DRAFT: Allow API tokens in the query string

[jwalgran]

Draft

This is a draft issue, and it will need to clarify specs and formalize what
counts as "done" before work begins on it.

Check with the issue's creator before starting work on this issue.

Overview

Solves 2 issues:

• Allows for more conventional use of the API, where an API key is passed as part of the URL.
• Allows us to avoid an incompatibility between DRF TokenAuthentication and django-rest-swaggar SECURITY_DEFINITIONS type 'apiKey' isn't compatible with rest_framework.authentication.TokenAuthentication marcgibbons/django-rest-swagger#660

This SO answer has an example of subclassing TokenAuthentication to support both query string and header. https://stackoverflow.com/a/29435607

class TokenAuthSupportQueryString(TokenAuthentication):
    """
    Extend the TokenAuthentication class to support querystring authentication
    in the form of "http://www.example.com/?auth_token=<token_key>"
    """
    def authenticate(self, request):
        # Check if 'token_auth' is in the request query params.
        # Give precedence to 'Authorization' header.
        if 'auth_token' in request.QUERY_PARAMS and \
                        'HTTP_AUTHORIZATION' not in request.META:
            return self.authenticate_credentials(request.QUERY_PARAMS.get('auth_token'))
        else:
            return super(TokenAuthSupportQueryString, self).authenticate(request)

Is your feature request related to a problem? Please describe.

A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like

• Subclass TokenAuthentication to check querystring or header.
• Update the RequestLogMiddleware class to check the querystring for a token.

Additional Context

Optional. Add any other context, screenshots, gifs, etc about the feature request here.