This repository has been archived by the owner on May 26, 2020. It is now read-only.

using JSONWebTokenAuthentication with DRF IsAuthenticatedOrReadOnly permission throws 401 on GET #254

Closed
lucibit opened this issue Aug 17, 2016 · 3 comments

Comments

lucibit commented Aug 17, 2016

If I'm trying to build rest endpoints (single view) that allow both safe (GET) and unsafe methods, whilst relying only on JSONWebTokenAuthentication as authentication class, I get a 401 on GET instead of the request succeeding.

Reason for this is that JSONWebTokenAuthentication throws an exception if the token is invalid instead of not setting request.user.

https://github.com/GetBlimp/django-rest-framework-jwt/blob/master/rest_framework_jwt/authentication.py#L36

The default behavior for SessionAuthentication in django is to simply not set user on request, leaving the request unauthenticated and letting the permissions do their thing after.

There are several ways around this, as far as I can tell:

  1. Do not send Authenticate header from the client for the GET requests.
  2. Build a separate view for the GET endpoints I want to expose and set authentication_class explicitly to not try to authenticate.

None of these are however ideal for several reasons:

  1. What if I want custom behavior on the GET endpoint depending on whether I'm authenticated or not?
  2. It's nice and efficient (and RESTful) to use a single view with post/get/put/delete for a resource.
  3. It doesn't tie in nicely with DRF's or django's permissions.

I'm not sure whether this was built on purpose because of the JWT standard, but it would be nice to be able to control this behavior from a setting perhaps? OR maybe some other elegant solution.
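
A simplified model of the behaviour described in this issue, as an added example that is not part of the thread and not code from django-rest-framework-jwt: it compares an authenticator that rejects any bad token with one that falls back to an anonymous request on safe methods, under an IsAuthenticatedOrReadOnly-style rule. The `JWT ` header prefix, the `lenient_on_safe` switch, all helper names and the secret are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"        # constructed value, not a real key
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

class AuthenticationFailed(Exception):
    """Stand-in for the exception the issue says the JWT class raises."""

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(head, body, secret):
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256)
    return _b64(mac.digest())

def make_token(user, exp, secret=SECRET):
    """Build a minimal HS256 token for the demo (hypothetical helper)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "exp": exp}).encode())
    return f"{head}.{body}.{_sign(head, body, secret)}"

def verify(token, now):
    """Return the subject, or raise AuthenticationFailed on any defect."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(head, body, SECRET)):
            raise ValueError("bad signature")
        pad = "=" * (-len(body) % 4)
        claims = json.loads(base64.urlsafe_b64decode(body + pad))
        if claims["exp"] <= now:
            raise ValueError("expired")
        return claims["sub"]
    except (ValueError, KeyError, TypeError) as exc:
        raise AuthenticationFailed(str(exc))

def handle(method, auth_header, now, lenient_on_safe=False):
    """Return (status, user) for a view that is read-only for anonymous users."""
    user = None
    if auth_header and auth_header.startswith("JWT "):
        try:
            user = verify(auth_header[4:], now)
        except AuthenticationFailed:
            if not (lenient_on_safe and method in SAFE_METHODS):
                return 401, None   # the 401-on-GET reported in this issue
            # lenient: stay anonymous and let the permission rule decide
    if method in SAFE_METHODS or user is not None:
        return 200, user
    return 401, None
```

In the lenient mode an expired or forged token on a GET is served as anonymous, so a client only learns that its token is bad on the next write; unsafe methods still fail closed.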

dopeboy commented Sep 21, 2016

@lucibit - I don't have anything to offer to this discussion. I was stuck on this and found your post via Google. Ended up going with workaround (1) on my client. Thanks for posting that.

@oliverbienert

Thank you for posting this! Workaround (1) also works for me.

Contributor

angvp commented Jun 12, 2017

👍

@angvp angvp closed this as completed Jun 12, 2017