In [None]:
## Authentication
Authentication is the mechanism of associating an incoming request with a set of identifying 
credentials, such as the user the request came from, or the token that it was signed with. 
The permission and throttling policies can then use those credentials to determine if the request 
should be permitted.
Authentication is always run at the very start of the view, before the permission and throttling checks 
occur, and before any other code is allowed to proceed.

In [None]:
REST framework provides a number of authentication schemes out of the box, and also allows you to 
implement custom schemes.
1) BasicAuthentication
2) SessionAuthentication
3) TokenAuthentication
4) RemoteUserAuthentication
5) Custom authentication

In [None]:
BasicAuthentication

Basic authentication is a simple and widely used authentication method for securing RESTful APIs. 
It involves sending a username and password with each request to the API, typically in an 
Authorization header.
This authentication scheme uses HTTP Basic Authentication, signed against a user's 
username and password. 
Basic authentication is generally only appropriate for testing: the header carries the username and 
password base64-encoded, not encrypted, so anyone who can read the request can recover them unless 
the connection uses HTTPS.
If successfully authenticated, BasicAuthentication provides the following credentials.
request.user will be a Django User instance.
request.auth will be None.
Unauthenticated responses that are denied permission will result in an HTTP 401 Unauthorized response 
with an appropriate WWW-Authenticate header. For example:
WWW-Authenticate: Basic realm="api"

In [None]:
SessionAuthentication
This authentication scheme uses Django's default session backend for authentication. Session
authentication is appropriate for AJAX clients that are running in the same session context as your 
website.
It involves the server creating and managing a session for each authenticated user. 
If successfully authenticated, SessionAuthentication provides the following credentials.
request.user will be a Django User instance.
request.auth will be None.
Unauthenticated responses that are denied permission will result in an HTTP 403 Forbidden response.

In [None]:
TokenAuthentication
This authentication scheme uses a simple token-based HTTP Authentication scheme. Token authentication
is appropriate for client-server setups, such as native desktop and mobile clients.
To use the TokenAuthentication scheme you'll need to configure the authentication classes to include
TokenAuthentication, and additionally include rest_framework.authtoken in your INSTALLED_APPS setting:
INSTALLED_APPS = [
    ...
    'rest_framework.authtoken'
]
Note: Make sure to run manage.py migrate after changing your settings. 
The rest_framework.authtoken app provides Django database migrations.

You'll also need to create tokens for your users.
from rest_framework.authtoken.models import Token
token = Token.objects.create(user=...)
print(token.key)

For clients to authenticate, the token key should be included in the Authorization HTTP header.
The key should be prefixed by the string literal "Token", with whitespace separating the two strings.
For example:
Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b
    
If successfully authenticated, TokenAuthentication provides the following credentials.
request.user will be a Django User instance.
request.auth will be a rest_framework.authtoken.models.Token instance.
Unauthenticated responses that are denied permission will result in an HTTP 401 Unauthorized response 
with an appropriate WWW-Authenticate header. For example:
WWW-Authenticate: Token
The http command line tool (HTTPie) may be useful for testing token-authenticated APIs. For example:
http http://127.0.0.1:8000/studentapi/ 'Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b'
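
The header rules described above, as an added example that is not REST framework's own code: a standard-library model of how a token authenticator separates "not my scheme" from "malformed or invalid token", and how both end in a 401 with a WWW-Authenticate challenge. The names authenticate, respond, Credentials and TOKENS are hypothetical, and the token store is constructed sample data.

```python
# Added example: a stdlib-only model of token header handling; not DRF source code.
from dataclasses import dataclass
from typing import Optional

KEYWORD = "Token"

# Constructed sample data: token key -> username (DRF keeps these in its Token table).
TOKENS = {"9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b": "alice"}


class AuthenticationFailed(Exception):
    """Maps to HTTP 401 with a 'WWW-Authenticate: Token' header."""
    status_code = 401
    www_authenticate = KEYWORD


@dataclass
class Credentials:
    user: str   # stands in for request.user
    auth: str   # stands in for request.auth (the token)


def authenticate(headers: dict) -> Optional[Credentials]:
    """Return Credentials, None (scheme not attempted), or raise AuthenticationFailed."""
    parts = headers.get("Authorization", "").split()
    # No header, or a different scheme such as Basic: let another authenticator try.
    if not parts or parts[0].lower() != KEYWORD.lower():
        return None
    if len(parts) == 1:
        raise AuthenticationFailed("Invalid token header. No credentials provided.")
    if len(parts) > 2:
        raise AuthenticationFailed("Invalid token header. Token string should not contain spaces.")
    user = TOKENS.get(parts[1])
    if user is None:
        raise AuthenticationFailed("Invalid token.")
    return Credentials(user=user, auth=parts[1])


def respond(headers: dict) -> tuple:
    """Return (status, response headers) for a view that requires an authenticated user."""
    try:
        creds = authenticate(headers)
    except AuthenticationFailed as exc:
        return exc.status_code, {"WWW-Authenticate": exc.www_authenticate}
    if creds is None:
        # Unauthenticated and denied permission: 401 plus the challenge header.
        return 401, {"WWW-Authenticate": KEYWORD}
    return 200, {}
```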

In [None]:
Generate Token

Using Admin Application
Using Django manage.py command
	python manage.py drf_create_token <username> - This command returns the API token for the given 
	user, or creates a token if one doesn't exist for the user.
By exposing an API endpoint
Using Signals

In [None]:
How a Client Can Request a Token

When using TokenAuthentication, you may want to provide a mechanism for clients to obtain a token 
given the username and password.
REST framework provides a built-in view to provide this behavior. To use it, add the 
obtain_auth_token view to your URLconf:
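from django.urls import path
from rest_framework.authtoken.views import obtain_auth_token

# POSTing a valid username and password to this route returns the user's token.
urlpatterns = [
    path('gettoken/', obtain_auth_token)
]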
The obtain_auth_token view will return a JSON response when valid username and password fields are 
POSTed to the view using form data or JSON:
http POST http://127.0.0.1:8000/gettoken/ username="name" password="pass"
{ 'token' : '9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' }