This repository has been archived by the owner on May 26, 2020. It is now read-only.
If I'm trying to build rest endpoints (single view) that allow both safe (GET) and unsafe methods, whilst relying only on JSONWebTokenAuthentication as authentication class, I get a 401 on GET instead of the request succeeding.
Reason for this is that JSONWebTokenAuthentication throws an exception if the token is invalid instead of not setting request.user.
The default behavior for SessionAuthentication in Django is to simply not set user on request, leaving the request unauthenticated and letting the permissions do their thing after.
There are several ways around this, as far as I can tell:
1. Do not send the Authenticate header from the client for the GET requests.
2. Build a separate view for the GET endpoints I want to expose and set authentication_class explicitly to not try to authenticate.
None of these are however ideal for several reasons:
1. What if I want custom behavior on the GET endpoint depending on whether I'm authenticated or not?
2. It's nice and efficient (and RESTful) to use a single view with post/get/put/delete for a resource.
3. It doesn't tie in nicely with DRF's or Django's permissions.

I'm not sure whether this was built on purpose because of the JWT standard, but it would be nice to be able to control this behavior from a setting perhaps? Or maybe some other elegant solution.
@lucibit - I don't have anything to offer to this discussion. I was stuck on this and found your post via Google. Ended up going with workaround (1) on my client. Thanks for posting that.
https://github.com/GetBlimp/django-rest-framework-jwt/blob/master/rest_framework_jwt/authentication.py#L36
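An added example, not part of the issue thread or of the project's code, showing one way to get the behavior asked for above: a mixin that turns an authentication failure into "anonymous" for safe methods only, so the permission check still decides. `Request`, `StrictTokenAuth`, `sign` and `handle` are hypothetical stand-ins so the block runs without Django; in a DRF project the mixin would be placed in front of `JSONWebTokenAuthentication` and catch `rest_framework.exceptions.AuthenticationFailed`.

```python
import hashlib
import hmac

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")
SECRET = b"constructed-demo-key"  # constructed value, used only in this example

class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""

class Request:
    """Hypothetical minimal request: HTTP method plus the raw token, if any."""
    def __init__(self, method, authorization=None):
        self.method, self.authorization = method, authorization

def sign(user):
    """Issue a demo token 'user.hexmac' (a stand-in for a real JWT)."""
    return user + "." + hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()

class StrictTokenAuth:
    """Models the reported behavior: None without a token, raise on a bad one."""
    def authenticate(self, request):
        token = request.authorization
        if token is None:
            return None
        user = token.rpartition(".")[0]
        if not user or not hmac.compare_digest(sign(user).encode(), token.encode()):
            raise AuthenticationFailed("invalid token")
        return user

class LenientOnSafeMethods:
    """Mixin: a bad token on a safe method leaves the request anonymous."""
    def authenticate(self, request):
        try:
            return super().authenticate(request)
        except AuthenticationFailed:
            if request.method in SAFE_METHODS:
                return None
            raise  # unsafe methods keep failing closed

class LenientTokenAuth(LenientOnSafeMethods, StrictTokenAuth):
    """The strict authenticator with the safe-method fallback in front of it."""

def handle(auth, request):
    """Authenticate, then apply an IsAuthenticatedOrReadOnly-style rule."""
    try:
        user = auth.authenticate(request)
    except AuthenticationFailed:
        return 401, None
    allowed = user is not None or request.method in SAFE_METHODS
    return (200, user) if allowed else (401, None)
```

With this fallback a client holding an expired or malformed token receives the anonymous response on GET rather than a 401, so it has no signal that it should refresh the token. Unsafe methods are unaffected and still return 401.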