Add API token authentication. #9
Comments
Maybe this is what we need: https://github.com/jpulgarin/django-tokenapi I'll just post a request at that repo to allow setting the timeout per token instead of using a Django setting.
First off thanks for the link alanjds; my workplace is now happily using django-tokenapi together with django rest framework! For anyone who wants to follow in our footsteps, you can basically just:
(NOTE: This is the URL your users will use to acquire a token).
With that, all of your API calls will now accept normal (cookie/session-based) Django authentication OR authentication tokens. If you want to not accept normal Django authentication it should be pretty easy to tweak the decorator. Hope this helps someone :-)
Oops, I lied; don't use that decorator, use this one (which has a few extra lines to actually return a ResponseForbidden if the user fails to authenticate):
Awesome! I have found one other bug in my code though (sorry, should have tested better before posting). Can you please change:
(without that fix the normal authentication flow fails).
Hey @machineghost I'm trying to understand the changes you made to
It's been nine months, I've since stopped working on Python, and I have an absolutely terrible memory even for code I wrote yesterday, so ... you've been warned. That being said, I think the issue I had was just that
At the moment Basic authentication only supports username/password.
It'd be great if it could also be used with token objects, stored in the database, where each token has a key, a secret, and is tied to a user.
The right way to do this would be to write a standard django auth backend that validates (username, password) arguments against an APIToken table rather than the standard backend which validates it against the User table.
After that I'd modify the BasicAuthentication class, adding a 'backend' attribute, which would be unset by default. If the attribute is not set then the class would simply call 'authenticate(username, password)', otherwise it would call backend.authenticate(username, password).
TokenBasicAuthentication would then simply extend BasicAuthentication, setting 'backend=APITokenBackend'.
It would be nice if the token table didn't get installed by default on syncdb unless it's actually being used.
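The design proposed in this issue, sketched as an added example that is not part of the original issue or the project's code. Plain-Python stand-ins replace Django's `authenticate()` and the token table; the names `TOKENS`, `USERS`, `digest`, `authenticate_header` and `basic_header` are assumptions made for illustration, as are storing only a digest of each secret and instantiating the backend before calling it.

```python
import base64
import hashlib
import hmac

def digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

# Constructed sample data standing in for the database tables.
TOKENS = {"k-123": (digest("s3cret-value"), "alice")}  # key -> (secret digest, user)
USERS = {"alice": digest("alice-password")}            # real Django uses its own hashers

def authenticate(username, password):
    """Stand-in for Django's authenticate() against the User table."""
    stored = USERS.get(username, digest(""))
    ok = hmac.compare_digest(stored, digest(password))
    return username if ok and username in USERS else None

class APITokenBackend:
    """Checks (key, secret) against the token table and returns the token's user."""
    def authenticate(self, username, password):
        # Compare even for unknown keys so timing does not reveal which keys exist.
        expected, user = TOKENS.get(username, (digest(""), None))
        ok = hmac.compare_digest(expected, digest(password))
        return user if ok else None

class BasicAuthentication:
    backend = None  # unset by default: fall back to authenticate()

    def authenticate_header(self, header):
        scheme, _, payload = header.partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            raw = base64.b64decode(payload, validate=True).decode("utf-8")
        except ValueError:  # malformed base64 or invalid UTF-8
            return None
        username, sep, password = raw.partition(":")
        if not sep:
            return None
        if self.backend is None:
            return authenticate(username, password)
        return self.backend().authenticate(username, password)

class TokenBasicAuthentication(BasicAuthentication):
    backend = APITokenBackend

def basic_header(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
```

Because the two classes consult different tables, a user's password is not accepted where a token is expected, and a token is not accepted as a password.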