request with .force_athenticate() still giving 401

[Massakera]

Checklist

• Raised initially as discussion #...
• This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
• I have reduced the issue to the simplest possible case.

I've been trying to implement a test in a view where my permission_class is (IsAuthenticated) but when I use force_authenticated(request,user=user) it still gives me 401 unauthorized. My testcase:

def test_final_result(self):
    user = User.objects.get(username='test1')
    story_id = Story.objects.get(storyName='testplanning').id
    room_id = PokerRoom.objects.get(name='planning').id
    request = self.client.post(reverse('finalvotes', kwargs={'pk': room_id, 'idStory': story_id}), {'finalResult': '2'}, format='json')
    force_authenticate(request, user=user)
    self.assertEqual(200,request.status_code) 

[Smixi]

My guess is that you're trying to use the client request instead of the APIRequest factory. The client request behave as a web browser, so when you do

    request = self.client.post(reverse('finalvotes', kwargs={'pk': room_id, 'idStory': story_id}), {'finalResult': '2'}, format='json')

the request is performed, your view executed, and result is returned.

If you want to have a request object like in your view, you should use the ApiRequestFactory, not the ClientFactory or RequestsFactory.

This does works :

Example :

from django.test import TestCase
from rest_framework.test import APIRequestFactory, force_authenticate, APIClient
from django.contrib.auth import get_user_model

User = get_user_model()

from testperms.views import UserView
# Create your tests here.
class SimpleTest(TestCase):
    def setUp(self):
        # Every test needs access to the request factory.
        self.factory = APIRequestFactory()
        self.client = APIClient()
        self.user = User.objects.create_user(
            username='jacob', email='jacob@…', password='top_secret')
    # Work
    def test_request_api_request(self):
        request = self.factory.get('/users')
        view = UserView.as_view({'get': 'list'})
        force_authenticate(request, user=self.user)
        response = view(request)

   # DOES NOT WORK
    def test_request_client(self):
        request = self.client.get('/users/')
        view = UserView.as_view({'get': 'list'})
        force_authenticate(request, user=self.user)
        response = view(request)

[Smixi]

@Massakera did it worked for you ?

[mschoettle]

In theory his force_authenticate should just be above client.post. However, I ran into the same (or similar) problem.

Edit: Removed my original comment. I realized that I used force_authenticate instead of force_login. Using client.force_login(user=admin_user) works fine. @Massakera: Try force_login before calling client.post.

[Smixi]

Both should work for your purposes, can you share your code if you think it's force_authenticate is buggy ?

[Massakera]

Sorry for delaying the answer! Both solutions did it worked for my code and It was my mistake

[mschoettle]

Both should work for your purposes, can you share your code if you think it's force_authenticate is buggy ?

I looked into it further: I had added a middleware (login required middleware) that checks request.user.is_authenticated. Using force_login it returns True, with force_authenticate it returns False.

I also observed that using SessionAuthentication request.user returns the actual user whereas when using TokenAuthentication it always returns AnonymousUser. After thinking about it it does make sense (since my understanding is that DRF is not providing an auth backend for token authentication, correct me if I am wrong). At the very least the documentation is misleading since it says that request.user will be a Django User instance.