Added JWT authentication, initial roles and permissions #5
programs/apps/api/authentication.py

Use .get() here to avoid KeyErrors. If the key is missing, raise DRF's AuthenticationFailed exception.
@rlucioni thanks for feedback - addressed your comments in a fixup.

👍
programs/apps/api/v1/views.py

Make these the default authentication class and permissions in settings.
good idea, done
Why not use session authentication for the browseable API?

@clintonb main reason to disable session auth is to avoid the need for CSRF protection.

@clintonb updated with minor improvements to authentication settings.

@jimabramson what's the harm in CSRF? What, if anything, do we gain from trying to work around de-facto standard behavior?

@clintonb do you have a suggestion for how to pass / use csrf tokens when the client is using JWT authentication?
Session authentication is only used for the browseable API, and all of
@clintonb last fixup adds session authentication and removes the query string / redirection hackery. I've verified that requests using session auth require a CSRF token, but JWT auth requests do not. hooray, less code. thanks for the help!
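An added example, not code from this PR, illustrating the two points raised in the thread: reading token claims with .get() and raising DRF's AuthenticationFailed instead of letting a KeyError escape, and the settings defaults that combine JWT and session authentication (DRF's SessionAuthentication enforces CSRF on unsafe methods, the token class does not). The claim names and the JWT authentication class path are assumptions; if djangorestframework is not installed, a stand-in exception class is used so the example runs stand-alone.

```python
import time

try:
    from rest_framework.exceptions import AuthenticationFailed
except ImportError:  # assumption: DRF may not be installed where this runs
    class AuthenticationFailed(Exception):
        """Stand-in for rest_framework.exceptions.AuthenticationFailed."""

# Assumed claim names; the PR does not list the id_token claims it reads.
REQUIRED_CLAIMS = ("username", "email", "exp")


def identity_from_claims(payload, now=None):
    """Return (username, email) from an already verified, decoded JWT payload.

    Every claim is read with .get(), so a missing key becomes AuthenticationFailed
    (a 401 in DRF) rather than an uncaught KeyError, which DRF would turn into a
    500 response.
    """
    if not isinstance(payload, dict):
        raise AuthenticationFailed("Malformed token payload.")
    missing = [c for c in REQUIRED_CLAIMS if payload.get(c) is None]
    if missing:
        raise AuthenticationFailed("Token is missing claims: " + ", ".join(missing))
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthenticationFailed("Token has expired.")
    return payload.get("username"), payload.get("email")


def unsafe_identity_from_claims(payload):
    """The pattern the review rejects: a missing claim raises KeyError."""
    return payload["username"], payload["email"]


# Defaults as the review suggests. DRF's SessionAuthentication enforces a CSRF
# check on unsafe methods; the token-based class does not, which is the
# behaviour verified in the thread. The JWT class path is an assumption
# (djangorestframework-jwt); use whatever JWT backend the project installs.
REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": (
        "rest_framework_jwt.authentication.JSONWebTokenAuthentication",
        "rest_framework.authentication.SessionAuthentication",
    ),
    "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
}
```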
programs/apps/api/v1/views.py

Move both of the authentication and permission declarations to the defaults in settings. The (very few?) classes that need to override them can, but I'd imagine almost all of the endpoints will use the same authentication and permissions.
There is an easier way to create custom permissions: https://courses.stage.edx.org/api/credit/v1/courses/.

Also, the add permission should have been created when the model was created, along with the change and delete permissions.
@clintonb I added a comment in the last commit explaining why the permission is being created explicitly during the migration.
@clintonb cleaned up.

👍
@clintonb @rlucioni Please review.
@ormsbee @nasthagiri FYI.
This adds JWT authentication (and only JWT authentication) for the REST API. A little redirection trick when using the oidc login via browser makes the browseable API usable enough (though it doesn't handle refreshing expired tokens).
I have decided to leave the user model in place, even though it is theoretically not needed. The basic reasoning is that it helps to use Django's APIs for groups and permissions, and perhaps more significantly, doesn't require a major overhaul of the social-auth pipeline / oidc client, which is a piece I've found rather difficult to debug.
At present one can only log in to the API if a properly configured LMS is running to provision the id_tokens. In a separate PR we can modify auto-auth to generate self-issued tokens with long expirations, which should make various kinds of manual/automated testing easier.