If my webservice (powered by Django Rest Framework, v2.3.8) is inside a location protected by Nginx's HTTP Basic Authentication, like so:
location / {
    auth_basic "Restricted access";
    auth_basic_user_file /path/to/htpasswd;
    uwsgi_pass django;
    include /etc/uwsgi/config/uwsgi_params;
}
Then, when a user authenticates and tries to access the API, the following response is obtained for all views:
{"detail": "Invalid username/password"}
Does Django Rest Framework pick up the HTTP Authorization header (meant for Nginx) even though the view requires no authentication? If so, how should I go about this?
Any help would be greatly appreciated.
By default, Django Rest Framework has two authentication classes, see here.
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication'
    )
}
You can disable the rest framework authentication if you don't need it.
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': ()
}
Or you can remove only BasicAuthentication as it will work in your case.
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication'
    )
}
As noted in another post, you must add a comma next to the authentication class or it can throw a TypeError.
'DEFAULT_AUTHENTICATION_CLASSES': (
    'rest_framework.authentication.SessionAuthentication',  # comma added here
)
Source: https://stackoverflow.com/a/22697034/5687330
Related
While working with the REST framework and a native frontend client, I need to log in both with native clients and directly to the API endpoint for development and testing purposes.
Native client login requires token authentication and direct API login requires session authentication. But if I put both in settings.py as default, I get a CSRF error from the native client, and if I remove session auth I am not able to log in directly to the API (I can still log in to the admin console).
My settings.py:
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.TokenAuthentication',
        'rest_framework.authentication.SessionAuthentication'
    ],
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.AllowAny',
    )
}
What can be done to log in from both for development and testing? Any help?
@Daniel This is my current setting, check if this helps you:
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
        # 'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.AllowAny',
    )
}
AUTHENTICATION_BACKENDS = (
    # Needed to login by username in Django admin, regardless of `allauth`
    "django.contrib.auth.backends.ModelBackend",
    # `allauth` specific authentication methods, such as login by e-mail
    "allauth.account.auth_backends.AuthenticationBackend"
)
I am enabling token/api-key authentication on my API. But once I enable it, I can no longer use the browsable API page of the DRF. I know I can disable the authentication while developing, but this is a question of curiosity: Can I add an api-key to the header of each request sent to the browsable API page? Can I do that by tweaking the Browser settings? Or is it possible to tweak the Browsable API page itself and hardcode the api-key into it?
The better way to handle the situation is to add the SessionAuthentication to the DEFAULT_AUTHENTICATION_CLASSES section in your settings:
# settings.py
REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.TokenAuthentication",
        "rest_framework.authentication.SessionAuthentication",
    ],
}
More precisely,
# settings.py
REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.TokenAuthentication",
    ],
}
# Enable session login (browsable API) only in development builds
if DEBUG:
    REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"].append(
        "rest_framework.authentication.SessionAuthentication"
    )
By doing this, you can either use your APIKey or session key to authenticate the requests.
I created a frontend with Vue.js using Vue CLI and webpack, and the backend using Django REST framework, where I am also implementing social authentication for Google using restauth. Before I used the django webpack loader, the login and logout would work fine and as expected. (I should mention that I was using TokenAuthentication.) In my settings.py file, I had both SessionAuthentication and TokenAuthentication enabled in the REST framework authentication possibilities. The two settings being enabled never caused any trouble. However, after using the django webpack loader to render the frontend Vue files using Django templates, I would continuously get an error that said my CSRF token was not present. The login would work fine in this case, however, if I removed the SessionAuthentication option from the settings.py file.
Does anyone know why this is happening?
https://medium.com/@rodrigosmaniotto/integrating-django-and-vuejs-with-vue-cli-3-and-webpack-loader-145c3b98501a
I used the above blog to implement the webpack loader functionality.
I removed the 'rest_framework.authentication.SessionAuthentication', line from my settings.py after using the django-webpack-loader and the issue was resolved.
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authtoken',
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    )
}
I basically changed it like below:
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authtoken',
        'rest_framework.authentication.BasicAuthentication',
    )
}
As you are probably using axios, you need to include these two lines in your main.js:
/* configure axios to forward the csrftoken back to Django on POST requests */
axios.defaults.xsrfHeaderName = 'X-CSRFToken';
axios.defaults.xsrfCookieName = 'csrftoken';
Images in the current database have one piece of data.
But, I am currently experiencing the following error
"GET /images/all/ HTTP/1.1" 401 58
"detail": "Authentication credentials were not provided."
My GitHub URL: https://github.com/Nomadcoders-Study/Nomadgram
Which part of the setup went wrong?
I saw your GitHub project's settings.py file.
This error occurs because you are using the IsAuthenticated backend for all of your requests to the REST APIs. You have also set up a JWT authorization system:
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
    ),
}
So basically, if you want to make a request to any of your API endpoints, you should provide a JWT token authorization header in it, like this:
curl "<your api endpoint>" -H "Authorization: jwt <token_received>"
Also remember to set up an API to receive the token from, by providing username and password in the serializer.
Try this in your settings file:
settings.py
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAuthenticated',),
    'DEFAULT_AUTHENTICATION_CLASSES': ('rest_framework_simplejwt.authentication.JWTAuthentication',),
}
You can add it to the rest_framework configuration in your project settings:
settings.py
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': ('rest_framework.authentication.BasicAuthentication', ),
}
If I want to use both TokenAuthentication and SessionAuthentication, I get a CSRF error if it checks the session before the Token. Is this an indicator that something is wrong with my setup, or is this a shortcoming of DRF?
EDIT:
This works, but now every time someone forgets the token I get a CSRF error.
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    ),
}
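A simplified model of how DRF walks DEFAULT_AUTHENTICATION_CLASSES, added here as an illustration of both the nginx Basic-auth question at the top of the page and the Token/Session ordering question just above. It is not DRF's source or code from any of the posts; the function names, users, token and requests are constructed for the example.

```python
import base64

class AuthenticationFailed(Exception): pass   # DRF turns this into 401/403
class PermissionDenied(Exception): pass       # DRF turns this into 403

# Constructed sample data: Django knows "alice"; "ops" exists only in nginx's htpasswd.
DJANGO_USERS = {"alice": "s3cret"}
TOKENS = {"constructed-token-123": "alice"}
# Constructed request: the browser re-sends the credentials it gave nginx.
NGINX_REQUEST = {"method": "GET",
    "authorization": "Basic " + base64.b64encode(b"ops:nginx-pass").decode()}

def scheme_and_value(request):
    parts = request.get("authorization", "").split()
    return (parts[0].lower(), parts[1]) if len(parts) == 2 else (None, None)

def basic_auth(request):
    scheme, value = scheme_and_value(request)
    if scheme != "basic":
        return None                      # not ours: let the next class try
    user, _, password = base64.b64decode(value).decode().partition(":")
    if DJANGO_USERS.get(user) != password:
        raise AuthenticationFailed("Invalid username/password")
    return user

def token_auth(request):
    scheme, value = scheme_and_value(request)
    if scheme != "token":
        return None
    if value not in TOKENS:
        raise AuthenticationFailed("Invalid token")
    return TOKENS[value]

def session_auth(request):
    user = request.get("session_user")   # set by Django's session middleware
    if user is None:
        return None
    unsafe = request["method"] not in ("GET", "HEAD", "OPTIONS", "TRACE")
    if unsafe and not request.get("csrf_token"):
        raise PermissionDenied("CSRF Failed: CSRF token missing")
    return user

def authenticate(request, classes):
    """Classes run in order; the first user wins, an exception ends the request."""
    for authenticator in classes:
        user = authenticator(request)
        if user is not None:
            return user
    return None                          # anonymous; permission classes decide
```

With these definitions, authenticate(NGINX_REQUEST, [session_auth, basic_auth]) raises AuthenticationFailed even for an AllowAny view, while [session_auth] alone yields an anonymous request. A POST that carries both a token and a logged-in session succeeds only when token_auth is listed first, and the same POST without the token falls through to the session check and fails on CSRF.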