Skip to content
Extends Django Rest Framework to add a Session Authentication Viewpoint.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
rest_framework_sav
tests
.gitignore
.travis.yml
LICENSE
README.md
runtests.py
setup.cfg
setup.py

README.md

Session Authentication View for Django Rest Framework

Build Status Coverage Status Code Health PyPI version

This package extends Django Rest Framework to add a Session Authentication view , in a similar manner to the obtain_auth_token view. It allows session login and logout in a REST-like manner, ideal if you want to completely decouple a single-page application from your backend.

Whilst the package is quite simple, providing one view and reusing the serializer from the included auth_token app, it is well tested, making it useful for production systems using Django Rest Framework 3.0. The build matrix for testing covers all currently supported versions of Django and their compatible Python versions.

Installation

Grab the package using PIP.

pip install djangorestframework-sav

Add rest_framework_sav to INSTALLED_APPS in settings.py.

INSTALLED_APPS = [
    ...
    'rest_framework_sav',
    ...
]

Make sure Session Authentication is setup correctly.

In your URLconf, add the view to the endpoint you want it at.

from rest_framework_sav.views import session_auth_view

urlpatterns += [
    url(r'^auth-session/$', session_auth_view)
]

In production, make sure to serve this view only over HTTPS.

Usage

To login, send a POST request with username and password fields to the endpoint. Successful attempts will return with HTTP status 200, and a JSON message in the response body.

{'detail': 'Session login successful.'}

The view will call Django's login method if it passes the authenticate method, setting the session cookie on the client, and providing a CSRF token. Unsuccessful attempts will return with HTTP status 400, and a JSON message with more detail in the response body.

To logout, simply send a DELETE request to the endpoint. The view will call Django's logout method, invalidating the current session. Whilst sending a DELETE request without authenticating will not cause an error, session authentication must be used in order to have an effect, and this will require a CSRF token to be sent.

Future enhancements

  • More informative error status codes other than 400.
  • Implement throttle setting.
You can’t perform that action at this time.