=openapi.License(name="BSD License"),
),
public=True,
permission_classes=(
permissions.AllowAny,), # Anyone have access to API documentation
)
if settings.DEBUG:
urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
urlpatterns += ADMIN_URLS
urlpatterns += SWAGGER_URLS
How do I turn this off for swagger and admin url? The reason I'm not sure is because Swagger and admin is added to URLs it's not a view
urls.py
How do I disable automatic authentication for swagger?
Also I guess a side question would be how to disable this URL when debug is False
To disable authentication | permission on swagger urls, set permission_classes in get_schema_view like this :
urls.py
from django.urls import path
from rest_framework import permissions
from rest_framework.schemas import get_schema_view
from django.conf import settings
schema_view = get_schema_view(
openapi.Info(
title="Resource API",
default_version="v1",
description="A sample API for resource with DRF",
terms_of_service="https://www.google.com/policies/terms/",
contact=openapi.Contact(email="your_email#yopmail.com"),
license=openapi.License(name="BSD License"),
),
public=True,
permission_classes=(
permissions.AllowAny, ), # Anyone have access to API documentation
)
if settings.DEBUG == False
# urlpatterns
urlpatterns = [
# Production urls only
]
else:
urlpatterns = [
# Production urls + swagger doc urls
path(
'doc/',
schema_view.with_ui('swagger', cache_timeout=0),
name='schema-swagger-ui'),
]
For Django admin without authentication follow this post.
In my application I need to have multiple Swagger pages with grouped endpoints for multiple clients.
One of my clients (paths) supplies mobile app API, another supplies web client API. URL patterns are kept in 2 different urls.py accordingly.
I'm using drf-yasg to generate schema for my API.
To generate swagger specification for those I'm initializing 2 separate schema_views for each urls.py file like this:
from api_mobile.urls import urlpatterns as mobile_patterns
from api_web.urls import urlpatterns as web_patterns
mobile_schema_view = get_schema_view(
openapi.Info(
title="Mobile API",
default_version='v3',
),
public=True,
permission_classes=(permissions.AllowAny,),
patterns=mobile_patterns,
)
web_schema_view = get_schema_view(
openapi.Info(
title="Web API",
default_version='v1',
),
public=True,
permission_classes=(permissions.AllowAny,),
patterns=web_patterns,
)
urlpatterns = [
path(
'api/mobile/docs',
mobile_schema_view.with_ui('swagger', cache_timeout=0),
name='mobile-schema-ui'
),
path(
'api/web/docs',
web_schema_view.with_ui('swagger', cache_timeout=0),
name='web-schema-ui'
),
path('api/mobile/v3/', include('api_mobile.urls'), name='mobile_urls'),
path('api/web/v1/', include('api_web.urls'), name='web_urls'),
...
]
Where mobile_patterns and web_patterns are just a list of url patterns.
If I open http://localhost:8000/api/mobile/docs or http://localhost:8000/api/web/docs I do see correctly generated schema for both lists of patterns, yet if I try to do a request directly from swagger specification page all endpoints return 404 error – they all try to do a request to non-existing url pattern without providing full path to endpoint.
So if I do a request to any view from mobile endpoints swagger tries to do a request at
http://localhost:8000/some_mobile_url/ instead of http://localhost:8000/api/mobile/v3/some_mobile_url/
And situation is the same for another schema, swagger wrongly requests http://localhost:8000/some_web_url/ instead of using full path
http://localhost:8000/api/web/v3/some_web_url/
Obviously being able to test API directly through swagger is very important so specification itself is not enough in my case.
Is this an issue in me misconfiguring swagger itlesf or should I be somehow providing path to swagger so it prepends full path to each url accordingly?
This is working fine for us:
api_schema.py
from django.conf.urls import include, url
from drf_yasg.views import get_schema_view
from drf_yasg import openapi
from books.api.v1.urls import urlpatterns as api_v1
API_DESCRIPTION = openapi.Info(
...
)
schema_view = get_schema_view(
info=...,
...
url='https://oursite.company.io/',
patterns=[
url('api/v1/', include(api_v1)),
],
)
books.api.v1.urls.py
from django.conf.urls import include, url
urlpatterns = [
url(r'^books', ...),
...
]
urls.py
from ...api_schema import schema_view
...
url(r'^api/v1/', include(api_v1)),
url(r'^api/schema(?P<format>\.json|\.yaml)$',
schema_view.without_ui(cache_timeout=0),
name='api_schema_v1'),
...
when i trying to access api i'm getting this error:
"detail": "Authentication credentials were not provided."
i have included this in settings.py:
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES':(
'rest_framework.authentication.TokenAuthentication',
'rest_framework.authentication.SessionAuthentication',
),
'DEFAULT_PERMISSION_CLASSES':(
'rest_framework.permissions.IsAuthenticated',
)
}
my app api urls.py:
from django.urls import path,include
from . import views
from rest_framework import routers
router = routers.SimpleRouter()
router.register(r'',views.UserViewSet, 'user_list')
urlpatterns = router.urls
my views.py:
class UserViewSet(viewsets.ModelViewSet):
queryset = User.object.all()
serializer_class = serializers.UserSerializers
serializers.py:
from rest_framework import serializers
from users.models import User
class UserSerializers(serializers.ModelSerializer):
class Meta:
model = User
fields = ('email','password')
my main urls.py:
urlpatterns = [
path('admin/', admin.site.urls),
path('',include(urls)),
path ('', include(user_urls)),
path('api/',include(api_urls)),
when i running localhost:8000/api i'm getting the error
You can't access the api from the browsers url if you are using TokenAuthentication.
as said by #DarkOrb TokenAuthentication expects a authorization header with token as it's value.
So You must pass token whenever you call the api.
You can test your api using postman.
In above image i have passed token in headers of postman to access my api.
When you call your api from frontend side,pass your token along with the request.
If you just want to use your api in only desktop's browser,in that case you can use SessionAuthentication only.For mobile devices Tokenauthentication must be done.
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES':(
'rest_framework.authentication.TokenAuthentication',
'rest_framework.authentication.SessionAuthentication',
),
'DEFAULT_PERMISSION_CLASSES':(
'rest_framework.permissions.IsAuthenticated',
)
}
use this in your settings.py file, what is happening is that rest_framework.authentication.TokenAuthentication expects a authorization header with token as it's value, but you can't send that with your browser, to browse API from browser you must have SessionAuthentication enabled.
I have a problem with token authentication.
I run my django app with django built in server.
$python manage.py runserver
My App's urls.py
from rest_framework_jwt.views import obtain_jwt_token
from .views import LectureCreateView
urlpatterns = [
...
url(r'^api/user_auth/$', obtain_jwt_token),
url(r'^api/lecture/create/$', LectureCreateView.as_view()),
]
My App's models.py
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import IsAuthenticated
class LectureStartView(APIView):
permission_classes = (IsAuthenticated,)
authentication_classes = (TokenAuthentication,)
def post(self, request):
...
and settings.py
...
INSTALLED_APPS = [
...
# Rest framework
'rest_framework',
'rest_framework.authtoken',
'myApp',
]
...
REST_FRAMEWORK = {
# other settings...
'DEFAULT_AUTHENTICATION_CLASSES': [
'rest_framework.authentication.TokenAuthentication',
],
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.IsAuthenticated',
],
}
I want auth with token.
I successfully issued token.
POST '...api/user_auth/' {
"username": "test",
"password": "blahbalh123"
}
{
"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjIwMTMyMzA2Iiwib3JpZ19pYXQiOjE1MDk5NzA5NjcsInVzZXJfaWQiOjMsImVtYWlsIjoiaW50ZXJydXBpbmdAbmF2ZXIuY29tIiwiZXhwIjoxNTA5OTcxNTY3fQ.acwqAP4sBPZWYPC0GfgL3AZarNz4Opb_5P4RewZJYrI"
}
but I fail Auth with Token
Request:
POST ...api/lecture/create/ HTTP/1.1
Host: 127.0.0.1:8000
Authorization: Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjIwMTMyMzA2Iiwib3JpZ19pYXQiOjE1MDk5NzA5NjcsInVzZXJfaWQiOjMsImVtYWlsIjoiaW50ZXJydXBpbmdAbmF2ZXIuY29tIiwiZXhwIjoxNTA5OTcxNTY3fQ.acwqAP4sBPZWYPC0GfgL3AZarNz4Opb_5P4RewZJYrI
Response:
Status: 401 Unauthorized
Allow →GET, POST, HEAD, OPTIONS
Content-Length →27
Content-Type →application/json
Date →Mon, 06 Nov 2017 12:59:17 GMT
Server →WSGIServer/0.1 Python/2.7.13
Vary →Accept
WWW-Authenticate →Token
X-Frame-Options →SAMEORIGIN
{
"detail": "Invalid token."
}
What's wrong with my code?
sorry for my english skill.
I think you are mixing the Tokens from django-rest-framework and REST framework JWT.
In the DJR documentations says:
from rest_framework.authtoken import views
urlpatterns += [
url(r'^api-token-auth/', views.obtain_auth_token)
]
You should replace your code with:
from rest_framework.authtoken import views
from .views import LectureCreateView
urlpatterns = [
...
url(r'^api/user_auth/$', views.obtain_auth_token),
url(r'^api/lecture/create/$', LectureCreateView.as_view()),
]
I hope it can help you.
I am using DjangoRestFramework 3.3.2 for Routing in my django application. I have 6 different folders for 6 apps and 1 main project app. I have include all 6 apps urls into main url file. Following is my main url file.
from django.conf.urls import include, url
from django.contrib import admin
urlpatterns = [
url(r'^admin/', admin.site.urls),
url(r'^vpc/', include('vpc.urls')),
url(r'^dss/', include('dss.urls')),
url(r'^rds/', include('rds.urls')),
url(r'^compute/', include('compute.urls')),
url(r'^iam/', include('iam.urls')),
]
And this is my one of app url file.
from django.conf.urls import url
from rest_framework import routers
import views.instance_views as instance
import views.snapshot_views as snapshot
router = routers.SimpleRouter()
router.register(r'instance', instance.IntanceViewSet, base_name='instance')
router.register(r'snapshot', snapshot.SnapshotViewSet, base_name='snapshot')
urlpatterns = []
urlpatterns += router.urls
Now my problem is when I open urls in browser, I can see whole url hierarchy. Which is not required.
How do I hide these rendered views. I don't want to show any extra information
I was able to hide view using:
REST_FRAMEWORK = {
'DEFAULT_RENDERER_CLASSES': (
'rest_framework.renderers.JSONRenderer',
)
}
But I am still getting all urls under 1 app.
{"instance":"http://127.0.0.1:8000/compute/instance/","keypair":"http://127.0.0.1:8000/compute/keypair/","volume":"http://127.0.0.1:8000/compute/volume/","image":"http://127.0.0.1:8000/compute/image/","snapshot":"http://127.0.0.1:8000/compute/snapshot/"}
In your urls.py change the default router to simple router.
router = routers.SimpleRouter()
You should also add the following snippet in your production settings file to only enable JSONRenderer for the API, This will completely disable the web browsable API.
REST_FRAMEWORK = {
'DEFAULT_RENDERER_CLASSES': (
'rest_framework.renderers.JSONRenderer',
)
}
Just to update on the answers given. You do need to specify the SimpleRouter() router, but often the DefaultRouter() router is useful for viewing and debugging whilst in development.
With that in mind, I would advise doing the simple following step:
if settings.DEBUG:
router = DefaultRouter()
else:
router = SimpleRouter()
Then as normal:
from myproject.users.api.viewsets import UserViewSet
router.register(r'users', UserViewSet)
In settings.py DEBUG=False and your REST API wont show.