# Reference

- https://www.youtube.com/playlist?list=PLbGui_ZYuhijTKyrlu-0g5GcP9nUp_HlN

![image.png](attachment:8c6020a3-1bd0-4231-860d-86a6e95c5dbe.png)

# Serializer and Serializertion in Django REST Framework

### Python JSON

Python has a built in package called json, which is used to work with json data.
- `dumps(data)` - This is used to convert python object into json string.
- `loads(data)` - This is used to parse json string.

In [8]:
import json

python_data = {'name': 'Sonam', 'roll':101}
json_data = json.dumps(python_data)
print(json_data)
print(type(json_data))

{"name": "Sonam", "roll": 101}
<class 'str'>


In [9]:
import json

parsed_data = json.loads(json_data)
print(parsed_data)
print(type(parsed_data))

{'name': 'Sonam', 'roll': 101}
<class 'dict'>


## Serializer

In Django REST Framework, serializers are responsible for converting complex data such as querysets and model instances to native Python datatypes (called serialization) that can then be easily rendered into JSON, XML or other content types which is
understandable by Front End.

Serializers are also responsible for deserialization which means it allows parsed data to be converted back into complex types, after first validating the incoming data.

A serializer class is very similar to a Django Form and ModelForm class, and includes similar validation flags on the various fields, such as required, max_length and default.

DRF provides a Serializer class which gives you a powerful, generic way to control the output of your responses, as well as a ModelSerializer class which provides a useful shortcut for creating serializers that deal with model instances and querysets.

## How to Create Serializer Class

- Create a separate `serializers.py` file to write all serializers.

<code>
    from rest_framework import serializers
    class StudentSerializer(serializers.Serializer):
        name = serializers.CharField(max_length=100)
        roll = serializers.IntegerField()
        city = serializers.CharField(max_length=100)
</code>

**Remark:** Generally class name is named as model name that is ModelSerialzer

## Serializertion

The process of converting complex data such as querysets and model instances to native Python datatypes are called as Serialization in DRF.

- Creating model instance stu <code> stu = Student.objects.get(id = 1) </code>
- Converting model instance stu to Python Dict / Serializing Object <code>serializer =  StudentSerializer(stu) </code>


- Creating Query Set <code> stu = Student.objects.all() </code>
- Converting Query Set stu to List of Python Dict / Serializing Query Set
<code> serializer = StudentSerializer(stu, many=True) </code>


`serializer.data` gives data in serializer.

`JSONRenderer` is used to render Serialized data into JSON which is understandable by Front End.

<code>
    import JSONRenderer
    from rest_framework.renderers import JSONRenderer
    json_data = JSONRenderer().render(serializer.data)
</code>

![image.png](attachment:c5ea1f14-00e7-4487-af19-1d67d0fe7ce2.png)

`JsonResponse(data, encoder=DjangoJSONEncoder, safe=True, json_dumps_params=None,**kwargs)`

An HttpResponse subclass that helps to create a JSON-encoded response. It inherits most
behavior from its superclass with a couple differences:

- Its default Content-Type header is set to application/json.
- The first parameter, data, should be a dict instance. If the safe parameter is set to False it can be any JSON-serializable object.
- The encoder, which defaults to django.core.serializers.json.DjangoJSONEncoder, will be used to serialize the data.
- The safe boolean parameter defaults to True. If it's set to False, any object can be passed for serialization (otherwise only dict instances are allowed). If safe is True and a non-dict object is passed as the first argument, a TypeError will be raised.
- The json_dumps params parameter is a dictionary of keyword arguments to pass to the json.dumps call used to generate the response.

In [None]:
# rest_project/settings.py:

INSTALLED_APPS = [
    "django.contrib.admin",
    "django.contrib.auth",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django.contrib.messages",
    "django.contrib.staticfiles",
    "rest_framework", # should be added to use DRF
    "api", # app name
]    

In [None]:
# api/models.py:

from django.db import models

# Create your models here.
class Student(models.Model):
    name = models.CharField(max_length=100)
    roll = models.IntegerField()
    city = models.CharField(max_length=100)

In [None]:
# api/admin.py:

from django.contrib import admin
from .models import Student

# Register your models here.
@admin.register(Student)
class StudentAdmin(admin.ModelAdmin):
    list_display = ['id', 'name', 'roll', 'city']

In [None]:
# api/serializers.py:

from rest_framework import serializers

class StudentSerializer(serializers.Serializer):
    id = serializers.IntegerField() # if not specified then id can not be seen in response data
    name = serializers.CharField(max_length=100)
    roll = serializers.IntegerField()
    city = serializers.CharField(max_length=100)
    
# OR

# we can do like this:
from rest_framework import serializers
from .models import Student

class StudentSerializer(serializers.ModelSerializer):
    class Meta:
        model = Student
        fields = ['id', 'name', 'roll', 'city']


In [None]:
# api/views.py:

from django.shortcuts import render

from .models import Student
from .serializers import StudentSerializer
from rest_framework.renderers import JSONRenderer
from django.http import HttpResponse

# Create your views here.

# Model Object - Single Student Data
def student_detail(request, pk) :
    stu = Student.objects.get(id=pk) # complex data
    serializer = StudentSerializer(stu) # complex data converted into python object
    json_data = JSONRenderer().render(serializer.data) # python object is converted into json
    
    return HttpResponse(json_data, content_type='application/json')

# Queryset - All Student Data
def student_list(request) :
    stu = Student.objects.all() # complex data
    serializer = StudentSerializer(stu, many=True) # complex data converted into python object
    json_data = JSONRenderer().render(serializer.data) # python object is converted into json
    
    return HttpResponse(json_data, content_type='application/json')

In [None]:
# api/urls.py:

from django.urls import path
from . import views

urlpatterns = [
    path('stuinfo/<int:pk>', views.student_detail, name = "student_info"),
    path('stuinfo/', views.student_list, name = "all_student_info"),
]

In [None]:
# rest_project/urls.py:

from django.contrib import admin
from django.urls import path, include

urlpatterns = [
    path("admin/", admin.site.urls),
    path("", include("api.urls")),
]


Now let's look at realword scenario where how an app or third party use our API.

Let's say we have a third party app (python app) `third_party_app.py` and this app want to acess data then it will communicate with our api in order to get data:

In [None]:
# third_party_app.py

import requests

URL = "http://127.0.0.1:8000/stuinfo/"

res = requests.get(url = URL) # return json data
data = res.json()

print(data)

We can also use `JsonResponse`:

In [None]:
# api/views.py:

from django.shortcuts import render

from .models import Student
from .serializers import StudentSerializer
from rest_framework.renderers import JSONRenderer
from django.http import HttpResponse, JsonResponse

# Create your views here.

# Model Object - Single Student Data
def student_detail(request, pk) :
    stu = Student.objects.get(id = pk) # complex data
    serializer = StudentSerializer(stu) # complex data converted into python object
    
    return JsonResponse(serializer.data) # by default safe=True 
    # here serializer.data is dict

# Queryset - All Student Data
def student_list(request) :
    stu = Student.objects.all() # complex data
    serializer = StudentSerializer(stu, many=True) # complex data converted into python object
    
    return JsonResponse(serializer.data, safe=False) # here serializer.data is non-dict

    # By default, JsonResponse() only accepts dictionaries.
    # Since serializer.data returns a list (when many=True), we must set safe=False.

If we don't make `safe=False` then we will get an error: `TypeError at /stuinfo/
In order to allow non-dict objects to be serialized set the safe parameter to False.`

**Infact we can do one more thing or even better approach: `Response` objects directly from Django REST Framework, which automatically handles content type and status codes based on the serializer data.**

In [None]:
# api/views.py:

from django.shortcuts import render

from .models import Student
from .serializers import StudentSerializer
from rest_framework.renderers import JSONRenderer
from django.http import HttpResponse, JsonResponse

from rest_framework.response import Response
from rest_framework.decorators import api_view
from rest_framework import status

# Create your views here.

# Model Object - Single Student Data
@api_view(['GET'])
def student_detail(request, pk) :
    try:
        stu = Student.objects.get(id = pk) # complex data
        serializer = StudentSerializer(stu) # complex data converted into python object
        return Response(serializer.data) # DRF handles JSON conversion automatically
    except Student.DoesNotExist:
        return Response({'error': 'Student not found'}, status=404)

# Queryset - All Student Data
@api_view(['GET'])
def student_list(request):
    try:
        stu = Student.objects.all()
        if not stu.exists():
            return Response({"message": "No students found"}, status=status.HTTP_404_NOT_FOUND)
        
        serializer = StudentSerializer(stu, many=True)
        return Response(serializer.data, status=status.HTTP_200_OK)

    except Exception as e:  # Catching any unexpected errors
        return Response({"error": str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)

# DeSerialization and Insert Data Django REST Framework

Serializers are also responsible for deserialization which means it allows parsed data to be converted back into complex types, after first validating the incoming data.

`BytesIO()`:
A stream implementation using an in-memory bytes buffer. It inherits BufferedlOBase. The buffer is discarded when the close method is called.

<code>
    import io
    stream = io.ByteslO(json_data)
</code>

`JSONParser()`:
This is used to parse json data to python native data type.

<code>
    from rest_framework.parsers import JSONParser
    parsed_data = JSONParser().parse(stream)
</code>

- Creating Serializer Object
`serializer = StudentSerializer(data = parsed_data)`

- Validated Data
`serializer.is_valid()`

`serializer.validated_data`: gives valid data

`serializer.errors`: gives error

`@csrf_exempt` is a decorator in Django that disables Cross-Site Request Forgery (CSRF) protection for a specific view.

**Why Do We Need @csrf_exempt?**
- Django by default protects views from CSRF attacks when handling POST, PUT, and DELETE requests.
- However, if your API is receiving requests without a CSRF token (e.g., from an external frontend, Postman, or a mobile app), Django will block the request.
- @csrf_exempt disables this protection for that specific view, allowing requests without a CSRF token.

In [None]:
# api/serializers.py

from rest_framework import serializers
from .models import Student

class StudentSerializer(serializers.Serializer):
    id = serializers.IntegerField()
    name = serializers.CharField(max_length=100)
    roll = serializers.IntegerField()
    city = serializers.CharField(max_length=100)
    
    def create(self, validate_data):
        return Student.objects.create(**validate_data)

In [None]:
# api/views.py

from django.shortcuts import render

from .models import Student
from .serializers import StudentSerializer
from rest_framework.renderers import JSONRenderer
from django.http import HttpResponse, JsonResponse
import io
from rest_framework.parsers import JSONParser
from django.views.decorators.csrf import csrf_exempt

# Create your views here.

@csrf_exempt # Disables CSRF protection for this view
def student_create(request):
    if request.method == 'POST' :
        # Step 1: Convert JSON to Python native data
        json_data = request.body
        stream = io.BytesIO(json_data)
        pythondata = JSONParser().parse(stream) #  converts it into a Python dictionary.

        # Step 2: Deserialize JSON data
        serializer = StudentSerializer(data = pythondata)

        # Step 3: Validate and Save
        if serializer.is_valid(): # checks if the data is valid based on the model fields.
            serializer.save() # Saves to DB or creates a new Student object in the database.
            res = {'msg': 'data created'}
            json_data = JSONRenderer().render(res)
            return HttpResponse(json_data, content_type='application/json')
            # We can also use Response() or JSONResponse()
            
        json_data = JSONRenderer().render(serializer.errors)
        return HttpResponse(json_data, content_type='application/json')

In [None]:
# api/urls.py

from django.urls import path
from . import views

urlpatterns = [
    path('stucreate/', views.student_create, name = "student_create"),
]

In [None]:
# third_party_app.py:

import requests
import json

URL = "http://127.0.0.1:8000/stucreate/"

data = {
    "name": "rakesh",
    "roll": 105,
    "city": "indore"
}

json_data = json.dumps(data) # return json data
res = requests.post(url = URL, data = json_data)
data = res.json()
print(data)


**Why is @csrf_exempt Used Here?**
- This function-based view (student_create) is handling POST requests.
- Django expects a CSRF token when handling a POST request in templates (forms).
- Since this is a REST API, clients (like Postman or mobile apps) won't send a CSRF token.
- Without @csrf_exempt, Django will reject the request with a 403 Forbidden error.

**When Should You NOT Use @csrf_exempt?**
- Disabling CSRF protection makes your API vulnerable to Cross-Site Request Forgery (CSRF) attacks.
Use @csrf_exempt only when necessary, and never for views that handle user authentication or sensitive data.

**Instead of @csrf_exempt, DRF provides `APIView` and `ViewSet`, which automatically handle CSRF protection only when needed:**

In [None]:
# api/views.py:

# using APIView

from rest_framework.response import Response
from rest_framework.views import APIView
from rest_framework import status
from .models import Student
from .serializers import StudentSerializer

class StudentCreateAPIView(APIView):
    def post(self, request):
        serializer = StudentSerializer(data=request.data)  # DRF handles JSON parsing
        if serializer.is_valid():
            serializer.save()  # Calls `create()` method in serializer
            return Response(serializer.data, status=status.HTTP_201_CREATED)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

# api/urls.py
from django.urls import path
from .views import StudentCreateAPIView

urlpatterns = [
    path('stucreate/', StudentCreateAPIView.as_view(), name='student-create'),
]


In [None]:
# api/views.py:

# using ViewSet

from rest_framework import viewsets
from .models import Student
from .serializers import StudentSerializer

class StudentViewSet(viewsets.ModelViewSet):
    queryset = Student.objects.all()  # Fetch all Student objects
    serializer_class = StudentSerializer  # Use the StudentSerializer for data conversion



# api/urls.py
from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet

# Create a router and register the viewset
router = DefaultRouter()
router.register(r'students', StudentViewSet, basename='studentapi')  # The 'students' endpoint will handle CRUD for students

urlpatterns = [
    path('', include(router.urls)),  # Automatically include the URLs for the registered ViewSet
]


You don't need to write custom logic for `parsing JSON`, `validation`, or `saving` the student — `ModelViewSet` handles that for you.

**Also Instead of manually defining fields and the create() method, you can use ModelSerializer, which automatically handles these:**

In [None]:
# api/serializers.py:

from rest_framework import serializers
from .models import Student

class StudentSerializer(serializers.ModelSerializer):
    class Meta:
        model = Student
        fields = '__all__'  # Automatically maps model fields

    # You can add custom validation to ensure data integrity:
    def validate_age(self, value):
        """Ensure age is a positive number."""
        if value <= 0:
            raise serializers.ValidationError("Age must be greater than zero.")
        return value
    # This Method is automatically invoked when is_valid() method is called


# CRUD API using Function Based View and Class Based View in Django REST Framework

In [None]:
# api/models.py

from django.db import models

# Create your models here.
class Student(models.Model) :
    name = models.CharField(max_length=100)
    roll = models.IntegerField()
    city = models.CharField(max_length=100)

In [None]:
# api/admin.py

from django.contrib import admin
from .models import Student

# Register your models here.
@admin.register(Student)
class StudentAdmin(admin.ModelAdmin):
    list_display = ['id', 'name', 'roll', 'city']

In [None]:
# api/serializers.py:

from rest_framework import serializers
from .models import Student

class StudentSerializer(serializers.Serializer):
    #id = serializers.IntegerField()
    name = serializers.CharField(max_length=100)
    roll = serializers.IntegerField()
    city = serializers.CharField(max_length=100)
    
    def create(self, validate_data):
        return Student.objects.create(**validate_data)
    
    def update(self, instance, validated_data): 
        instance.name = validated_data.get('name', instance.name)
        instance.roll = validated_data.get('roll', instance.roll)
        instance.city = validated_data.get('city', instance.city)
        instance.save()
        return instance

        # instance is old data stored in DB
        # validated_data is new data from user for updation

In [None]:
# api/urls.py:

from django.urls import path
from . import views

urlpatterns = [  
    path('studentapi/', views.student_api),
]

In [None]:
# api/views.py:


from django.shortcuts import render

from .models import Student
from .serializers import StudentSerializer
from rest_framework.renderers import JSONRenderer
from django.http import HttpResponse, JsonResponse
import io
from rest_framework.parsers import JSONParser
from rest_framework.response import Response
from rest_framework.decorators import api_view
from django.views.decorators.csrf import csrf_exempt

# Create your views here.

# creating api to perform CRUD

@csrf_exempt
def student_api(request):
    if request.method == 'GET':
        json_data = request.body
        print(json_data)
        stream = io.BytesIO(json_data)
        print(stream)
        pythondata = JSONParser().parse(stream)
        print(pythondata)
        id = pythondata.get('id', None)
        
        if id is not None:
            stu = Student.objects.get(id = id)
            serializer = StudentSerializer(stu)
            # By default, serializers must be passed values for all required fields or they
            # will raise validation errors.
            
            json_data = JSONRenderer().render(serializer.data)
            return HttpResponse(json_data, content_type='application/json')
        
        stu = Student.objects.all()
        serializer = StudentSerializer(stu, many=True)
        json_data = JSONRenderer().render(serializer.data)
        return HttpResponse(json_data, content_type='application/json')
    
    if request.method == 'POST':
        json_data = request.body
        stream = io.BytesIO(json_data)
        pythondata = JSONParser().parse(stream)
        serializer = StudentSerializer(data = pythondata)
        if serializer.is_valid():
            serializer.save()
            res = {'msg': 'Data Created'}
            json_data = JSONRenderer().render(res)
            return HttpResponse(json_data, content_type='application/json')
        
        json_data = JSONRenderer().render(serializer.errors)
        return HttpResponse(json_data, content_type='application/json')
    
    if request.method == 'PUT':
        json_data= request.body
        stream = io.BytesIO(json_data)
        pythondata = JSONParser().parse(stream)
        id = pythondata.get('id')
        stu = Student.objects.get(id=id)
        serializer = StudentSerializer(stu, data=pythondata, partial=True)
        if serializer.is_valid():
            serializer.save()
            res = {'msg': 'Data Updated !!'}
            json_data = JSONRenderer().render(res)
            return HttpResponse(json_data, content_type='application/json')
        json_data = JSONRenderer().render(serializer.errors)
        return HttpResponse(json_data, content_type='application/json')
    
    if request.method == 'DELETE':
        json_data = request.body
        stream = io.BytesIO(json_data)
        pythondata = JSONParser().parse(stream)
        id = pythondata.get('id')
        stu = Student.objects.get(id=id)
        stu.delete()
        res = {'msg': 'Data Deleted!!'}
        json_data = JSONRenderer().render(res)
        return HttpResponse(json_data, content_type='application/json')

In [None]:
# third_party_app.py:

import requests
import json
URL = "http://127.0.0.1:8000/studentapi/"

def get_data(id = None):
    data = {}
    if id is not None:
        data = {'id': id}
    json_data = json.dumps(data)
    res = requests.get(url = URL, data = json_data)
    data = res.json()
    print (data)

def post_data():
    data = {
        "name": "mohit",
        "roll": 101,
        "city": "dehradun"
    }
    json_data = json.dumps(data)
    res = requests.post(url = URL, data = json_data)
    data = res.json()
    print(data)

def update_data():
    data = {
        "id": 14,
        "name": "ravi",
        "city": "dehradun"
    }
    json_data = json.dumps(data)
    res = requests.put(url = URL, data = json_data)
    data = res.json()
    print(data)

def delete_data():
    data = {'id': 14}
    json_data = json.dumps(data)
    res = requests.delete(url = URL, data = json_data)
    data = res.json()
    print(data)

# get_data()
# post_data()
# update_data()
# delete_data()

We can do the same thing using class based views and for that we will have to make changes in `views.py` and `urls.py`.

In [None]:
# api/views.py:


from django.shortcuts import render

from .models import Student
from .serializers import StudentSerializer
from rest_framework.renderers import JSONRenderer
from django.http import HttpResponse, JsonResponse
import io
from rest_framework.parsers import JSONParser
from rest_framework.response import Response
from rest_framework.decorators import api_view
from django.views.decorators.csrf import csrf_exempt

from django.utils.decorators import method_decorator
from django.views import View

# Create your views here.

#------------class based views

@method_decorator(csrf_exempt, name="dispatch")
class StudentAPI(View):
    def get(self, request, *args, **kwargs):
        json_data = request.body
        stream = io.BytesIO(json_data)
        pythondata = JSONParser().parse(stream)
        print(pythondata)
        id = pythondata.get('id', None)
        
        if id is not None:
            stu = Student.objects.get(id = id)
            serializer = StudentSerializer(stu)
            json_data = JSONRenderer().render(serializer.data)
            return HttpResponse(json_data, content_type='application/json')
        
        stu = Student.objects.all()
        serializer = StudentSerializer(stu, many=True)
        json_data = JSONRenderer().render(serializer.data)
        return HttpResponse(json_data, content_type='application/json')
    
    def post(self, request, *args, **kwargs):
        json_data = request.body
        stream = io. BytesIO(json_data)
        pythondata = JSONParser().parse(stream)
        serializer = StudentSerializer(data = pythondata)
        if serializer.is_valid():
            serializer.save()
            res = {'msg': 'Data Created'}
            json_data = JSONRenderer().render(res)
            return HttpResponse(json_data, content_type='application/json')
        
        json_data = JSONRenderer().render(serializer.errors)
        return HttpResponse(json_data, content_type='application/json')
    
    def put(self, request, *args, **kwargs):
        json_data= request.body
        stream = io.BytesIO(json_data)
        pythondata = JSONParser().parse(stream)
        id = pythondata.get('id')
        stu = Student.objects.get(id=id)
        serializer = StudentSerializer(stu, data=pythondata, partial=True)
        if serializer.is_valid():
            serializer.save()
            res = {'msg': 'Data Updated !!'}
            json_data = JSONRenderer().render(res)
            return HttpResponse(json_data, content_type='application/json')
        json_data = JSONRenderer().render(serializer.errors)
        return HttpResponse(json_data, content_type='application/json')
    
    def delete(self, request, *args, **kwargs):
        json_data = request.body
        stream = io.BytesIO(json_data)
        pythondata = JSONParser().parse(stream)
        id = pythondata.get('id')
        stu = Student.objects.get(id=id)
        stu.delete()
        res = {'msg': 'Data Deleted!!'}
        json_data = JSONRenderer().render(res)
        return HttpResponse(json_data, content_type='application/json')

In [None]:
# api/urls.py

from django.urls import path
from . import views

urlpatterns = [
    path('studentapi/', views.StudentAPI.as_view()),
]

### Better Approach: Using Django REST Framework's APIView

1. Exception handling (get_object_or_404 instead of try/except)
2. Secure request methods without needing @csrf_exempt

In [None]:
# api/serializers.py:

from rest_framework import serializers
from .models import Student

class StudentSerializer(serializers.ModelSerializer):
    class Meta:
        model = Student
        fields = '__all__'  # Includes all model fields automatically


In [None]:
# api/views.py:

from rest_framework.views import APIView
from rest_framework.response import Response
from rest_framework import status
from django.shortcuts import get_object_or_404
from .models import Student
from .serializers import StudentSerializer

class StudentAPIView(APIView):
    def get(self, request):
        student_id = request.GET.get('id')  # Get 'id' from query parameters

        if student_id:
            student = get_object_or_404(Student, id=student_id)
            serializer = StudentSerializer(student)
        else:
            students = Student.objects.all()
            serializer = StudentSerializer(students, many=True)
        
        return Response(serializer.data)

    def post(self, request):
        serializer = StudentSerializer(data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Data Created'}, status=status.HTTP_201_CREATED)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

    def put(self, request):
        student_id = request.data.get('id')
        student = get_object_or_404(Student, id=student_id)

        serializer = StudentSerializer(student, data=request.data, partial=True)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Data Updated !!'})
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

    def delete(self, request):
        student_id = request.data.get('id')
        student = get_object_or_404(Student, id=student_id)
        student.delete()
        return Response({'msg': 'Data Deleted!!'}, status=status.HTTP_204_NO_CONTENT)


### Best Approach: Use DRF ViewSet With Routers

For even less code and automatic URL routing, use `ViewSet` and `Router`.

In [None]:
# api/views.py:

from rest_framework import viewsets
from .models import Student
from .serializers import StudentSerializer

class StudentViewSet(viewsets.ModelViewSet):
    queryset = Student.objects.all() # var name should be same
    serializer_class = StudentSerializer # var name should be same


In [None]:
# urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet

# Create a router and register the StudentViewSet
router = DefaultRouter()
router.register(r'students', StudentViewSet, basename='studentapi')  # This creates routes for CRUD operations on students

# Define URL patterns for the app
urlpatterns = [
    path('', include(router.urls)),  # Include the automatically generated URLs from the router
]

![image.png](attachment:8fed1faa-f6e5-4a23-aa08-2e273fe9403b.png)

**Why ViewSet is the Best?**
- Automatically handles GET, POST, PUT, DELETE
- No need for id in `request.data` – DRF handles it in URLs
- Clean and minimal code

# Validation in Django REST Framework

### Field Level Validation
- We can specify custom field-level validation by adding `validate_fieldName()` methods to your Serializer subclass.
- These are similar to the `clean_fieldName` methods on Django forms.
- `validate_fieldName()` methods should return the validated value or raise a `serializers.ValidationError`

In [None]:
# api/serializers.py

from rest_framework import serializers
from .models import Student

class StudentSerializer(serializers.Serializer):
    #id = serializers.IntegerField()
    name = serializers.CharField(max_length=100)
    roll = serializers.IntegerField()
    city = serializers.CharField(max_length=100)
    
    def create(self, validate_data):
        return Student.objects.create(**validate_data)
    
    def update(self, instance, validated_data):
        instance.name = validated_data.get('name', instance.name)
        instance.roll = validated_data.get('roll', instance.roll)
        instance.city = validated_data.get('city', instance.city)
        instance.save()
        return instance
    
    # Field Lavel Validation
    def validate_roll(self, value): # should be name as validate_field
        if value >= 200:
            raise serializers.ValidationError('Seat Full')
        return value
    # function will be called by post() of views.py when this line of code is executed: if serializer.is_valid()

### Object Level Validation

When we need to do validation that requires access to multiple fields we do object level validation by adding a method called `validate()` to Serializer subclass.

- It raises a `serializers.ValidationError` if necessary, or just return the validated values.

In [None]:
# api/serializers.py

from rest_framework import serializers
from .models import Student

class StudentSerializer(serializers.Serializer):
    #id = serializers.IntegerField()
    name = serializers.CharField(max_length=100)
    roll = serializers.IntegerField()
    city = serializers.CharField(max_length=100)
    
    def create(self, validate_data):
        return Student.objects.create(**validate_data)
    
    def update(self, instance, validated_data):
        instance.name = validated_data.get('name', instance.name)
        instance.roll = validated_data.get('roll', instance.roll)
        instance.city = validated_data.get('city', instance.city)
        instance.save()
        return instance
    
    # Field Lavel Validation
    def validate_roll(self, value): # should be name as validate_field
        if value >= 200:
            raise serializers.ValidationError('Seat Full')
        return value
    # function will be called by post() of views.py when this line of code is executed: if serializer.is_valid()
    
    # Object Level Validation
    def validate(self, data):
        nm = data.get('name')
        ct = data.get('city')
        if nm.lower() == 'rohit' and ct.lower() != 'ranchi' :
            raise serializers.ValidationError('City must be Ranchi')
        return data


### Validators
Most of the time you're dealing with validation in REST framework you'll simply be relying on the default field validation, or writing explicit validation methods on serializer or field classes.

However, sometimes you'll want to place your validation logic into reusable components, so that it can easily be reused throughout your codebase. This can be achieved by using validator functions and validator classes.

REST framework the validation is performed entirely on the serializer class. This is advantageous for the following reasons:
- It introduces a proper separation of concerns, making your code behavior more obvious.
- It is easy to switch between using shortcut `ModelSerializer` classes and using explicit Serializer classes. Any validation behavior being used for ModelSerializer is simple to eplicate.
- Printing the `repr()` of a serializer instance will show you exactly what validation rules it applies. There's no extra hidden validation behavior being called on the model instance.
- When you're using `ModelSerializer` all of this is handled automatically for you. If you want to drop down to using Serializer classes instead, then you need to define the validation rules explicitly.


In [None]:
# api/serializers.py

from rest_framework import serializers
from .models import Student

# validators
def start_with_r(value) :
    if value[0].lower() != 'r':
        raise serializers.ValidationError('Name should be start with R')

class StudentSerializer(serializers.Serializer):
    #id = serializers.IntegerField()
    name = serializers.CharField(max_length=100, validators=[start_with_r])
    roll = serializers.IntegerField()
    city = serializers.CharField(max_length=100)
    
    def create(self, validate_data):
        return Student.objects.create(**validate_data)
    
    def update(self, instance, validated_data):
        instance.name = validated_data.get('name', instance.name)
        instance.roll = validated_data.get('roll', instance.roll)
        instance.city = validated_data.get('city', instance.city)
        instance.save()
        return instance
    
    # Field Lavel Validation
    def validate_roll(self, value): # should be name as validate_field
        print("field")
        if value >= 200:
            raise serializers.ValidationError('Seat Full')
        return value
    # function will be called by post() of views.py when this line of code is executed: if serializer.is_valid()
    
    # Object Level Validation
    def validate(self, data):
        print("object")
        nm = data.get('name')
        ct = data.get('city')
        if nm.lower() == 'rohit' and ct.lower() != 'ranchi' :
            raise serializers.ValidationError('City must be Ranchi')
        return data

**Note:** Priority of field,object level and validators in validation are: `validators > field > object` that is first validators will be checked then field and then object.


# ModelSerializer in Django REST Framework

The ModelSerializer class provides a shortcut that lets you automatically create a Serializer class with fields that correspond to the Model fields.

The ModelSerializer class is the same as a regular Serializer class, except that:
- It will automatically generate a set of fields for you, based on the model.
- It will automatically generate validators for the serializer, such as `unique_together` validators.
- It includes simple default implementations of create and update.

In [None]:
# api/serializers.py

from rest_framework import serializers
from .models import Student    

class StudentSerializer(serializers.ModelSerializer):
    class Meta:
        model = Student
        fields = ['name', 'roll', 'city']
        
        # fields = '__all__'
        # exclude = ['roll']
        
# OR-----------------------------

class StudentSerializer(serializers.ModelSerializer):
    name = serializers.CharField(read_only=True)
    class Meta:
        model = Student
        fields = ['name', 'roll', 'city']
        
# OR-----------------------------

class StudentSerializer(serializers.ModelSerializer):
    
    class Meta:
        model = Student
        fields = ['name', 'roll', 'city']
        read_only_fields = ['name','roll']
        
# OR-----------------------------

class StudentSerializer(serializers.ModelSerializer):
    
    class Meta:
        model = Student
        fields = ['name', 'roll', 'city']

        extra_kwargs = {'name': {'read_only': True}, 'roll': {'read_only': True}}

**Validators will remain the same:**

In [None]:
# api/serializers.py

from rest_framework import serializers
from .models import Student    

class StudentSerializer(serializers.ModelSerializer):
    
    # validators
    def start_with_r(value) :
        if value[0].lower() != 'r':
            raise serializers.ValidationError('Name should be start with R')
            
    name = serializers.CharField(validators = [start_with_r])
    
    class Meta:
        model = Student
        fields = ['name', 'roll', 'city']
        
    # Field Lavel Validation
    def validate_roll(self, value): # should be name as validate_field
        print("field")
        if value >= 200:
            raise serializers.ValidationError('Seat Full')
        return value
    # function will be called by post() of views.py when this line of code is executed: if serializer.is_valid()
    
    # Object Level Validation
    def validate(self, data):
        print("object")
        nm = data.get('name')
        ct = data.get('city')
        if nm.lower() == 'rohit' and ct.lower() != 'ranchi' :
            raise serializers.ValidationError('City must be Ranchi')
        return data

# Function Based API View in Django REST Framework

This wrapper provide a few bits of functionality such as making sure you receive Request instances in your view, and adding context to Response objects so that content negotiation can be
performed.

The wrapper also provide behaviour such as returning 405 Method Not Allowed responses when
appropriate, and handling any ParseError exceptions that occur when accessing request.data with
malformed input.

By default only GET methods will be accepted. Other methods will respond with "405 Method
Not Allowed".

### Request
REST framework's Request objects provide flexible request parsing that allows you to treat requests with JSON data or other media types in the same way that you would normally deal with form data.

`request.data` - request.data returns the parsed content of the request body. This is similar to the standard request. POST and request.FILES attributes except that:

- It includes all parsed content, including file and non-file inputs.
- It supports parsing the content of HTTP methods other than POST, meaning that you can access the content of PUT and PATCH requests.
- It supports REST framework's flexible request parsing, rather than just supporting form data. For example you can handle incoming JSON data in the same way that you handle incoming form data.

`request.method` - request.method returns the uppercased string representation of the request's HTTP method.

Browser-based PUT, PATCH and DELETE forms are transparently supported.

`request.query_params` - request.query_params is a more correctly named synonym for request. GET.

For clarity inside your code, we recommend using request.query_ params instead of the Django's standard request.GET. Doing so will help keep your codebase more correct and obvious - any HTTP method type may include query parameters, not just GET requests.

### Response()

REST framework supports HTTP content negotiation by providing a Response class which allows you to return content that can be rendered into multiple content types, depending on the client request.

Response objects are initialized with data, which should consist of native Python primitives. REST framework then uses standard HTTP content negotiation to determine how it should render the final response content.

Response class simply provides a nicer interface for returning content-negotiated Web API responses, that can be rendered to multiple formats.

**Syntax:**- `Response(data, status=None, template_name=None, headers=None, content_type=None)`

- `data`: The unrendered, serialized data for the response.
- `status`: A status code for the response. Defaults to 200.
- `template_ name`: A template name to use only if HTMLRenderer or some other custom template accepted renderer for the response.
- `headers`: A dictionary of HTTP headers to use in the response.
- `content_type`: The content type of the response. Typically, this will be set automatically by the renderer as determined by content negotiation, but there may be some cases where you need to specify the content type explicitly.

In [None]:
# views.py

from django.shortcuts import render
from rest_framework. decorators import api_view
from rest_framework.response import Response

@api_view() # is same as @api_view(['GET'])
def hello_world(request):
    return Response(( 'msg': 'Hello World' ))

In [None]:
# views.py

@api_view([ 'GET', 'POST'])
def hello_world(request) :
    if request.method == 'GET':
        return Response({'msg': 'This is GET Request'})
    if request.method == "POST" :
        print(request.data)
        return Response({"msg': 'This is POST Request'})
                         
# OR we can do this also:
                         
@api_view() # is same as @api_view(['GET'])
def hello_world(request):
    if request.method == 'GET':
        return Response({'msg': 'This is GET Request'})
                         
@api_view(['POST']) 
def hello_world(request):
    if request.method == "POST" :
        print(request.data)
        return Response({"msg': 'This is POST Request'})

In [None]:
# third_party_app.py

import requests
import json
URL = "http://127.0.0.1:8000/studentapi/"

def get_data(id = None):
    data = {}
    if id is not None:
        data = {'id': id}
    json_data = json.dumps(data)
    headers = {'content-Type': 'application/json'}
    res = requests.get(url = URL, headers = headers, data = json_data)
    data = res.json()
    print (data)

def post_data():
    data = {
        "name": "divya",
        "roll": 133,
        "city": "darbhanga"
    }
    json_data = json.dumps(data)
    headers = {'content-Type': 'application/json'}
    res = requests.post(url = URL, headers = headers, data = json_data)
    data = res.json()
    print(data)

def update_data():
    data = {
        "id": 34,
        "name": "ganesh",
        "city": "dehradun"
    }
    json_data = json.dumps(data)
    headers = {'content-Type': 'application/json'}
    res = requests.put(url = URL, headers = headers, data = json_data)
    data = res.json()
    print(data)

def delete_data():
    data = {'id': 33}
    json_data = json.dumps(data)
    headers = {'content-Type': 'application/json'}
    res = requests.delete(url = URL, headers = headers, data = json_data)
    data = res.json()
    print(data)

#get_data()
#post_data()
#update_data()
#delete_data()

**Let's see CRUD using function based API view:**

In [None]:
# api/models.py

from django.db import models

# Create your models here.
class Student(models.Model) :
    name = models.CharField(max_length=100)
    roll = models.IntegerField()
    city = models.CharField(max_length=100)

In [None]:
# api/admin.py

from django.contrib import admin
from .models import Student

# Register your models here.
@admin.register(Student)
class StudentAdmin(admin.ModelAdmin):
    list_display = ['id', 'name', 'roll', 'city']

In [None]:
# api/serializers.py:

from rest_framework import serializers
from .models import Student

class StudentSerializer(serializers.ModelSerializer):
    class Meta:
        model = Student
        fields = ['id', 'name', 'roll', 'city']

In [None]:
# api/urls.py

from django.urls import path
from . import views

urlpatterns = [
    path('studentapi/', views.student_api),
]

In [None]:
# api/views.py

from django.shortcuts import render
from rest_framework.decorators import api_view
from rest_framework.response import Response
from .models import Student
from .serializers import StudentSerializer


@api_view(['GET', 'POST', 'PUT', 'DELETE'])
def student_api(request):
    if request.method == 'GET':
        id = request.data.get('id')
        if id is not None:
            stu = Student.objects.get(id=id)
            serializer = StudentSerializer(stu)
            return Response(serializer.data)
        
        stu = Student.objects.all()
        serializer = StudentSerializer(stu, many=True)
        return Response(serializer.data)
    
    if request.method == 'POST' :
        serializer = StudentSerializer(data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Data Created'})
        return Response(serializer.errors)
    
    if request.method == 'PUT' :
        id = request.data.get('id')
        stu = Student.objects.get(pk=id)
        serializer = StudentSerializer(stu, data=request.data, partial=True)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Data updated'})
        return Response(serializer.errors)
    
    if request.method == 'DELETE' :
        id = request.data.get('id')
        stu = Student.objects.get(pk=id)
        stu.delete()
        return Response({'msg': 'Data Deleted' })

To test this api we have used a python app:

In [None]:
# third_party_app.py

import requests
import json

URL = "http://127.0.0.1:8000/studentapi/"


def get_data(id = None):
    data = {}
    if id is not None:
        data = {'id': id}
    json_data = json.dumps(data)
    headers = {'content-Type': 'application/json'}
    res = requests.get(url = URL, headers = headers, data = json_data)
    data = res.json()
    print (data)

def post_data():
    data = {
        "name": "prachi",
        "roll": 69,
        "city": "gurgaon"
    }
    json_data = json.dumps(data)
    headers = {'content-Type': 'application/json'}
    res = requests.post(url = URL, headers = headers, data = json_data)
    data = res.json()
    print(data)

def update_data():
    data = {
        "id": 34,
        "name": "gayatri",
        "city": "dehradun"
    }
    json_data = json.dumps(data)
    headers = {'content-Type': 'application/json'}
    res = requests.put(url = URL, headers = headers, data = json_data)
    data = res.json()
    print(data)

def delete_data():
    data = {'id': 12}
    json_data = json.dumps(data)
    headers = {'content-Type': 'application/json'}
    res = requests.delete(url = URL, headers = headers, data = json_data)
    data = res.json()
    print(data)

    
#get_data()
#post_data()
#update_data()
#delete_data()

**To test api on tool like `postman`, `Insomania` or even in `browser` we need to make minor changes in code:**

In [None]:
# api/urls.py

from django.urls import path
from . import views

urlpatterns = [
    path('studentapi/', views.student_api),
    path('studentapi/<int:pk>', views.student_api),
]

In [None]:
# api/views.py

from django.shortcuts import render
from rest_framework.decorators import api_view
from rest_framework.response import Response
from .models import Student
from .serializers import StudentSerializer
from rest_framework import status

@api_view(['GET', 'POST', 'PUT', 'PATCH', 'DELETE'])
def student_api(request, pk = None):
    if request.method == 'GET':
        id = pk
        if id is not None:
            stu = Student.objects.get(id=id)
            serializer = StudentSerializer(stu)
            return Response(serializer.data)
        
        stu = Student.objects.all()
        serializer = StudentSerializer(stu, many=True)
        return Response(serializer.data) # we can set status also
    
    if request.method == 'POST' :
        serializer = StudentSerializer (data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Data Created'}, status = status.HTTP_201_CREATED) 
        return Response(serializer.errors, status = status.HTTP_400_BAD_REQUEST)
    
    if request.method == 'PUT' : # put for complete update
        id = pk
        stu = Student.objects.get(pk=id)
        serializer = StudentSerializer(stu, data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Complete Data updated'}) # we can set status also
        return Response(serializer.errors)
    
    if request.method == 'PATCH' : # patch for partial update
        id = pk
        stu = Student.objects.get(pk=id)
        serializer = StudentSerializer(stu, data=request.data, partial=True)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Partial Data updated'}) # we can set status also
        return Response(serializer.errors)
    
    if request.method == 'DELETE' :
        id = pk
        stu = Student.objects.get(pk=id)
        stu.delete()
        return Response({'msg': 'Data Deleted' }) # we can set status also

# Class Based APIView

REST framework provides an APIView class, which subclasses Django's View class.

APIView classes are different from regular View classes in the following ways:

- Requests passed to the handler methods will be REST framework's Request instances, not Django's HttpRequest instances.
- Handler methods may return REST framework's Response, instead of Django's HttpResponse. The view will manage content negotiation and setting the correct renderer on the response.
- Any APIException exceptions will be caught and mediated into appropriate responses.
- Incoming requests will be authenticated and appropriate permission and/or throttle checks will be run before dispatching the request to the handler method.

In [None]:
# api/views.py:
from django.shortcuts import render
from rest_framework.decorators import api_view
from rest_framework.response import Response
from .models import Student
from .serializers import StudentSerializer
from rest_framework import status
from rest_framework.views import APIView


class StudentAPI(APIView):
    def get (self, request, pk=None, format=None) :
        id = pk
        if id is not None:
            stu = Student.objects.get(id=id)
            serializer = StudentSerializer(stu)
            return Response(serializer.data)
        stu = Student. objects.all()
        serializer = StudentSerializer(stu, many=True)
        return Response(serializer.data)
        
    def post(self, request, format=None):
        serializer = StudentSerializer (data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Data Created'}, status = status.HTTP_201_CREATED) 
        return Response(serializer.errors, status = status.HTTP_400_BAD_REQUEST)

    def put(self, request, pk, format=None):
        id = pk
        stu = Student.objects.get(pk=id)
        serializer = StudentSerializer(stu, data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Complete Data updated'}) # we can set status also
        return Response(serializer.errors)

    def patch(self, request, id, format=None):
        id = pk
        stu = Student.objects.get(pk=id)
        serializer = StudentSerializer(stu, data=request.data, partial=True)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Partial Data updated'}) # we can set status also
        return Response(serializer.errors)

    def delete(self, request, pk, format=None):
        id = pk
        stu = Student.objects.get(pk=id)
        stu.delete()
        return Response({'msg': 'Data Deleted' }) # we can set status also

In [None]:
# api/urls.py

from django.urls import path
from . import views

urlpatterns = [
    path('studentapi/', views.StudentAPI.as_view()),
    path('studentapi/<int:pk>', views.StudentAPI.as_view()),
]

# GenericAPIView and Mixins

This class extends REST framework's APIView class, adding commonly required behavior for standard list and detail views.

**Attributes**
  
- `queryset` - The queryset that should be used for returning objects from this view. Typically, you must either set this attribute, or override the `get_queryset()` method. If you are overriding a view method, it is important that you call `get_queryset()` instead of accessing this property directly, as queryset will get evaluated once, and those results will be cached for all subsequent requests.
- `serializer_class` - The serializer class that should be used for validating and deserializing input, and for serializing output. Typically, you must either set this attribute, or override the `get_serializer_class()` method.
- `lookup_field` - The model field that should be used to for performing object lookup of individual model instances. Defaults to 'pk'.
- `lookup_url_kwarg - The URL keyword argument that should be used for object lookup. The URL conf should include a keyword argument corresponding to this value. If unset this defaults to using the same value as lookup_ field.
- `pagination_class` - The pagination class that should be used when paginating list results. Defaults to the same value as the DEFAULT_PAGINATION_CLASS setting, which is `rest_framework.pagination.PageNumberPagination`. Setting `pagination_class=None` will disable pagination on this view.
- `filter_backends` - A list of filter backend classes that should be used for filtering the queryset. Default to the came value ae the DEFAULT_FILTER_BACKENDS SETTING.

**Methods**
    
- `get_queryset(self)` - It returns the queryset that should be used for list views, and that should be used as the base for lookups in detail views. Defaults to returning the queryset specified by the queryset attribute.

This method should always be used rather than accessing `self.queryset` directly, as `self.queryset` gets evaluated only once, and those results are cached for all subsequent requests.

- `get_object(self)` - It returns an object instance that should be used for detail views. Defaults to using the `lookup_ field` parameter to filter the base queryset.
    
- `get_serializer_class(self)` - It returns the class that should be used for the serializer. Default to returning the `serializer_class` attribute.

- `get_serializer_context(self)` - It returns a dictionary containing any extra context that should be supplied to the serializer. Defaults to including `request`, `view` and `format` keys.

- `get_serializer(self, instance=None, data=None, many=False, partial=False)` - It returns a serializer instance.

- `get_paginated_response(self, data)` - It returns a paginated style Response object.
    
- `paginate_queryset(self, queryset)` - Paginate a queryset if required, either returning a page object, or None if pagination is not configured for this view.

- `filter_queryset(self, queryset)` - Given a queryset, filter it with whichever filter backends are in use, returning a new queryset.

### Mixins

One of the big wins of using class-based views is that it allows us to easily compose reusable bits of behaviour.

The create/retrieve/update/delete operations that we've been using so far are going to be pretty similar for any model-backed API views we create.

Those bits of common behaviour are implemented in REST framework's mixin classes.

The mixin classes provide the actions that are used to provide the basic view behavior.

Note that the mixin classes provide action methods rather than defining the handler methods, such as get and post, directly. This allows for more flexible composition of behavior.

<br>
    
**ListModelMixin**
    
- It provides a `list(request, *args, **kwargs)` method, that implements listing a queryset.
- If the queryset is populated, this returns a 200 OK response, with a serialized representation of the queryset as the body of the response. The response data may optionally be paginated.

<code>
    from rest_framework.mixins import ListModelMixin
    from rest framework.generics import GenericAPIView
    class StudentList(ListModelMixin, GenericAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        def get(self, request, *args, **kwargs):
            return self.list(request, *args, **kwargs)
</code>

<br>

**CreateModelMixin**
- It provides a `create(request, *args, **kwargs)` method, that implements creating and saving a new model instance.
- If an object is created this returns a 201 Created response, with a serialized representation of the object as the body of the response. If the representation contains a key named url, then the Location header of the response will be populated with that value.
- If the request data provided for creating the object was invalid, a 400 Bad Request response will be returned, with the error details as the body of the response.

<code>
    from rest_framework.mixins import CreateModelMixin
    from rest framework.generics import GenericAPIView
    class StudentCreate(CreateModelMixin, GenericAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        def post(self, request, *args, **kwargs):
            return self.create(request, *args, **kwargs)
</code>

<br>

**RetrieveModelMixin**
- It provides a `retrieve(request, *args, **kwargs)` method, that implements returning an existing model instance in a response.
- If an object can be retrieved this returns a 200 OK response, with a serialized representation of the object as the body of the response. Otherwise it will return a 404 Not Found.

<code>
    from rest_framework.mixins import RetrieveModelMixin
    from rest framework.generics import GenericAPIView
    class StudentRetrieve(RetrieveModelMixin, GenericAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        def get(self, request, *args, **kwargs):
            return self.retrieve(request, *args, **kwargs)
</code>

<br>

**UpdateModelMixin**
- It provides a `update(request, *args, **kwargs)` method, that implements updating and saving an existing model instance.
- It also provides a `partial_update(request, *args, **kwargs)` method, which is similar to the update method, except that all fields for the update will be optional. This allows support for HTTP PATCH requests.
- If an object is updated this returns a 200 OK response, with a serialized representation of the object as the body of the response.
- If the request data provided for updating the object was invalid, a 400 Bad Request response will be returned, with the error details as the body of the response.

<code>
    from rest_framework.mixins import UpdateModelMixin
    from rest framework.generics import GenericAPIView
    class StudentUpdate(UpdateModelMixin, GenericAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        def put(self, request, *args, **kwargs):
            return self.update(request, *args, **kwargs)
</code>

<br>

**DestroyModelMixin**
- It provides a `destroy(request, *args, **kwargs)` method, that implements deletion of an existing model instance.
- If an object is deleted this returns a 204 No Content response, otherwise it will return a 404 Not Found.

<code>
    from rest_framework.mixins import DestroyModelMixin
    from rest framework.generics import GenericAPIView
    class StudentDestroy(DestroyModelMixin, GenericAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        def delete(self, request, *args, **kwargs):
            return self.destroy(request, *args, **kwargs)
</code>

In [None]:
# api/urls.py

from django.urls import path
from . import views

urlpatterns = [
    path('studentapi/', views.StudentList.as_view()),
    path('studentapi/', views.StudentCreate.as_view()),
    path('studentapi/<int:pk>', views.StudentRetrieve.as_view()),
    path('studentapi/<int:pk>', views.StudentUpdate.as_view()),
    path('studentapi/<int:pk>', views.StudentDestroy.as_view()),
]

In [None]:
# api/views.py:

from rest_framework.mixins import ListModelMixin, CreateModelMixin, RetrieveModelMixin, UpdateModelMixin, DestroyModelMixin
from rest framework.generics import GenericAPIView



class StudentList(ListModelMixin, GenericAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    def get(self, request, *args, **kwargs):
        return self.list(request, *args, **kwargs)

class StudentCreate(CreateModelMixin, GenericAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        def post(self, request, *args, **kwargs):
            return self.create(request, *args, **kwargs)

class StudentRetrieve(RetrieveModelMixin, GenericAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        def get(self, request, *args, **kwargs):
            return self.retrieve(request, *args, **kwargs)

class StudentUpdate(UpdateModelMixin, GenericAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        def put(self, request, *args, **kwargs):
            return self.update(request, *args, **kwargs)

 class StudentDestroy(DestroyModelMixin, GenericAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        def delete(self, request, *args, **kwargs):
            return self.destroy(request, *args, **kwargs)

We can refactor our views.py and urls.py code: 

In [None]:
# api/urls.py

from django.urls import path
from . import views

urlpatterns = [
    path('studentapi/', views.LCStudentAPI.as_view()),
    path('studentapi/<int:pk>', views.RUDStudentAPI.as_view()),
]

In [None]:
# api/views.py:

from rest_framework.mixins import ListModelMixin, CreateModelMixin, RetrieveModelMixin, UpdateModelMixin, DestroyModelMixin
from rest framework.generics import GenericAPIView



class LCStudentAPI(GenericAPIView, ListModelMixin, CreateModelMixin):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    
    def get(self, request, *args, **kwargs):
        return self.list(request, *args, **kwargs)
    def post(self, request, *args, **kwargs):
            return self.create(request, *args, **kwargs)

class RUDStudentAPI(GenericAPIView, RetrieveModelMixin, UpdateModelMixin, DestroyModelMixin):
        queryset = Student.objects.all
        serializer_class = StudentSerializer

        def get(self, request, *args, **kwargs):
            return self.retrieve(request, *args, **kwargs)

        def put(self, request, *args, **kwargs):
            return self.update(request, *args, **kwargs)

        def delete(self, request, *args, **kwargs):
            return self.destroy(request, *args, **kwargs)        

### What is GenericAPIView?

- GenericAPIView is a base class provided by DRF that offers basic functionality for handling requests and responses.
- It simplifies API development by allowing you to extend it and add mixins for common behaviors like retrieving, creating, updating, and deleting objects.
- It is more flexible than` APIView` and serves as the foundation for DRF’s generic views (e.g., `ListAPIView`, `CreateAPIView`).
                                                                 
**Key Features of GenericAPIView:**
- You can set queryset and serializer_class to automatically fetch and serialize data.
- Adds helper methods: `get_queryset()`, `get_serializer_class()`, `get_serializer()`
- It integrates with DRF’s authentication and permission classes.
- You can combine it with DRF mixins (e.g., `ListModelMixin`, `CreateModelMixin`) to add CRUD functionality.

<br>
    
**Example Without GenericAPIView (Using APIView):**

In [None]:
# api/views.py:

from rest_framework.response import Response
from rest_framework.views import APIView
from .models import Student
from .serializers import StudentSerializer

class StudentListAPIView(APIView):
    def get(self, request):
        students = Student.objects.all()
        serializer = StudentSerializer(students, many=True)
        return Response(serializer.data)


**Problems With This Approach:**
- We manually handle query fetching (Student.objects.all())
- We manually call the serializer (StudentSerializer(students, many=True))
- We lack built-in flexibility to override settings like queryset

<br>

**Refactored Using GenericAPIView:**

In [None]:
# api/views.py:

from rest_framework.generics import GenericAPIView
from rest_framework.response import Response
from .models import Student
from .serializers import StudentSerializer

class StudentListAPIView(GenericAPIView):
    queryset = Student.objects.all()  # DRF handles fetching records
    serializer_class = StudentSerializer  # DRF handles serialization

    def get(self, request):
        serializer = self.get_serializer(self.get_queryset(), many=True)  # Uses DRF's helper methods
        return Response(serializer.data)


**Advantages of Using GenericAPIView:**
- Less boilerplate code → We don’t need to manually query the database.
- Reusable → The queryset and serializer_class can be overridden dynamically.
- Helper methods → get_queryset() and get_serializer() provide flexibility.

<br>

**Using GenericAPIView With Mixins:**

The real power of GenericAPIView comes when combined with mixins. Here’s how you can extend it to create, retrieve, update, and delete records:


In [None]:
# api/views.py:

from rest_framework.generics import GenericAPIView
from rest_framework import mixins
from .models import Student
from .serializers import StudentSerializer

# Handles GET (list) and POST (create)
class StudentListCreateAPIView(mixins.ListModelMixin, mixins.CreateModelMixin, GenericAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

    def get(self, request, *args, **kwargs):
        return self.list(request, *args, **kwargs)  # Uses ListModelMixin

    def post(self, request, *args, **kwargs):
        return self.create(request, *args, **kwargs)  # Uses CreateModelMixin


**Even Better: Use `ListCreateAPIView`**
    
Instead of writing mixins manually, DRF provides pre-built generic views like `ListCreateAPIView`:

In [None]:
# api/views.py:

from rest_framework.generics import ListCreateAPIView, RetrieveUpdateDestroyAPIView
from .models import Student
from .serializers import StudentSerializer

# ListCreateAPIView Handles GET (list) and POST (create)
class StudentListCreateAPIView(ListCreateAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

# RetrieveUpdateDestroyAPIView Handles GET (retrieve), PUT (update), PATCH (partial update), DELETE (destroy)
class StudentRetrieveUpdateDestroyAPIView(RetrieveUpdateDestroyAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer


In [None]:
# api/urls.py:

from django.urls import path
from .views import StudentListCreateAPIView, StudentRetrieveUpdateDestroyAPIView

urlpatterns = [
    path('students/', StudentListCreateAPIView.as_view(), name='student-list-create'),
    path('students/<int:pk>/', StudentRetrieveUpdateDestroyAPIView.as_view(), name='student-retrieve-update-destroy'),
]


**Best Approach?**
- If you only need listing and creating, use `ListCreateAPIView`.
- If you need all CRUD operations, use `RetrieveUpdateDestroyAPIView` as well.
- If you need to retrieve and update a record but NOT delete, use `RetrieveUpdateAPIView`.
- If you need to retrieve and delete a record but NOT update, use `RetrieveDestroyAPIView`.
- If you want even cleaner code, use ViewSet with Router (best for full CRUD).
- If you only need list and retrieve functionality (no create, update, or delete), use `ReadOnlyModelViewSet`:

In [None]:
# api/views.py:

from rest_framework.viewsets import ReadOnlyModelViewSet
from .models import Student
from .serializers import StudentSerializer

class StudentReadOnlyViewSet(ReadOnlyModelViewSet):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer


### Mixin

In Django REST Framework (DRF), mixins provide reusable behaviors for views. Instead of writing full CRUD logic manually, mixins allow you to add only the functionality you need by combining them with `GenericAPIView`.

![image.png](attachment:27e020c3-c32a-4585-b2ae-b342f6590d3f.png)

In [None]:
# api/views.py:

from rest_framework.generics import GenericAPIView
from rest_framework.mixins import (
    ListModelMixin, CreateModelMixin,
    RetrieveModelMixin, UpdateModelMixin, DestroyModelMixin
)
from .models import Student
from .serializers import StudentSerializer

# List and Create (GET, POST)
class StudentListCreateView(ListModelMixin, CreateModelMixin, GenericAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

    def get(self, request, *args, **kwargs):
        return self.list(request, *args, **kwargs)  # Handles GET (list)

    def post(self, request, *args, **kwargs):
        return self.create(request, *args, **kwargs)  # Handles POST (create)

# Retrieve, Update, and Delete (GET by ID, PUT, PATCH, DELETE)
class StudentRetrieveUpdateDestroyView(RetrieveModelMixin, UpdateModelMixin, DestroyModelMixin, GenericAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

    def get(self, request, *args, **kwargs):
        return self.retrieve(request, *args, **kwargs)  # Handles GET (retrieve)

    def put(self, request, *args, **kwargs):
        return self.update(request, *args, **kwargs)  # Handles PUT (update)

    def patch(self, request, *args, **kwargs):
        return self.partial_update(request, *args, **kwargs)  # Handles PATCH (partial update)

    def delete(self, request, *args, **kwargs):
        return self.destroy(request, *args, **kwargs)  # Handles DELETE (destroy)


In [None]:
# api/urls.py:

from django.urls import path
from .views import StudentListCreateView, StudentRetrieveUpdateDestroyView

urlpatterns = [
    path('students/', StudentListCreateView.as_view(), name='student-list-create'),
    path('students/<int:pk>/', StudentRetrieveUpdateDestroyView.as_view(), name='student-retrieve-update-destroy'),
]

**Alternative: Using GenericAPIView Directly**
    
Instead of using mixins separately, DRF provides pre-built generic views that combine them:

![image.png](attachment:fed71926-f43c-45f5-970e-f1defdbde81e.png)

In [None]:
# api/views.py:

from rest_framework.generics import ListCreateAPIView, RetrieveUpdateDestroyAPIView
from .models import Student
from .serializers import StudentSerializer

class StudentListCreateAPIView(ListCreateAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

class StudentRetrieveUpdateDestroyAPIView(RetrieveUpdateDestroyAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer


**Final Thoughts**
- Use mixins if you want more customization and fine control over each method.
- Use generic views (`ListCreateAPIView`, `RetrieveUpdateDestroyAPIView`) if you want shorter, cleaner code.
- Use `ViewSet` + `Routers` for a fully automatic REST API.

# Understanding DRF's Generic Views

Django REST Framework (DRF) provides generic views to simplify CRUD operations. Here are five commonly used ones:

![image.png](attachment:4f6a8260-e0da-40d6-9a85-d3aec867a3ed.png)

In [None]:
# api/views.py:

from rest_framework.generics import ListAPIView, CreateAPIView, RetrieveAPIView, UpdateAPIView, DestroyAPIView
from .models import Student
from .serializers import StudentSerializer

class StudentListAPIView(ListAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer


class StudentCreateAPIView(CreateAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializerr

class StudentRetrieveAPIView(RetrieveAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

class StudentUpdateAPIView(UpdateAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

class StudentDestroyAPIView(DestroyAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

In [None]:
# api/urls.py:

from django.urls import path
from .views import (
    StudentListAPIView, 
    StudentCreateAPIView, 
    StudentRetrieveAPIView, 
    StudentUpdateAPIView, 
    StudentDestroyAPIView
)

urlpatterns = [
    path('students/', StudentListAPIView.as_view(), name='student-list'),
    path('students/create/', StudentCreateAPIView.as_view(), name='student-create'),
    path('students/<int:pk>/', StudentRetrieveAPIView.as_view(), name='student-retrieve'),
    path('students/<int:pk>/update/', StudentUpdateAPIView.as_view(), name='student-update'),
    path('students/<int:pk>/delete/', StudentDestroyAPIView.as_view(), name='student-delete'),
]


**Alternative: Using `RetrieveUpdateDestroyAPIView`**
    
Instead of separate views for retrieve, update, and delete, use RetrieveUpdateDestroyAPIView to handle all three in one.

In [None]:
# api/views.py:

from rest_framework.generics import RetrieveUpdateDestroyAPIView
from .models import Student
from .serializers import StudentSerializer

class StudentRetrieveUpdateDestroyAPIView(RetrieveUpdateDestroyAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer


# api/urls.py:

urlpatterns = [
    path('students/<int:pk>/', StudentRetrieveUpdateDestroyAPIView.as_view(), name='student-detail'),
]

# ViewSet

A ViewSet is a special type of class-based view in Django REST Framework that provides CRUD operations without writing individual methods for each action. Instead of defining separate views for listing, creating, updating, and deleting records, ViewSet groups them into a single class.

<br>

**Why Use ViewSets?**
    
Without ViewSet, you typically write multiple views like this:

In [None]:
class StudentListCreateAPIView(ListCreateAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

class StudentRetrieveUpdateDestroyAPIView(RetrieveUpdateDestroyAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer


Then, manually define URLs:

In [None]:
urlpatterns = [
    path('students/', StudentListCreateAPIView.as_view(), name='student-list-create'),
    path('students/<int:pk>/', StudentRetrieveUpdateDestroyAPIView.as_view(), name='student-detail'),
]


**Using ModelViewSet (Handles Full CRUD)**
                      
ModelViewSet is the most powerful ViewSet because it automatically includes: `list()`, `retrieve()`, `create()`, `update()`, `partial_update()`,`destroy()`

In [None]:
# api/views.py:

from rest_framework.viewsets import ModelViewSet
from .models import Student
from .serializers import StudentSerializer

class StudentViewSet(ModelViewSet):  # 🚀 Handles all CRUD actions
    queryset = Student.objects.all()
    serializer_class = StudentSerializer


In [None]:
# api/urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet

router = DefaultRouter()
router.register(r'students', StudentViewSet, basename='student')

urlpatterns = [
    path('', include(router.urls)),  # 🚀 Automatically generates all URLs
]


**If you only need to list and retrieve records, use `ReadOnlyModelViewSet`:**

In [None]:
# api/views.py:

from rest_framework.viewsets import ReadOnlyModelViewSet

class StudentReadOnlyViewSet(ReadOnlyModelViewSet):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer


### ViewSet (No Automatic Actions)

If you want full control, use `ViewSet` instead of `ModelViewSet`

When using `ViewSet` (not ModelViewSet), it does NOT automatically provide: `list()`, `retrieve()`, `create()`, `update()`, `partial_update()`,`destroy()`.  You must define these methods manually in the `ViewSet` class.

In [None]:
# api/views.py:

from rest_framework.viewsets import ViewSet
from rest_framework.response import Response
from rest_framework import status
from django.shortcuts import get_object_or_404
from .models import Student
from .serializers import StudentSerializer

class StudentViewSet(ViewSet):

    # 1️⃣ List all students (GET /students/)
    def list(self, request):
        students = Student.objects.all()
        serializer = StudentSerializer(students, many=True)
        return Response(serializer.data)

    # 2️⃣ Retrieve a single student (GET /students/<id>/)
    def retrieve(self, request, pk=None):
        student = get_object_or_404(Student, pk=pk)
        serializer = StudentSerializer(student)
        return Response(serializer.data)

    # 3️⃣ Create a new student (POST /students/)
    def create(self, request):
        serializer = StudentSerializer(data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data, status=status.HTTP_201_CREATED)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

    # 4️⃣ Update a student (PUT /students/<id>/)
    def update(self, request, pk=None):
        student = get_object_or_404(Student, pk=pk)
        serializer = StudentSerializer(student, data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data, status=status.HTTP_200_OK)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

    # 5️⃣ Partially update a student (PATCH /students/<id>/)
    def partial_update(self, request, pk=None):
        student = get_object_or_404(Student, pk=pk)
        serializer = StudentSerializer(student, data=request.data, partial=True)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data, status=status.HTTP_200_OK)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

    # 6️⃣ Delete a student (DELETE /students/<id>/)
    def destroy(self, request, pk=None):
        student = get_object_or_404(Student, pk=pk)
        student.delete()
        return Response({'message': 'Student deleted successfully'}, status=status.HTTP_204_NO_CONTENT)


In [None]:
# api/urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet

# Create a router and register the viewset
router = DefaultRouter()
router.register(r'students', StudentViewSet, basename='student')

urlpatterns = [
    path('', include(router.urls)),  # Automatically generates URLs
]


During dispatch, the following attributes are available on the ViewSet:-
- `basename` - the base to use for the URL names that are created.
- `action` - the name of the current action (e.g., list, create).
- `detail` - boolean indicating if the current action is configured for a list or detail view.
- `suffix` - the display suffix for the viewset type - mirrors the detail attribute.
- `name` - the display name for the viewset. This argument is mutually exclusive to suffix.
- `description` - the display description for the individual view of a viewset.

We can use all these atrributes inside method `list()`, `retrieve()`, `create()`, `update()`, `partial_update()` and `destroy()` using `self`. **Syntax: `self.attribute_name`**

# Basic Authentication and Permission 

Currently our API doesn't have any restrictions on who can edit or delete Data. We'd like to have some more advanced behavior in order to make sure that:
- Data is always associated with a creator.
- Only authenticated users may create Data.
- Only the creator of a Data may update or delete it.
- Unauthenticated requests should have full read-only access.

Authentication is the mechanism of associating an incoming request with a set of identifying credentials, such as the user the request came from, or the token that it was signed with. The permission and throttling
policies can then use those credentials to determine if the request should be permitted.

Authentication is always run at the very start of the view, before the permission and throttling checks occur, and before any other code is allowed to proceed.

REST framework provides a number of authentication schemes out - the box, and also allows you to implement custom schemes.
- BasicAuthentication
- SessionAuthentication
- TokenAuthentication
- RemoteUserAuthentication
- Custom authentication

**BasicAuthentication**
- This authentication scheme uses HTTP Basic Authentication, signed against a user's username and password.
- Basic authentication is generally only appropriate for testing.
- If successfully authenticated, Basic Authentication provides the - credentials.
    - request.user will be a Django User instance.
    - request. auth will be None.
        
Unauthenticated responses that are denied permission will result in an HTTP 401 Unauthorized response with an appropriate WWW-Authenticate header. For example: WWW-Authenticate: Basic realm="api"

**Note:** If you use Basic Authentication in production you must ensure that your API is only available over https.
    
You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage.

### Permission

- Permissions are used to grant or deny access for different classes of users to different parts of the API.
- Permission checks are always run at the very start of the view, before any other code is allowed to proceed.
- Permission checks will typically use the authentication information in the `request.user` and `request.auth` properties to determine if the incoming request should be permitted

Permissions in REST framework are always defined as a list of permission classes: 
- AllowAny
- IsAuthenticated
- IsAdminUser
- IsAuthenticatedOrReadOnly
- DjangoModelPermissions
- DjangoModelPermissionsOrAnonReadOnly
- DjangoObjectPermissions
- Custom Permissions

<br>
    
**AllowAny**
- The Allow Any permission class will allow unrestricted access, regardless of if the request was authenticated or unauthenticated.
- This permission is not strictly required, since you can achieve the same result by using an empty list or tuple for the permissions setting, but you may find it useful to specify this class because it makes the intention explicit.

**IsAuthenticated**
- The IsAuthenticated permission class will deny permission to any unauthenticated user, and allow permission otherwise.
- This permission is suitable if you want your API to only be accessible to registered users.

**IsAdminUser**
- The IsAdmin User permission class will deny permission to any user, unless `user.is_staff` is True in which case permission will be allowed.
- This permission is suitable if you want your API to only be accessible to a subset of trusted administrators.

**IsAuthenticatedOrReadOnly**
- The IsAuthenticatedOrReadOnly will allow authenticated users to perform any request. Requests for unauthorised users will only be permitted if the request method is one of the "safe" methods; GET, HEAD or OPTIONS.
- This permission is suitable if you want to your API to allow read permissions to anonymous users, and only allow write permissions to authenticated users.

**DiangoModelPermissions**
- This permission class ties into Django's standard django.contrib.auth model permissions. This permission must only be applied to views that have a queryset property set. Authorization will only be granted if the user is authenticated and has the relevant model permissions assigned.
    - POST requests require the user to have the add permission on the model.
    - PUT and PATCH requests require the user to have the change permission on the model.
    - DELETE requests require the user to have the delete permission on the

- The default behaviour can also be overridden to support custom model permissions. For example, you might want to include a view model permission for GET request.
- To use custom model permissions, override DjangoModelPermissions and set the perms_map proverty.

**DiangoModelPermissionsOrAnonReadOnly**
- Similar to DjangoModelPermissions, but also allows unauthenticated users to have read-only access to the API.

**DiangoObjectPermissions**
- This permission class ties into Django's standard object permissions framework that allows per-object permissions on models. In order to use this permission class, you'll also need to add a permission backend that supports object-level permissions, such as django-guardian.
- As with DjangoModelPermissions, this permission must only be applied to views that have a queryset property or get_queryset() method. Authorization will only be granted if the user is authenticated and has the relevant per-object permissions relevant model permissions assigned.
    - POST requests require the user to have the add permission on the model instance.
    - PUT and PATCH requests require the user to have the change permission on the model instance.
    - DELETE requests require the user to have the delete permission on the model instance.

    
    
![image.png](attachment:37521fa6-30e9-430b-aaa5-888284486b61.png)

**How basic authentication works?**

Basic Authentication uses username and password in the Authorization header. The request must include: `Authorization: Basic base64(username:password)`. DRF decodes it, authenticates the user, and attaches it to `request.user`

In [None]:
# api/views.py:

from .models import Student
from .serializers import StudentSerializer
from rest_framework import viewsets
from rest_framework.authentication import BasicAuthentication
from rest_framework permissions import IsAuthenticated

class StudentmodelViewSet(viewsets.ModelViewSet):
    queryset = Student. objects.all()
    serializer_class = StudentSerializer
    authentication_classes = [BasicAuthentication]
    permission_classes = [IsAuthenticated] # multiple classes can be adding using coma(,)

Let's say we have several classes here like StudentmodelViewSet, TeachermodelViewSet, SecuritymodelViewSet and we want to apply these two authentication class and permission class to all these classes then we will have to write these permission and authentication in all these classes . What we can also do is we can apply these permission and authentication globally so that it will be applied for all classes. We can do so from our `settings.py`:

In [None]:
# settings.py:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES' : ['rest_framework.authentication.BasicAuthentication'],
    'DEFAULT_PERMISSION_CLASSES': ['rest_framework.permissions.IsAuthenticated' ]
}


**NOTE:** We can override globally applied permission and authentication classes by writing permission and authentication our class. Example:

In [None]:
# api/views.py:

from .models import Student
from .serializers import StudentSerializer
from rest_framework import viewsets
from rest_framework.authentication import BasicAuthentication
from rest_framework permissions import IsAuthenticated, AllowAny

class StudentmodelViewSet(viewsets.ModelViewSet):
    queryset = Student. objects.all()
    serializer_class = StudentSerializer
    

class TeachermodelViewSet(viewsets.ModelViewSet):
    queryset = Student. objects.all()
    serializer_class = StudentSerializer
    authentication_classes = [BasicAuthentication]
    permission_classes = [AllowAny] # overwrite global permission

class SecuritytmodelViewSet(viewsets.ModelViewSet):
    queryset = Student. objects.all()
    serializer_class = StudentSerializer
    

**Example: Allow Only Admins to Delete Students:**

In [None]:
# api/views.py:

from rest_framework.permissions import IsAdminUser

class StudentViewSet(ViewSet):
    authentication_classes = [BasicAuthentication]
    permission_classes = [IsAuthenticated]  # Default permission for all actions

    def destroy(self, request, pk=None):
        self.permission_classes = [IsAdminUser]  # overriding permission so that only admins can delete
        self.check_permissions(request)  # Recheck permissions after dynamically updating self.permission_classes
        student = get_object_or_404(Student, pk=pk)
        student.delete()
        return Response({'message': 'Student deleted successfully'}, status=status.HTTP_204_NO_CONTENT)


# Session Authentication and Permission

- This authentication scheme uses Django's default session backend for authentication. Session authentication is appropriate for AJAX clients that are running in the same session context as your website.
- If successfully authenticated, Session Authentication provides the following credentials.
    - request.user will be a Django User instance.
    - request.auth will be None.
- Unauthenticated responses that are denied permission will result in an HTTP 403 Forbidden response.

If you're using an AJAX style API with Session Authentication, you'll need to make sure you include a valid CSRF token for any "unsafe" HTTP method calls, such as PUT, PATCH, POST or DELETE requests.



**What is Session Authentication?**
- Session Authentication uses Django's built-in authentication system (`request.session`).
- It is ideal for web applications (not APIs used by mobile apps).
- The user must log in via Django’s login view (/admin/login/ or a custom login view).

**How it Works**
- A user logs in via Django’s authentication system.
- Django sets a session cookie (sessionid) in the browser.
- DRF checks the session cookie in requests to authenticate users.

In [None]:
# api/views.py:

from .models import Student
from .serializers import StudentSerializer
from rest_framework import viewsets
from rest_framework.authentication import SessionAuthentication
from rest_framework permissions import IsAuthenticated

class StudentmodelViewSet(viewsets.ModelViewSet):
    queryset = Student. objects.all()
    serializer_class = StudentSerializer
    authentication_classes = [SessionAuthentication]
    permission_classes = [IsAuthenticated] # multiple classes can be adding using coma(,)

In [None]:
# api/urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet

# Create a router
router = DefaultRouter()
router.register(r'students', StudentViewSet, basename='student')

urlpatterns = [
    path('', include(router.urls)),  # Include router-generated URLs
]


**How to Test Session Authentication?**
1. Login to Django Admin (/admin/) or a custom login view.
2. Open Postman / Browser Console:
    - Session Authentication works in the browser (no need for tokens).
    - Use the browser’s developer tools (F12 > Storage > Cookies) to check the sessionid.
3. Send API requests without a token (since the session is already stored in the browser).


If you want to use the built-in URL for login with Session Authentication, Django REST Framework (DRF) provides a default login view that integrates with Django’s authentication system.

In [None]:
# project/urls.py:

from django.contrib import admin
from django.urls import path, include

urlpatterns = [
    path('admin/', admin.site.urls),
    path('api/', include('api.urls')),  # Include app-level URLs
    path('api-auth/', include('rest_framework.urls')),  # DRF built-in login/logout
]
# Go to `/api-auth/login/` and log in using a Django admin user or a regular user.

# Custom Permission 

To implement a custom permission, override BasePermission and implement either, or both, of the following methods:
- has_permission(self, request, view)
- has_object_ permission(self, request, view, obj)

The methods should return True if the request should be granted access, and False otherwise.

In [None]:
# api/permissions.py:

from rest_framework permissions import BasePermission

class MyPermission(BasePermission):
    def has_permission(self, request, view):
        if request.method == 'GET' :
            return True
        return False

In [None]:
# api/views.py:

from .models import Student
from .serializers import StudentSerializer
from rest_framework import viewsets
from rest_framework.authentication import SessionAuthentication
from .permissions import MyPermission

class StudentModelViewSet(viewsets.ModelViewSet):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    authentication_classes = [SessionAuthentication] # we can use any authentication class
    permission_classes = [MyPermission]

**Custom Permission (Only Superusers Can Edit):**

In [None]:
# api/permissions.py:

from rest_framework.permissions import BasePermission

class IsSuperUser(BasePermission):
    def has_permission(self, request, view):
        return request.user and request.user.is_superuser


In [None]:
# api/views.py:

from .permissions import IsSuperUser

class StudentViewSet(ModelViewSet):
    authentication_classes = [SessionAuthentication]
    permission_classes = [IsSuperUser]  # Only superusers can access

Third party packages that provide permissions:-
- DRF - Access Policy
- Composed Permissions
- REST Condition
- DRY Rest Permissions
- Django Rest Framework Roles
- Django REST Framework API Key
- Django Rest Framework Role Filters
- Diango Rest Framework PSQ

# Authentication and Permission in Function Based View 

In [None]:
# api/urls.py

from django.urls import path
from . import views

urlpatterns = [
    path('studentapi/', views.student_api),
    path('studentapi/<int:pk>', views.student_api),
]

In [None]:
# api/views.py

from django.shortcuts import render
from rest_framework.decorators import api_view, authentication_classes, permissions_classes
from rest_framework.response import Response
from .models import Student
from .serializers import StudentSerializer
from rest_framework import status
from rest_framework. authentication import BasicAuthentication
from rest framework.permissions import IsAuthenticated

@api_view(['GET', 'POST', 'PUT', 'PATCH', 'DELETE'])
@authentication_classes([BasicAuthentication])
@permission_classes([IsAuthenticated])
def student_api(request, pk = None):
    if request.method == 'GET':
        id = pk
        if id is not None:
            stu = Student.objects.get(id=id)
            serializer = StudentSerializer(stu)
            return Response(serializer.data)
        
        stu = Student.objects.all()
        serializer = StudentSerializer(stu, many=True)
        return Response(serializer.data) # we can set status also
    
    if request.method == 'POST' :
        serializer = StudentSerializer (data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Data Created'}, status = status.HTTP_201_CREATED) 
        return Response(serializer.errors, status = status.HTTP_400_BAD_REQUEST)
    
    if request.method == 'PUT' : # put for complete update
        id = pk
        stu = Student.objects.get(pk=id)
        serializer = StudentSerializer(stu, data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Complete Data updated'}) # we can set status also
        return Response(serializer.errors)
    
    if request.method == 'PATCH' : # patch for partial update
        id = pk
        stu = Student.objects.get(pk=id)
        serializer = StudentSerializer(stu, data=request.data, partial=True)
        if serializer.is_valid():
            serializer.save()
            return Response({'msg': 'Partial Data updated'}) # we can set status also
        return Response(serializer.errors)
    
    if request.method == 'DELETE' :
        id = pk
        stu = Student.objects.get(pk=id)
        stu.delete()
        return Response({'msg': 'Data Deleted' }) # we can set status also

# Token Authentication

Token authentication allows API users to authenticate using a token instead of a username and password.

This authentication scheme uses a simple token-based HTTP Authentication scheme. Token authentication is appropriate for client-server setups, such as native desktop and mobile clients.

To use the TokenAuthentication scheme you'll need to configure the authentication classes to include TokenAuthentication, and additionally include `rest_framework.authtoken` in your INSTALLED_APPS setting:

<code>

INSTALLED_APPS = [
    'rest_framework.authtoken',
] 
</code>

**Note:** Make sure to run `python manage.py migrate` after changing your settings. The rest_framework.authtoken app provides Django database migrations.

If successfully authenticated, TokenAuthentication provides the following credentials:
- `request.user` will be a Django User instance.
- `request.auth` will be a rest_framework.authtoken.models.Token instance.

Unauthenticated responses that are denied permission will result in an HTTP 401 Unauthorized response with an appropriate WWW-Authenticate header. For example: WWW-Authenticate: Token

The http command line tool may be useful for testing token authenticated APIs. For example:
http http://127.0.0.1:8000/studentapi/ 'Authorization: Token 9944Ъ09199c62bcf9418ad846dd0e4bbdfc6ee4b'

**Note:** If you use TokenAuthentication in production you must ensure that your API is only available over https.

<br>

**Generate Token**
- Using Admin Application
- Using Django manage.py command
    - `python manage.py drf_create_token <username>` - This command will return API Token for the given user or creates a Token if token doesn't exist for user.
- By exposing an API endpoint
- Using Signals

In [None]:
# settings.py:

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'rest_framework',
    'rest_framework.authtoken',  # Add this for token authentication
    'api',  # Your app
]

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.TokenAuthentication',  # Enable token authentication
    ],
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',  # Require authentication for API access
    ],
}

# Run command: python manage.py migrate

In [None]:
# api/views.py:

from .models import Student
from .serializers import StudentSerializer
from rest_framework import viewsets
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import IsAuthenticated

class StudentModelViewSet(viewsets.ModelViewSet):
    queryset = Student.objects.all)
    serializer_class = StudentSerializer
    # authentication_classes=[SessionAuthentication]
    # permission_classes=[IsAuthenticated]

### How Client can Ask/Create Token

When using TokenAuthentication, you may want to provide a mechanism for clients to obtain a token given the username and password.

REST framework provides a built-in view to provide this behavior. To use it, add the `obtain_auth_token` view to your URLconf:

    from rest_framework.authtoken.views import obtain_auth_token
    urlpatterns = [
        path("gettoken/", obtain_auth_token)
    ]

The obtain auth token view will return a JSON response when valid username and fields are POSTed to the view using form data or JSON:
http POST http://127.0.0.1:8000/gettoken/ username="name" password="pass"

'token' : 19944609199c62bcf9418ad846dd0e4bbdfc6ee4b' }

It also generates token if the token is not generated for the provided user.


In [None]:
# api/urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet
from rest_framework.authtoken.views import obtain_auth_token  # DRF built-in token view

# Create a router
router = DefaultRouter()
router.register(r'students', StudentViewSet, basename='student')

urlpatterns = [
    path('', include(router.urls)),  # Include router-generated URLs
    path('auth/', include( 'rest_framework.urls', namespace='rest_framework')),
    path('gettoken/', obtain_auth_token) # API to get token
]


 Run command : `pip install httpie`

Now run ths command to create token: `http POST http://127.0.0.1:8000/gettoken/ username="user1" password="mypassword"`

As we run command we get token along with some other detail. Let's say we also to display `id`, `email` or other user's information then we can that in this way:

In [None]:
# api/auth.py:

from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.authtoken.models import Token
from rest_framework.response import Response

class CustomAuthToken(ObtainAuthToken) :
    def post(self, request, *args, **kwargs):
        serializer = self serializer_class(data=request.data, context={'request': request})
        serializer.is_valid(raise_exception=True)
        user = serializer.validated_data['user']
        token, created = Token.objects.get_or_create(user=user)
        return Response({
            'token': token.key,
            'user_id': user.pk,
            'email': user.email
        })
    

In [None]:
# api/urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet

from api.auth import CustomAuthToken

# Create a router
router = DefaultRouter()
router.register(r'students', StudentViewSet, basename='student')

urlpatterns = [
    path('', include(router.urls)),  # Include router-generated URLs
    path('auth/', include( 'rest_framework.urls', namespace='rest_framework')),
    path('gettoken/', CustomAuthToken.as_view()),
]

Now run command: `http POST http://127.0.0.1:8000/gettoken/ username="user1" password="mypassword"`

### httpie

HTTPie (pronounced aitch-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized output. HTTPie can be
used for testing, debugging, and generally interacting with HTTP servers.

Syntax:- `http [flags] [METHOD] URL [ITEM [ITEM]]`

**How to Install:** `pip install httpie`

**Use httpie**

1. GET Request
    - `http http://127.0.0.1:8000/studentapi/`

2. GET Request with Auth
    - `http http://127.0.0.1:8000/studentapi/ 'Authorization:Token 621cdf999d9151f9aea8e52f00eb436aa680fa24'`

3. POST Request/ Submitting Form
    - `http -f POST http://127.0.0.1:8000/studentapi/ name=Jay roll=104 city=Dhanbad 'Authorization:Token 621cdf999d9151f9aea8e52f00eb436aa680fa24'`

4. PUT Request: for id=4
    - `http PUT http://127.0.0.1:8000/studentapi/4/ name=Kunal roll=109 city=Bokaro 'Authorization:Token 621cdf999d9151f9aea8e52f00eb436aa680fa24'`

5. Delete Request: for id=4
    - `http DELETE http://127.0.0.1:8000/studentapi/4/ 'Authorization:Token 621cdf999d9151f9aea8e52f00eb436a680fa24'`

**Example using Postman:**

1. Set Method → GET
2. Set URL → http://127.0.0.1:8000/api/students/
3. Go to Headers → Add:
    - Key: Authorization
    - Value: Token your_generated_token_here


**Generate token using signal:**

Let's say when a user is created then his token should also get created:

In [None]:
# api/models.py:

# we can write signal code in models.py or signals.py 

from django.db import models

# Create your models here.
class Student (models .Model) :
    name = models.CharField(max_Length=50)
    roll = models.IntegerField()
    city = models.CharField(max_Length=50)


# signals for creating token
from django.conf import settings
from django. db.models. signals import post_save
from django. dispatch import receiver
from rest_framework.authtoken.models import Token

@receiver(post_save, sender=settings.AUTH_USER_MODEL)
def create_auth_token(sender, instance=None, created=False, **kwargs):
    if created:
        Token.objects.create(user=instance)

# Example token authentication

In [None]:
# api/signals.py:

from django.conf import settings
from django.db.models.signals import post_save
from django.dispatch import receiver
from rest_framework.authtoken.models import Token
from django.contrib.auth.models import User

@receiver(post_save, sender=User)
def create_auth_token(sender, instance=None, created=False, **kwargs):
    if created:
        Token.objects.create(user=instance)  # Automatically create token when a new user is created


In [None]:
# api/apps.py:

from django.apps import AppConfig

class ApiConfig(AppConfig):
    default_auto_field = 'django.db.models.BigAutoField'
    name = 'api'

    def ready(self):
        import api.signals  # Ensure signals are connected when app loads


In [None]:
# settings.py:

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'rest_framework',
    'rest_framework.authtoken',  # Required for token authentication
    'api',  # Your app
]

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.TokenAuthentication',  # Only allow token authentication
    ],
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',  # Require authentication for all endpoints
    ],
}


In [None]:
# api/views.py:

from rest_framework.viewsets import ModelViewSet
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import IsAuthenticated, IsAdminUser
from .models import Student
from .serializers import StudentSerializer
from django.contrib.auth.models import User

class StudentViewSet(ModelViewSet):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    authentication_classes = [TokenAuthentication]  # Enforce token authentication
    permission_classes = [IsAuthenticated]  # Require authentication for all requests

    def destroy(self, request, *args, **kwargs):
        """Only admins can delete a student"""
        self.permission_classes = [IsAdminUser]  # Override permission for delete
        self.check_permissions(request)
        return super().destroy(request, *args, **kwargs)


In [None]:
# project/urls.py:

from django.contrib import admin
from django.urls import path, include
from rest_framework.authtoken.views import obtain_auth_token  # Built-in token login API

urlpatterns = [
    path('admin/', admin.site.urls),
    path('api/', include('api.urls')),  # Include app-level URLs
    path('api/token/', obtain_auth_token, name='get_token'),  # Endpoint to get token
]


In [None]:
# api/urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet

router = DefaultRouter()
router.register('students', StudentViewSet, basename='student')

urlpatterns = [
    path('', include(router.urls)),  # Use router for API endpoints
]


###  Testing in Postman & Browser

**Step 1: Create a User & Token Automatically**

1️⃣ Register a User via Django Admin
- Go to http://127.0.0.1:8000/admin/
- Create a new user (username: testuser, password: testpass).
- The token is automatically created for this user.

2️⃣ OR Use Django Shell to Create User & Token:
<code>
    from django.contrib.auth.models import User
    from rest_framework.authtoken.models import Token
    user = User.objects.create_user(username='testuser', password='testpass')
    token, created = Token.objects.get_or_create(user=user)
    print(token.key)  # Copy this token for testing

</code>

**Step 2: Get Token for an Existing User (Postman)**
- Make a POST request to: `http://127.0.0.1:8000/api/token/` With JSON data: `{
    "username": "testuser",
    "password": "testpass"
}`

**Step 3: Test API with Token (Postman)**
- Make a GET request to: `http://127.0.0.1:8000/api/students/` In Postman Headers, add: `Authorization: Token your_generated_token_here`

**Step 4: Access API in Browser**
- Browsers do not support Authorization headers, so use Django’s built-in login page at: `http://127.0.0.1:8000/api-auth/login/`
    1. Enter your username and password.
    2. You will now be authenticated in your browser session.
    3. Visit http://127.0.0.1:8000/api/students/ → You will see the API response.


# Custom Authentication

To implement a custom authentication scheme, subclass `BaseAuthentication` and override the `authenticate(self, request)` method.
    
The method should return a two-tuple of (user, auth) if authentication succeeds, or None otherwise.

In [None]:
# api/auth.py:

from rest_ framework. authentication import BaseAuthentication
from django.contrib.auth.models import User
from rest_framework.exceptions import AuthenticationFailed

class CustomAuthentication(BaseAuthentication):
    def authenticate(self, request):
        username = request.GET.get('username')
        if username is None:
            return None
        try:
            user = User.objects.get(username=username)
        except User.DoesNotExist:
            raise AuthenticationFailed('No Such User')
        return (user, None)

In [None]:
# api/views.py:

from .models import Student
from .serializers import StudentSerializer
from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticated
from api.auth import CustomAuthentication

class StudentModelViewSet(viewsets.ModelViewSet):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    authentication_classes=[CustomAuthentication]
    permission_classes=[IsAuthenticated]

**See another example:**

In [None]:
# api/authentication.py:

from rest_framework.authentication import BaseAuthentication
from rest_framework.exceptions import AuthenticationFailed
from django.contrib.auth.models import User

class CustomTokenAuthentication(BaseAuthentication):
    def authenticate(self, request):
        """
        Custom authentication method using a header: `X-Custom-Token`
        """
        custom_token = request.headers.get('X-Custom-Token')  # Get token from headers

        if not custom_token:
            return None  # No authentication

        try:
            user = User.objects.get(username=custom_token)  # Dummy logic: Use username as token
        except User.DoesNotExist:
            raise AuthenticationFailed('Invalid token')

        return (user, None)  # Return authenticated user


In [None]:
# api/views.py:

from rest_framework.viewsets import ModelViewSet
from rest_framework.permissions import IsAuthenticated
from .models import Student
from .serializers import StudentSerializer
from .authentication import CustomTokenAuthentication  # Import custom authentication

class StudentViewSet(ModelViewSet):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    authentication_classes = [CustomTokenAuthentication]  # Use custom authentication
    permission_classes = [IsAuthenticated]  # Require authentication for all actions


In [None]:
# settings.py:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'api.authentication.CustomTokenAuthentication',  # Custom Authentication
    ],
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',  # Require authentication for all endpoints
    ],
}


# JSON Web Token and Simple JWT

**JWT**
  
JSON Web Token is a fairly new standard which can be used for token-based authentication. Unlike the built-in TokenAuthentication scheme, JWT Authentication doesn't need to use a database to validate a token.

**Simple JWT**

Simple JWT provides a JSON Web Token authentication backend for the Django REST Framework. It aims to cover the most common use cases of JWTs by offering a conservative set of default features. It also aims to be easily extensible in case a desired feature is not present.

**Install:** `pip install djangorestframework-simplejwt`

For globally apply simaple JWT we need to add following thing in our `settings.py`:

    REST_FRAMEWORK = {
        'DEFAULT _AUTHENTICATION_CLASSES': (
        rest_framework_simplejwt.authentication.JWTAuthentication',
    )}

You can also include a route for Simple JWT's Token Verify View if you wish to allow API users to verify HMAC-signed tokens without having access to your signing key.

<code>
from rest _framework simplejwt.views import TokenObtainPairView, TokenRefreshView,TokenVerifyView
urlpatterns = [
    path('gettoken/', TokenObtainPairView.as_view(), name='token_obtain pair'),
    path('refreshtoken/', TokenRefreshView.as_view(), name='token_refresh'),
    path('verifytoken/', TokenVerify View.as_view(), name='token_verify'),
]
</code>

**Note:** `TokenVerifyView` only works with access tokens, not refresh tokens.

**Use simple JWT**

1. GET Token
    - `http POST http://127.0.0.1:8000/gettoken/ username="userl" password="geekyshows"`

2. Verify Token
    - `http POST http://127.0.0.1:8000/verifytoken/ token="eyJ0eXAiOiJKV1QiLCJhbGciOiJTUzI1NiJ9.eyJ0b2tlbl90eXBljoiYWNjZXNzliwiZXhwIjoxNjAzNjIxOTAxLCJqdGkiOiI2NmM4ZWJiYjUwMWM0MzA3YWJjMGNjNTY2ZmNmNTJiMyIsInVzZXJfaWQiOjJ9.cwUSWrkFnFdO8fP45aEP6GDa3yaybSVYAG6vGUlkFOo"`

3. Refresh Token
- `http POST http://127.0.0.1:8000/refreshtoken/ refresh="eyJ0eXAiOiJKV1QiLCJhbGciOiJUzI1NiJ9.eyJOb2tlbl90eXBlljoicmVmcmVzaCIsImV4cCI6MTYwMzcwODAwMSwianRpljoiYzYzODBmYjVjMDk3NDVhNjkyYzASYWRmMGI1ZDQ5OWIiLCJc2VyX21kljoyfQ.Q-E-8N8VvSZofSIjoNIL-2KECRLqlYzBojbTCj_4dBc"`

![image.png](attachment:297a5884-1bde-4a35-bc77-e5bc8c8fa3c4.png)

- The Access Token is valid for 5 minutes by default, meaning after 5 minutes, the user needs to use the refresh token to obtain a new access token.
- The Refresh Token is valid for 24 hours by default, allowing users to get new access tokens for a day before needing to log in again. In simple word If the refresh token expires after 24 hours, the user must log in again to get a new access and refresh token.

**Note:** TokenVerifyView only works with access tokens, not refresh tokens.

In [None]:
# project/urls.py:

from django.contrib import admin
from django.urls import path, include
from rest_framework_simplejwt.views import (
    TokenObtainPairView,  # Get Access & Refresh Tokens
    TokenRefreshView,      # Refresh Access Token
    TokenVerifyView
)

urlpatterns = [
    path('admin/', admin.site.urls),
    path('', include('api.urls')),  # Include app-level URLs
    path('gettoken/', TokenObtainPairView.as_view(), name='token_obtain_pair'),  # Login (Get token)
    path('refreshtoken/', TokenRefreshView.as_view(), name='token_refresh'),  # Refresh token
    path('verifytoken/', TokenVerifyView.as_view(), name='token_verify'),  # Verify token
    #  Verify token only works with access tokens, not refresh tokens.
]


In [None]:
# api/urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet

router = DefaultRouter()
router.register(r'students', StudentViewSet, basename='student')

urlpatterns = [
    path('', include(router.urls)),
]


Now we can generate token and refresh the token.

In [None]:
# api/views.py:

from .models import Student
from .serializers import StudentSerializer
from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticated
from rest_framework_simplejwt.authentication import JWTAuthentication

class StudentModelViewSet(viewsets.ModelViewSet):
    queryset = Student. objects.all()
    serializer_class = StudentSerializer
    authentication_classes=[JWTAuthentication]
    permission classes= [IsAuthenticated]

- `http -f POST http://127.0.0.1:8000/students/ name=Jay roll=104 city=Dhanbad 'Authorization:Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJUzI1NiJ9.eyJOb2tlbl90eXBlljoicmVmcmVzaCIsImV4cCI6MTYwMzcwODAwMSwianRpljoiYzYzODBmYjVjMDk3NDVhNjkyYzASYWRmMGI1ZDQ5OWIiLCJc2VyX21kljoyfQ.Q-E-8N8VvSZofSIjoNIL-2KECRLqlYzBojbTCj_4dBc'`

**See another example:**

In [None]:
# settings.py:

from datetime import timedelta

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',  # Use JWT
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',  # Restrict access to authenticated users
    ),
}

SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': timedelta(minutes=30),  # Token valid for 30 minutes
    'REFRESH_TOKEN_LIFETIME': timedelta(days=1),  # Refresh token valid for 1 day
    'ROTATE_REFRESH_TOKENS': True,
    'BLACKLIST_AFTER_ROTATION': True,
}


In [None]:
# project/urls.py:

from django.contrib import admin
from django.urls import path, include
from rest_framework_simplejwt.views import (
    TokenObtainPairView,  # Get Access & Refresh Tokens
    TokenRefreshView,      # Refresh Access Token
)

urlpatterns = [
    path('admin/', admin.site.urls),
    path('api/', include('api.urls')),  # Include app-level URLs
    path('api/token/', TokenObtainPairView.as_view(), name='token_obtain_pair'),  # Login (Get token)
    path('api/token/refresh/', TokenRefreshView.as_view(), name='token_refresh'),  # Refresh token
]


In [None]:
# api/views.py:

from rest_framework.viewsets import ModelViewSet
from rest_framework.permissions import IsAuthenticated
from rest_framework_simplejwt.authentication import JWTAuthentication
from .models import Student
from .serializers import StudentSerializer

class StudentViewSet(ModelViewSet):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    authentication_classes = [JWTAuthentication]  # Use JWT authentication
    permission_classes = [IsAuthenticated]  # Restrict access to authenticated users


In [None]:
# api/urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet

router = DefaultRouter()
router.register(r'students', StudentViewSet, basename='student')

urlpatterns = [
    path('', include(router.urls)),
]


# Throttling

**What is Throttling?**
- Throttling is a mechanism used in Django REST Framework (DRF) to limit the number of API requests a user can make within a specific time frame.
- It helps to prevent abuse, rate-limit API usage, and enhance security.


Throttling is similar to permissions, in that it determines if a request should be authorized. Throttles indicate a temporary state, and are used to control the rate of requests that clients can make to an API.
Your API might have a restrictive throttle for unauthenticated requests, and a less restrictive throttle for authenticated requests.
                                                                                                        
The default throttling policy may be set globally, using the DEFAULT_ THROTTLE_CLASSES and DEFAULT_THROTTLE_RATES settings. For example:
    
    REST_FRAMEWORK = {
        'DEFAULT_THROTTLE_CLASSES': [
            'rest_framework.throttling.AnonRateThrottle',
            'rest_framework. throttling.UserRateThrottle'
        ],
        'DEFAULT_THROTTLE_RATES': {
            'anon': '100/day',
            'user': '1000/day'
        }
    }

Note:- The rate descriptions used in `DEFAULT_THROTTLE_RATES` may include second, minute, hour or day as throttle period.


**`AnonRateThrottle`**

- The AnonRateThrottle will only ever throttle unauthenticated users. The IP address of the incoming request is used to generate a unique key to throttle against.
- The allowed request rate is determined from one of the following (in order of preference).
- The rate property on the class, which may be provided by overriding `AnonRateThrottle` and setting the property.
- The DEFAULT_THROTTLE_RATES['anon'] setting.
- AnonRateThrottle is suitable if you want to restrict the rate of requests from unknown sources.

<br>

**`UserRateThrottle`**

- The UserRateThrottle will throttle users to a given rate of requests across the API. The user id is used to generate a unique key to throttle against. Unauthenticated requests will fall back to using the IP address of the
incoming request to generate a unique key to throttle against.
- The allowed request rate is determined from one of the following (in order of preference).
- The rate property on the class, which may be provided by overriding UserRateThrottle and setting the property.
- The DEFAULT_THROTTLE_RATES['user'] setting.

<br>

**`ScopedRateThrottle`**

The ScopedRateThrottle class can be used to restrict access to specific parts of the API. This throttle will only be applied if the view that is being accessed includes a `throttle_scope` property. The unique throttle key will then be formed by concatenating the "scope" of the request with the unique user id or IP address.

![image.png](attachment:7d21c068-7a20-4d09-98dc-cdfd7e65ea5d.png)

In [None]:
# views.py:

from .models import Student
from .serializers import StudentSerializer
from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticatedOrReadOnly
from rest_framework.authentication import SessionAuthentication
from rest_framework.throttling import AnonRateThrottle, UserRateThrottle

class StudentModelViewSet(viewsets.ModelViewSet):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    authentication_classes=[SessionAuthentication]
    permission_classes=[IsAuthenticatedOrReadOnly]
    throttle_classes = [AnonRateThrottle, UserRateThrottle] # locally

In [None]:
# api/urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet

# Create a router
router = DefaultRouter()
router.register(r'students', StudentViewSet, basename='student')

urlpatterns = [
    path('', include(router.urls)),  # Include router-generated URLs
]


In [None]:
# project/urls.py:

from django.contrib import admin
from django.urls import path, include

urlpatterns = [
    path('admin/', admin.site.urls),
    path('api/', include('api.urls')),  # Include app-level URLs
    path('api-auth/', include('rest_framework.urls')),  # DRF built-in login/logout
]
# Go to `/api-auth/login/` and log in using a Django admin user or a regular user.

In [None]:
# settings.py:

REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_RATES' : {
        'anon': ' 2/day', # 2 request/day
        'user': '5/hour', # 5 request/hour
    }
}


Above throttle rate will be applied on all classes of our views.py

Let's say we want to set different throttle rate specific to a view and we can do this by:  

In [None]:
# api/throttle.py:

from rest_framework.throttling import UserRateThrottle

class JackRateThrottle(UserRateThrottle): # you can out class name anything
    scope = 'jack' # name anything

In [None]:
# views.py:

from .models import Student
from .serializers import StudentSerializer
from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticatedOrReadOnly
from rest_framework.authentication import SessionAuthentication
from rest_framework.throttling import AnonRateThrottle, UserRateThrottle
from api.throttle import JackRateThrottle

class StudentModelViewSet(viewsets.ModelViewSet):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    authentication_classes=[SessionAuthentication]
    permission_classes=[IsAuthenticatedOrReadOnly]
    throttle_classes = [AnonRateThrottle, JackRateThrottle] # throttle rate specific to this class

In [None]:
# settings.py:

REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_RATES' : {
        'anon': ' 2/day', # 2 request/day
        'user': '5/hour', # 5 request/hour
        'jack': '3/minutes', # 3 request/minute
    }
}


**Another Example: Basic Throttling Configuration**

In [None]:
# setting.py:

REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.AnonRateThrottle',  # Throttle for anonymous users
        'rest_framework.throttling.UserRateThrottle',  # Throttle for authenticated users
    ],
    'DEFAULT_THROTTLE_RATES': {
        'anon': '5/minute',  # Max 5 requests per minute for anonymous users
        'user': '10/minute',  # Max 10 requests per minute for authenticated users
    }
}


In [None]:
# api/views.py:

from rest_framework.throttling import AnonRateThrottle, UserRateThrottle
from rest_framework.views import APIView
from rest_framework.response import Response

class StudentAPIView(APIView):
    throttle_classes = [AnonRateThrottle, UserRateThrottle]  # Apply throttling

    def get(self, request):
        return Response({"message": "Hello, world!"})


###  Scoped Throttling

Scoped throttling allows you to apply different request rate limits to different API views.

In [None]:
# settings.py:

REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.ScopedRateThrottle',  # Enable Scoped Throttling globally
    ],
    'DEFAULT_THROTTLE_RATES': {
        'student_list': '3/minute',   # Limit list view to 3 requests per minute
        'student_detail': '5/minute',  # Limit detail view to 5 requests per minute
    }
}


In [None]:
# api/views.py:

from rest_framework.response import Response
from rest_framework import status
from rest_framework.generics import ListAPIView, RetrieveAPIView
from rest_framework.throttling import ScopedRateThrottle
from .models import Student
from .serializers import StudentSerializer

# Scoped Throttling for List View
class StudentListView(ListAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    throttle_classes = [ScopedRateThrottle]  # Apply Scoped Throttling
    throttle_scope = 'student_list'  # Scope name defined in settings.py

# Scoped Throttling for Detail View
class StudentDetailView(RetrieveAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    throttle_classes = [ScopedRateThrottle]  # Apply Scoped Throttling
    throttle_scope = 'student_detail'  # Scope name defined in settings.py


In [None]:
# api/urls.py:

from django.urls import path
from .views import StudentListView, StudentDetailView

urlpatterns = [
    path('students/', StudentListView.as_view(), name='student-list'),
    path('students/<int:pk>/', StudentDetailView.as_view(), name='student-detail'),
]


In [None]:
# project/urls.py:

from django.contrib import admin
from django.urls import path, include

urlpatterns = [
    path('admin/', admin.site.urls),
    path('api/', include('api.urls')),  # Include app-level URLs
]


### Custom Throttling

Custom throttling allows you to define your own logic to control API request limits based on IP address, user type, request method, or any custom condition.

**Steps to Implement Custom Throttling:**
1. Create a Custom Throttle Class by extending BaseThrottle.
2. Implement the allow_request() method to define throttling logic.
3. Return True (Allow) or False (Throttle) based on request frequency.
4. Use the custom throttle in DRF views.

In [None]:
# setting.py:

REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_CLASSES': [
        'api.throttling.CustomThrottle',  # Use custom throttle
    ],
    'DEFAULT_THROTTLE_RATES': {
        'custom_scope': '5/minute',  # Example throttle rate (not used in custom throttling)
    }
}


In [None]:
# api/throttling.py:

from rest_framework.throttling import BaseThrottle
import time

class CustomThrottle(BaseThrottle):
    """
    Custom throttle that allows a user to make only 3 requests per minute.
    The counter resets every 60 seconds.
    """

    THROTTLE_LIMIT = 3  # Maximum allowed requests
    THROTTLE_TIME = 60  # Time window in seconds (1 min)

    cache = {}  # Store request timestamps for each user/IP

    def allow_request(self, request, view):
        """
        Allows or denies a request based on custom logic.
        """
        user_ip = self.get_ident(request)  # Get user IP address

        # Get current timestamp
        current_time = time.time()

        if user_ip not in self.cache:
            self.cache[user_ip] = []

        # Remove timestamps older than the time window
        self.cache[user_ip] = [
            t for t in self.cache[user_ip] if t > current_time - self.THROTTLE_TIME
        ]

        # Check if the request limit is exceeded
        if len(self.cache[user_ip]) >= self.THROTTLE_LIMIT:
            return False  # Request throttled

        # Otherwise, log the new request and allow it
        self.cache[user_ip].append(current_time)
        return True  # Request allowed

    def wait(self):
        """Returns the time (in seconds) until the next request is allowed."""
        return 60  # Example: Always returns 60 seconds


**How It Works:**

- Keeps track of request timestamps per user/IP.
- Limits to 3 requests per minute.
- Clears old timestamps beyond the time window.
- Blocks requests if limit is exceeded.

In [None]:
# api/views.py:

from rest_framework.response import Response
from rest_framework.views import APIView
from rest_framework import status
from .throttling import CustomThrottle

class StudentListView(APIView):
    throttle_classes = [CustomThrottle]  # Apply custom throttling

    def get(self, request):
        data = {'message': 'You have accessed the API successfully!'}
        return Response(data, status=status.HTTP_200_OK)


In [None]:
# api/urls.py:

from django.urls import path
from .views import StudentListView

urlpatterns = [
    path('students/', StudentListView.as_view(), name='student-list'),
]


In [None]:
# project/urls.py:

from django.contrib import admin
from django.urls import path, include

urlpatterns = [
    path('admin/', admin.site.urls),
    path('api/', include('api.urls')),  # Include app-level URLs
]


# Filtering and django filter

Filtering is essential in APIs to retrieve specific records based on user-defined criteria. Django Filter simplifies this process by allowing filtering on query parameters without manually handling them in views.

The simplest way to filter the queryset of any view that subclasses Generic APIView is to override the `.get_queryset()` method.

In [None]:
# api/models.py:

from django.db import models

# Create your models here.
class Student (models Model) :
    name = models.CharField(max_Length=50)
    roll = models.IntegerField()
    city = models.CharField(max_Length=50)
    passby = models.CharField(max_Length=50) # we will store name of user in this field

In [None]:
# api/serializers.py:

from rest_framework import serializers
from .models import Student

class StudentSerializer(serializers.ModeLSerializer):
    class Meta:
        model = Student
        fields = ['id', 'name', 'roll', 'city', 'passby']

We have this data:

![image.png](attachment:e3601879-1072-4bc8-8f75-98b3bdfdcbc0.png)

In [None]:
# api/views.py:

from django. shortcuts import render
from .serializers import StudentSerializer
from rest_ framework generics import ListAPIView
from models import Student

# Create your views here.
class StudentList(ListAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

    # our intension is to display data of students who were passed by current user
    def get_queryset(self):
        user = self.request.user
        return Student.objects.filter(passby=user)

In [None]:
# api/urls.py:

from django.urls import path
from .views import StudentListView

urlpatterns = [
    path('studentapi/', StudentList.as_view(), name='student-list'),
]


**`DiangoFilterBackend`**

The django-filter library includes a DjangoFilterBackend class which supports highly customizable field filtering for REST framework.

**Install:** `pip install django-filter`

Then add 'django_filters' to Django's INSTALLED_APPS:

    INSTALLED_APPS = [
        'django_filters',
    ]

**Global Setting**
  
    REST_FRAMEWORK = {
        'DEFAULT_FILTER_BACKENDS': ['django_filters.rest_framework.DjangoFilterBackend']
    }

**Per View Setting**
You can set the filter backends on a per-view, or per-viewset basis, using the `GenericAPIView` class-based views.
    
    from django_filters.rest_framework import DjangoFilterBackend
    class StudentList View(ListAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        filter_backends = [DjangoFilterBackend]

<br>

If all you need is simple equality-based filtering, you can set a `filterset_fields` attribute on the view, or viewset, listing the set of fields you wish to filter against.
    
    class StudentList(ListAPIView):
        queryset = Student.objects.all
        serializer_class = StudentSerializer
        filter_backends = [DjangoFilterBackend]
        filterset_fields = ['name', 'city']

In [None]:
# settings.py:

INSTALLED_APPS = [
    'django.contrib.admin'
    'django.contrib.auth'
    'django.contrib.contenttypes'
    'django.contrib.sessions'
    'django.contrib.messages'
    'django.contrib.staticfiles'
    'rest_framework',
    'django_filter",
    'api',
]
REST_FRAMEWORK = {
    'DEFAULT_FILTER_BACKENDS': ['django_filters.rest_framework.DjangoFilterBackend']
}

In [None]:
# api/views.py:

from django. shortcuts import render
from .serializers import StudentSerializer
from rest_ framework generics import ListAPIView
from models import Student
from diango.filters.rest_framework import DiangoFilterBackend

# Create your views here.
class StudentList(ListAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    filter_backends = [DjangoFilterBackend] # locally or per view
    filterset_fields = ['city']

So, our client request will look like: `http://127.0.0.1:8000/studentapi/?city=Ranchi`

In [None]:
# api/views.py:

from django. shortcuts import render
from .serializers import StudentSerializer
from rest_ framework generics import ListAPIView
from models import Student
from diango.filters.rest_framework import DiangoFilterBackend

# Create your views here.
class StudentList(ListAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    filter_backends = [DjangoFilterBackend] # locally or per view
    # filterset_fields = ['city']
    filterset_fields = ['name', 'city']

Now client request will look like: `http://127.0.0.1:8000/studentapi/?name=sonam&city=Ranchi`

### Advanced Filtering with Custom Filters

For more complex filters, we create a separate filter class.

In [None]:
# api/models.py:

from django.db import models

class Student(models.Model):
    name = models.CharField(max_length=100)
    age = models.IntegerField()
    grade = models.CharField(max_length=10)
    city = models.CharField(max_length=100)

    def __str__(self):
        return self.name


In [None]:
# api/urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet

router = DefaultRouter()
router.register(r'students', StudentViewSet)

urlpatterns = [
    path('api/', include(router.urls)),
]


In [None]:
# api/filters.py:

import django_filters
from .models import Student

class StudentFilter(django_filters.FilterSet):
    min_age = django_filters.NumberFilter(field_name="age", lookup_expr='gte')
    max_age = django_filters.NumberFilter(field_name="age", lookup_expr='lte')
    name_contains = django_filters.CharFilter(field_name="name", lookup_expr='icontains')

    class Meta:
        model = Student
        fields = ['min_age', 'max_age', 'name_contains'] # Defines which filters can be used in API queries.


In [None]:
# api/views.py:

from .filters import StudentFilter

class StudentViewSet(viewsets.ModelViewSet):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    filter_backends = [DjangoFilterBackend]
    filterset_class = StudentFilter  # Use Custom Filter


URL: 

- `GET http://127.0.0.1:8000/api/students/?min_age=18`
- `GET http://127.0.0.1:8000/api/students/?max_age=25`
- `GET http://127.0.0.1:8000/api/students/?name_contains=John`

**Note:** by default, Django Filter is case-sensitive when filtering string fields.

In [None]:
# api/filters.py:

import django_filters
from .models import Student

class StudentFilter(django_filters.FilterSet):
    city = django_filters.CharFilter(field_name="city", lookup_expr='iexact')  # Case-insensitive exact match
    name_contains = django_filters.CharFilter(field_name="name", lookup_expr='icontains')  # Case-insensitive contains

    class Meta:
        model = Student
        fields = ['city', 'name_contains']


Now, the following requests will work correctly, regardless of case:
- GET http://127.0.0.1:8000/api/students/?city=NEW YORK
- GET http://127.0.0.1:8000/api/students/?city=New york
- GET http://127.0.0.1:8000/api/students/?name_contains=john
- GET http://127.0.0.1:8000/api/students/?name_contains=JOHN

<br>

![image.png](attachment:038f4cfd-e71a-49b5-8132-540aaeb49731.png)

**Best Practice:** If your app needs case-insensitive filtering, always use `iexact` or `icontains` in your filters.py.

# SearchFilter

The `SearchFilter` class supports simple single query parameter based searching, and is based on the Django admin's search functionality.

The `SearchFilter` class will only be applied if the view has a `search_fields` attribute set. The `search_fields` attribute should be a list of names of text type fields on the model, such as `CharField` or `TextField`.

    from rest_framework.filters import SearchFilter
    class StudentList View(ListAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        filter_backends = [SearchFilter]
        search_fields = ['city']

In [None]:
# api/views.py:

from django. shortcuts import render
from .serializers import StudentSerializer
from rest_ framework generics import ListAPIView
from models import Student
from rest_framework.filters import SearchFilter

# Create your views here.
class StudentList(ListAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    filter_backends = [SearchFilter] # locally or per view
    # search_fields = ['city']
    search_fields = ['name', 'city']
    

`http://127.0.0.1:8000/studentapi/?search=Ranchi`

**SearchFilter**
- '^' Starts-with search.
- '=' Exact matches.
- '@' Full-text search. (Currently only supported Django's PostgreSQL backend.)
- '$' Regex search.

Example:-
search_fields = ['^name']

`http://127.0.0.1:8000/studentapi/?search=r` this will give data of those student whose name start with letter `r` because we have specified `search_fields = ['^name']` in our code.

Now while searching, we have specify `search` keyword. We can use differant word by cahnging its default setting:

In [None]:
# settings.py:

REST_FRAMEWORK ={
    'SEARCH_PARAM': 'query',
}

Now our URL will look like: `http://127.0.0.1:8000/studentapi/?query=r`

# OrderingFilter

The Ordering Filter in Django REST Framework (DRF) allows API clients to sort the response data by specified fields using the `?ordering=` parameter.

It's recommended that you explicitly specify which fields the API should allowing in the ordering filter. You can do this by setting an `ordering_fields` attribute on the view, like so:

    class StudentList View(generics.ListAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        filter_backends = [OrderingFilter]
        ordering_fields = ['name']
        # ordering_fields = ['name', 'city']
        # ordering_fields = '__all__'


- The OrderingFilter class supports simple query parameter controlled ordering of results. `http://127.0.0.1:8000/studentapi/?ordering=name`
- The client may also specify reverse orderings by prefixing the field nattup for with '-', like so:
`http://127.0.0.1:8000/studentapi/?ordering=-name`
- Multiple orderings may also be specified: `http://example.com/api/users?ordering=account,username`

In [None]:
# api/views.py:

from django. shortcuts import render
from .serializers import StudentSerializer
from rest_ framework generics import ListAPIView
from models import Student
from rest_framework.filters import OrderingFilter

# Create your views here.
class StudentList(ListAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    filter_backends = [SearchFilter] # locally or per view
    # ordering_fields = ['city']
    ordering_fields = '__all__'
    ordering_fields = ['name', 'city'] # Fields available for ordering
    ordering = ['name']  # Default ordering (optional)

# Combined example: filter, serach, Order

In [None]:
# settings.py:

REST_FRAMEWORK = {
    'DEFAULT_FILTER_BACKENDS': [
        'django_filters.rest_framework.DjangoFilterBackend',  # Enables filtering
        'rest_framework.filters.SearchFilter',  # Enables searching
        'rest_framework.filters.OrderingFilter',  # Enables ordering
    ],
}


In [None]:
# aoi/models.py:

from django.db import models

class Student(models.Model):
    name = models.CharField(max_length=100)
    age = models.IntegerField()
    city = models.CharField(max_length=100)

    def __str__(self):
        return self.name


In [None]:
# api/serializers.py:

from rest_framework import serializers
from .models import Student

class StudentSerializer(serializers.ModelSerializer):
    class Meta:
        model = Student
        fields = '__all__'


In [None]:
# api/filters.py:

import django_filters
from .models import Student

class StudentFilter(django_filters.FilterSet):
    min_age = django_filters.NumberFilter(field_name="age", lookup_expr='gte')
    max_age = django_filters.NumberFilter(field_name="age", lookup_expr='lte')
    name_contains = django_filters.CharFilter(field_name="name", lookup_expr='icontains')

    class Meta:
        model = Student
        fields = ['min_age', 'max_age', 'name_contains', 'city']


In [None]:
# api/views.py:

from rest_framework import viewsets
from django_filters.rest_framework import DjangoFilterBackend
from .models import Student
from .serializers import StudentSerializer
from .filters import StudentFilter  # Import custom filter

class StudentViewSet(viewsets.ModelViewSet):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

    # Filtering, Searching, and Ordering
    filterset_class = StudentFilter  # Uses the custom filter from filters.py
    search_fields = ['name', 'city']  # Searchable fields
    ordering_fields = ['name', 'age', 'city']  # Fields allowed for ordering
    ordering = ['name']  # Default ordering (ascending by name)


In [None]:
# api/urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentViewSet

router = DefaultRouter()
router.register(r'students', StudentViewSet, basename='student')

urlpatterns = [
    path('', include(router.urls)),  # Include all ViewSet routes
]


- http://127.0.0.1:8000/students/
- `http://127.0.0.1:8000/students/?min_age=20&max_age=30&city=Delhi` : (Filters students whose age is between 20 and 30 and live in Delhi)
- `http://127.0.0.1:8000/students/?search=John` : (Finds students with 'John' in their name or city)
- To filter students whose city is "Mumbai" and age is greater than 23, use the following API request: `http://127.0.0.1:8000/students/?city=Mumbai&min_age=24`

# Pagination

REST framework includes support for customizable pagination styles. This allows you to modify how large result sets are split into individual pages of data.

- PageNumberPagination
- LimitOffsetPagination
- CursorPagination

**Pagination Global Setting**

The pagination style may be set globally, using the DEFAULT_PAGINATION_CLASS and PAGE_ SIZE setting keys.
    
    REST_FRAMEWORK = {
        'DEFAULT _PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
        'PAGE_ SIZE': 5
    }

**Pagination Per View**

You can set the pagination class on an individual view by using the pagination class attribute.

    class StudentList(ListAPIView):
        queryset = Student.objects.all()
        serializer_class = StudentSerializer
        pagination_class = PageNumberPagination

### PageNumberPagination

- This pagination style accepts a single number page number in the request query parameters.
- To enable the PageNumberPagination style globally, use the following configuration, and set the PAGE_SIZE as desired:
    
REST_FRAMEWORK = {
    'DEFAULT_ PAGINATION_CLASS': rest_framework.pagination.PageNumberPagination',
    'PAGE_SIZE': 5
}
- `http://127.0.0.1:8000/studentapi/?page=3`

The PageNumberPagination class includes a number of attributes that may be overridden to modify the pagination style.

To set these attributes you should override the PageNumberPagination class, and then enable your custom pagination class.
- `django_paginator_class` - The Django Paginator class to use. Default is `django.core.paginator.Paginator`, which should be fine for most use cases.
- `page_size` - A numeric value indicating the page size. If set, this overrides the `PAGE_SIZE` setting. Defaults to the same value as the PAGE_ SIZE settings key.
- `page_query_param` - A string value indicating the name of the query parameter to use for the pagination control.
- `page_size_query_param` - If set, this is a string value indicating the name of a query parameter that allows the client to set the page size on a per-request basis. Defaults to None, indicating that the client may not control the requested page size.
- `max page_size` - If set, this is a numeric value indicating the maximum allowable requested page size. This attribute is only valid if page_size_query_ param is also set.
- `last_page_strings` - A list or tuple of string values indicating values that may be used with the `page_query_param` to request the final page in the set. Defaults to ('last',).
- `template` - The name of a template to use when rendering pagination controls in the browsable API. May be overridden to modify the rendering style, or set to None to disable HTML pagination controls completely. Defaults to "rest_framework/pagination/numbers.html".

<br>

    class MyPageNumberPagination(PageNumberPagination):
        page_size = 5
        page_size_query_param = 'records'
        max_page_size = 7
        
    class StudentList(ListAPIView):
        queryset = Student.objects.allO
        serializer _class = StudentSerializer
        pagination_class = MyPageNumberPagination

In [None]:
# settings.py:

REST_FRAMEWORK = {
    'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
    'PAGE_ SIZE': 5
}

In [None]:
# api/models.py:

from django. db import models
# Create your models here.

class Student(models .Model) :
    name = models.CharField(max_Length=50)
    roll = models.IntegerField()

In [None]:
# api/serializers.py:

from rest_framework import serializers
from .models import Student

class StudentSerializer (serializers.ModelSerializer):
    class Meta:
        model = Student
        fields = ['id', 'name', 'roll']

In [None]:
# api/urls.py:

from django.urls import path
from api import views
urlpatterns = [
    path('studentapi/', views.StudentList.as_view()),
]

In [None]:
# api/views.py;

from django. shortcuts import render
from .serializers import StudentSerializer
from models import Student
from rest_framework generics import ListAPIView

# Create your views here.
class StudentList(ListAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

Now request URL will look like: `http://127.0.0.1:8000/studentapi/?page=3`

In [None]:
# api/views.py:

from django. shortcuts import render
from .serializers import StudentSerializer
from .models import Student
from rest_framework.generics import ListAPIView
from rest_framework.pagination import PageNumberPagination

# Create your views here.
class StudentList(ListAPIView) :
queryset = Student.objects.all()
serializer_class = StudentSerializer
pagination_class = PageNumberPagination # locally or oer view

Above we also have to specify `page_size` but DRF recommends to not modify page size directly instead do by inheriting `PageNumberPagination` class:

In [None]:
# api/pagination.py:

from rest_framework.pagination import PageNumberPagination

class MyPageNumberPagination(PageNumberPagination):
    page_size = 5 # 5 records per page
    page_query_param = 'page number' # now url will: http://127.0.0.1:8000/studentapi/?page number=3

    # client can set no. of records he want to see using page_size_query_param
    page_size_query_param = 'records' # http://127.0.0.1:8000/studentapi/?page number=5&records=10
    max_page_size = 7 # display max 7 records even client set larger no. of records using page_size_query_param
    last_page_strings = 'end' # http://127.0.0.1:8000/studentapi/?page number=end --- >end of page

In [None]:
# api/views.py:

from django. shortcuts import render
from .serializers import StudentSerializer
from .models import Student
from rest_framework.generics import ListAPIView
from .paginations import MyPageNumberPagination

# Create your views here.
class StudentList(ListAPIView) :
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    pagination_class = MyPageNumberPagination

### LimitOffsetPagination

This pagination style mirrors the syntax used when looking up multiple database records. The client includes both a "limit" and an "offset" query parameter. The limit indicates the maximum number of items to return, and is equivalent to the `page_size` in other styles. The offset indicates the starting position of the query in
relation to the complete set of unpaginated items.

To enable the LimitOffsetPagination style globally, use the following configuration:

    REST_FRAMEWORK = {
        'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.LimitOffsetPagination'
    }

- `http://127.0.0.1:8000/studentapi/?limit=10&offset=50` --> limit means no. of records, offset means after how many records you want to see. Hence above url means Skips 50 records and returns 10 records.

The LimitOffsetPagination class includes a number of attributes that may be overridden to modify the pagination style.

To set these attributes you should override the LimitOffsetPagination class, and then enable your custom pagination class.
    
- `default_limit` - A numeric value indicating the limit to use if one is not provided by the client in a query parameter. Defaults to the same value as the PAGE_SIZE settings key.
- limit_query_param` - A string value indicating the name of the "limit" query parameter. Defaults to 'limit'.
- `offset_query_param` - A string value indicating the name of the "offset" query parameter. Defaults to 'offset'.
- `max_limit` - If set this is a numeric value indicating the maximum allowable limit that may be requested by the client. Defaults to None.
- `template` - The name of a template to use when rendering pagination controls in the browsable API. May be overridden to modify the rendering style, or set to None to disable HTML pagination controls completely. Defaults to "rest_framework/pagination/numbers.html".

In [None]:
# settings.py:

REST_FRAMEWORK = {
    'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.LimitOffsetPagination',
    'PAGE_SIZE': 5  # Default limit (optional)
}


In [None]:
# api/pagination.py:

from rest_framework.pagination import LimitOffsetPagination

class MyLimitOffsetPagination(LimitOffsetPagination):
    default_limit = 5 # by default display 5 records 
    limit_query_param = 'mylimit' # now url will: http://127.0.0.1:8000/studentapi/?mylimit=10&offset=50
    offset_query_param = 'myoffset' # now url will: http://127.0.0.1:8000/studentapi/?mylimit=10&myoffset=50
    max_limit = 6 # display max 6 records


In [None]:
# api/views.py:

from django. shortcuts import render
from .serializers import StudentSerializer
from .models import Student
from rest_framework.generics import ListAPIView
from .paginations import MyLimitOffsetPagination

# Create your views here.
class StudentList(ListAPIView) :
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    pagination_class = MyLimitOffsetPagination

### Cursor Pagination

The cursor-based pagination presents an opaque "cursor" indicator that the client may use to page through the result set. This pagination style only presents forward and reverse controls, and does not allow the client to navigate to arbitrary positions

Cursor based pagination requires that there is a unique, unchanging ordering of items in the result set. This ordering might typically be a creation timestamp on the records, as this presents a consistent ordering to paginate against.

The default is to order by "-created". This assumes that there must be a 'created' timestamp field on the model instances, and will present a "timeline" style paginated view, with the most recently added items first.

The CursorPagination class includes a number of attributes that may be overridden to modify the pagination style.

To set these attributes you should override the CursorPagination class, and then enable your custom pagination class.
- `page_size` - A numeric value indiçating the page size. If set, this overrides the PAGE_SIZE setting. Defaults to the same value as the PAGE_SIZE settings key.
- `cursor_query_param` - A string value indicating the name of the "cursor" query parameter. Defaults to 'cursor'.
- `ordering` - This should be a string, or list of strings, indicating the field against which the cursor based pagination will be applied. For example: ordering = 'slug'. Defaults to -created. This value may also be overridden by using OrderingFilter on the view.
- `template` - The name of a template to use when rendering pagination controls in the browsable API. May be overridden to modify the rendering style, or set to None to disable HTML pagination controls completely. Defaults to "rest_framework/pagination/previous_and_next.html".

In [None]:
# settings.py:

REST_FRAMEWORK = {
    'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.CursorPagination',
    'PAGE_SIZE': 5,  # Default page size
}


In [None]:
# api/views.py:

from django. shortcuts import render
from .serializers import StudentSerializer
from .models import Student
from rest_framework.generics import ListAPIView
from .paginations import MyCursorPagination

# Create your views here.
class StudentList(ListAPIView) :
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    pagination_class = MyCursorPagination

In [None]:
# api/pagination.py:

from rest_framework.pagination import CursorPagination

class MyCursorPagination(MCursorPagination):
    page_size = 3 # 10 record


Now if run server and hit url `studentapi/` then we will get error on webpage: 

`Field Error at /studentapi/
Cannot resolve keyword 'created' into field. Choices are: id, name, roll`

This because by default `CursorPagination` assumes we have a `created` field in our models which store timestamp and based on that field it will order cursor pagination. Since we don't have `created` field in our model then we need to explicitly specify other field to order by and for that we need specify `ordering` parameter: 

In [None]:
# api/pagination.py:

from rest_framework.pagination import CursorPagination

class MyCursorPagination(MCursorPagination):
    page_size = 3 # 10 record
    ordering = 'name' # order by
    cursor_query_param = 'cur' # now url will: http://127.0.0.1:8000/studentapi/?cur=cD0yMDI0LTAxLTAxVDAwOjAwOjAwLjAwMDAwMFo=


![image.png](attachment:635d04be-ca68-430c-b390-3a7c4696cf17.png)

# Serializers realtion

In [None]:
# api/models.py:

from django.db import models
# Create your models here.

class Singer(models.Model):
    name = models.CharField(max_Length=100)
    gender = models.CharField(max_Length=100)
    
    def __str__(self):
        return self.name
        
class Song(models.Model):
    title = models.CharField(max_Length=100)
    singer = models.Foreignkey(Singer, on_delete=models.CASCADE, related_name='song')
    duration = models.IntegerField()

    def __str__(self):
        return self.title

In [None]:
# api/admin.py:

from django. contrib import admin
from .models import Singer, Song

# Register your models here

@admin.register(Singer)
class SingerAdmin(admin.ModeLAdmin):
    list_display = ['id', 'name', 'gender']

@admin.register(Song)
class SongAdmin(admin.ModeLAdmin):
    list_display = ['id', 'title', 'singer', 'duration']

In [None]:
# api/serializers.py:

from models import Singer, Song
from rest_framework import serializers

class SongSerializer(serializers.ModelSerializer):
    class Meta:
        model = Song
        fields = ['id', 'title', 'singer', 'duration']

class SingerSerializer(serializers.ModelSerializer):
    class Meta:
        model = Singer
        fields = ['id', 'name', 'gender', 'song'] 
        # above 'song' is attribute related_name used in singer field of Singer model 

In [None]:
# api/views.py:

from django. shortcuts import render
from .serializers import SingerSerializer, SongSerializer
from rest_framework import viewsets
from .models import Singer, Song

class SingerViewSet(viewsets.ModelViewSet) :
    queryset = Singer.objects.all()
    serializer_class = SingerSerializer
    
class SonViewSet(viewsets.ModelViewSet):
    queryset = Song.objects.all()
    serializer_class = SongSerializer

In [None]:
# api/urls.py

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import SingerViewSet, SongViewSet

# Initialize the router
router = DefaultRouter()

# Register the viewsets with the router
router.register(r'singer', SingerViewSet, basename='singer')
router.register(r'song ', SongViewSet, basename='song')

# Define the URL patterns
urlpatterns = [
    # Include the router's URLs
    path('', include(router.urls)),

    # Include default authentication URLs provided by DRF
    path('auth/', include('rest_framework.urls', namesapce='rest_framework')),  # Login, logout, etc.
]


In [None]:
# project/urls.py

from django.contrib import admin
from django.urls import path, include

urlpatterns = [
    path('admin/', admin.site.urls),  # Admin URLs
    path('', include('api.urls')),  # Include the app-level urls for the API
]


Now if we hit `singer/` url we get all singer data and in `song` field we will get song id instead of song name. We can display song name by adding following changes in `serializers.py`:

In [None]:
# api/serializers.py:

from models import Singer, Song
from rest_framework import serializers

class SongSerializer(serializers.ModelSerializer):
    class Meta:
        model = Song
        fields = ['id', 'title', 'singer', 'duration']

class SingerSerializer(serializers.ModelSerializer):
    song = serializers.StringRelatedField(many=True, read_onLy=True) # updated code
    class Meta:
        model = Singer
        fields = ['id', 'name', 'gender', 'song'] 
        # above 'song' is attribute related_name used in singer field of Singer model 

Now we can see song name instead of song id. Similar to 'StringRelatedField' we also have:

- serializers.PrimaryKeyRelatedField(many=True, read_onLy=True)
- serializers.HyperlinkedRelatedField(many=True, read_onLy=True, view_name='song-detail')
- serializers.SlugRelatedField(many=True, read_onLy=True, slug_field='title')
- serializers.HyperlinkedIdentityField(view_name='song-detail')

### Foreign Key (One-to-Many)

A ForeignKey represents a one-to-many relationship. For example, if you have a Student model with a foreign key to a Class model, each student can belong to one class, but a class can have multiple students.

In [None]:
# ap/models.py:

from django.db import models

class Class(models.Model):
    name = models.CharField(max_length=100)
    
    def __str__(self):
        return self.name

class Student(models.Model):
    name = models.CharField(max_length=100)
    age = models.IntegerField()
    class_enrolled = models.ForeignKey(Class, related_name='students', on_delete=models.CASCADE)

    def __str__(self):
        return self.name

In [None]:
# api/serializers.py:

from rest_framework import serializers
from .models import Student, Class

class ClassSerializer(serializers.ModelSerializer):
    class Meta:
        model = Class
        fields = ['id', 'name']

class StudentSerializer(serializers.ModelSerializer):
    class_enrolled = ClassSerializer()

    class Meta:
        model = Student
        fields = ['id', 'name', 'age', 'class_enrolled']


**Response Example:**

    {
      "id": 1,
      "name": "John Doe",
      "age": 20,
      "class_enrolled": {
        "id": 1,
        "name": "Mathematics"
      }
    }

In this example, the Student model has a foreign key to the Class model. In the serializer, we represent this foreign key relationship by using the ClassSerializer to serialize the related Class object.

### Many-to-Many Relationship

A Many-to-Many relationship allows multiple instances of one model to be related to multiple instances of another model.

In [None]:
# api/models.py

class Course(models.Model):
    name = models.CharField(max_length=100)

    def __str__(self):
        return self.name

class Student(models.Model):
    name = models.CharField(max_length=100)
    courses = models.ManyToManyField(Course)

    def __str__(self):
        return self.name


In [None]:
# api/serializers.py:

class CourseSerializer(serializers.ModelSerializer):
    class Meta:
        model = Course
        fields = ['id', 'name']

class StudentSerializer(serializers.ModelSerializer):
    courses = CourseSerializer(many=True)

    class Meta:
        model = Student
        fields = ['id', 'name', 'courses']


**Response Example:**

    {
      "id": 1,
      "name": "John Doe",
      "courses": [
        {
          "id": 1,
          "name": "Math"
        },
        {
          "id": 2,
          "name": "Science"
        }
      ]
    }

In this case, courses is a many-to-many field, and we use a nested CourseSerializer to display the related Course instances.

### One-to-One Relationship

A One-to-One relationship is when a single instance of one model is related to a single instance of another model.

In [None]:
# api/models.py:

class Profile(models.Model):
    bio = models.TextField()
    student = models.OneToOneField(Student, on_delete=models.CASCADE)

    def __str__(self):
        return self.student.name


In [None]:
# api/serializers.py:

class ProfileSerializer(serializers.ModelSerializer):
    student = StudentSerializer()

    class Meta:
        model = Profile
        fields = ['id', 'bio', 'student']


**Response Example:**

    {
      "id": 1,
      "bio": "Loves math and science",
      "student": {
        "id": 1,
        "name": "John Doe",
        "age": 20
      }
    }

In this case, a Profile is related to a single Student via a one-to-one relationship, and the StudentSerializer is nested within the ProfileSerializer to display the related student.

### Nested Relationships (Related Data in a Serializer)

Using `PrimaryKeyRelatedField`

Sometimes, instead of embedding the entire related object in a response, you may want to represent the relationship by using just the primary key of the related object.

In [None]:
# api/models.py:

class Student(models.Model):
    name = models.CharField(max_length=100)
    age = models.IntegerField()

class Assignment(models.Model):
    student = models.ForeignKey(Student, on_delete=models.CASCADE)
    name = models.CharField(max_length=100)


In [None]:
# api/serializers.py:

class AssignmentSerializer(serializers.ModelSerializer):
    student = serializers.PrimaryKeyRelatedField(queryset=Student.objects.all())

    class Meta:
        model = Assignment
        fields = ['id', 'name', 'student']


**Response Example:**

    {
      "id": 1,
      "name": "Math Assignment",
      "student": 1
    }

Here, we use `PrimaryKeyRelatedField` to represent the student as just a primary key (ID) instead of embedding the entire Student object.

**Related Field Types in DRF:**
- `PrimaryKeyRelatedField`: Represents the related object by its primary key (ID).
- `StringRelatedField`: Displays a string representation of the related model.
- `SlugRelatedField`: Similar to `PrimaryKeyRelatedField`, but uses a slug field for relationships.
- `HyperlinkedRelatedField`: Represents the relationship with a URL instead of the primary key.
- `ManyRelatedField`: Used for many-to-many relationships.

# Hyperlinked Model Serializer

A HyperlinkedModelSerializer is similar to ModelSerializer, but instead of using primary keys for relationships, it uses hyperlinks (URLs).

In [None]:
# api/models.py:

from django.db import models
# Create your models here.

class Student(models.Model) :
    name = models.CharField(max_Length=50)
    roll = models.IntegerField()
    city = models.CharField(max_Length=50) 

In [None]:
# api/admin.py:

from django. contrib import admin
from -models import Student

# Register your models here.
@admin.register(Student)
class StudentAdmin(admin.ModelAdmin):
    list_display = ['id', 'name', 'roll', 'city']

In [None]:
# api/serializers.py:

from rest_framework import serializers
from .models import Student

class StudentSerializer(serializers.HyperLinkedModelSerializer):
    class Meta:
        model = Student
        fields = ['id', 'url', 'name', 'roll', 'city']

In [None]:
# api/views.py:

from django. shortcuts import render
from .serializers import StudentSerializer
from models import Student
from rest_framework import viewsets

class StudentModelViewSet(viewsets.ModelViewSet):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer

In [None]:
# api/urls.py

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import StudentModelViewSet

# Initialize the router
router = DefaultRouter()

# Register the viewsets with the router
router.register(r'studentapi', views.StudentModelViewSet, basename='student')

# Define the URL patterns
urlpatterns = [
    # Include the router's URLs
    path('', include(router.urls)),
]


Now when we hit `studentapi/` we will observer our data have extra field `url`.

<br>
    
**When to Use HyperlinkedModelSerializer?**
- When you want to expose resource URLs instead of raw IDs.
- When RESTful API navigation is important.
- When clients need links to access related data easily

<br>

**Another Example:**

In [None]:
# api/models.py

from django.db import models

class Singer(models.Model):
    name = models.CharField(max_length=100)
    gender = models.CharField(max_length=10)

    def __str__(self):
        return self.name

class Song(models.Model):
    title = models.CharField(max_length=100)
    singer = models.ForeignKey(Singer, related_name='songs', on_delete=models.CASCADE)
    duration = models.FloatField()

    def __str__(self):
        return self.title


In [None]:
# api/serializers.py:

from rest_framework import serializers
from .models import Singer, Song

class SingerSerializer(serializers.HyperlinkedModelSerializer):
    songs = serializers.HyperlinkedRelatedField(
        many=True,  # A singer can have multiple songs
        read_only=True,
        view_name='song-detail'  # URL pattern name for SongViewSet
    )

    class Meta:
        model = Singer
        fields = ['url', 'id', 'name', 'gender', 'songs']  # 'url' will be auto-generated

class SongSerializer(serializers.HyperlinkedModelSerializer):
    singer = serializers.HyperlinkedRelatedField(
        queryset=Singer.objects.all(),
        view_name='singer-detail'  # URL pattern name for SingerViewSet
    )

    class Meta:
        model = Song
        fields = ['url', 'id', 'title', 'singer', 'duration']


In [None]:
# api/views.py:

from rest_framework import viewsets
from .models import Singer, Song
from .serializers import SingerSerializer, SongSerializer

class SingerViewSet(viewsets.ModelViewSet):
    queryset = Singer.objects.all()
    serializer_class = SingerSerializer

class SongViewSet(viewsets.ModelViewSet):
    queryset = Song.objects.all()
    serializer_class = SongSerializer


In [None]:
# api/urls.py:

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import SingerViewSet, SongViewSet

router = DefaultRouter()
router.register(r'singers', SingerViewSet, basename='singer')
router.register(r'songs', SongViewSet, basename='song')

urlpatterns = [
    path('', include(router.urls)),
    path('auth/', include('rest_framework.urls')),  # Login/logout
]


**How It Works**

The `HyperlinkedModelSerializer` automatically includes a url field for each resource. Instead of an ID reference, related fields use hyperlinks:

**Example Response for `/api/singers/`:**

    [
        {
            "url": "http://127.0.0.1:8000/api/singers/1/",
            "id": 1,
            "name": "Arijit Singh",
            "gender": "Male",
            "songs": [
                "http://127.0.0.1:8000/api/songs/1/",
                "http://127.0.0.1:8000/api/songs/2/"
            ]
        }
    ]

**Example Response for `/api/songs/`:**

    [
        {
            "url": "http://127.0.0.1:8000/api/songs/1/",
            "id": 1,
            "title": "Tum Hi Ho",
            "singer": "http://127.0.0.1:8000/api/singers/1/",
            "duration": 4.22
        }
    ]


**Advantages of HyperlinkedModelSerializer:**
- Better RESTful API Navigation – URLs help clients navigate related resources easily.
- More Readable – Instead of raw IDs, API consumers get meaningful URLs.
- Useful for Browsable API – Helps when using Django REST Framework's web UI.

![image.png](attachment:03e3e38f-aa91-4a58-8a99-e8f732cc7b49.png)

# Nested Serializer 

A Nested Serializer allows embedding related objects inside a serializer instead of just providing a reference (like an ID or URL). This is useful when dealing with one-to-many or many-to-many relationships.

In [None]:
# api/models.py:

from django.db import models
# Create your models here.

class Singer(models.Model):
    name = models.CharField(max_Length=100)
    gender = models.CharField(max_Length=100)
    
    def __str__(self):
        return self.name
        
class Song(models.Model):
    title = models.CharField(max_Length=100)
    singer = models.Foreignkey(Singer, on_delete=models.CASCADE, related_name='song')
    duration = models.IntegerField()

    def __str__(self):
        return self.title

In [None]:
# api/admin.py:

from django. contrib import admin
from .models import Singer, Song

# Register your models here

@admin.register(Singer)
class SingerAdmin(admin.ModeLAdmin):
    list_display = ['id', 'name', 'gender']

@admin.register(Song)
class SongAdmin(admin.ModeLAdmin):
    list_display = ['id', 'title', 'singer', 'duration']

In [None]:
# api/serializers.py:

from .models import Singer, Song
from rest_framework import serializers

class SongSerializer(serializers.ModelSerializer):
    class Meta:
        model = Song
        fields = ['id', 'title', 'singer', 'duration']
        
class SingerSerializer(serializers.ModelSerializer):
    class Meta:
        model = Singer
        fields = ['id', 'name', 'gender']

In [None]:
# api/views.py:

from django. shortcuts import render
from .serializers import SingerSerializer, SongSerializer
from rest_framework import viewsets
from .models import Singer, Song

class SingerViewSet(viewsets.ModelViewSet) :
    queryset = Singer.objects.all()
    serializer_class = SingerSerializer
    
class SonViewSet(viewsets.ModelViewSet):
    queryset = Song.objects.all()
    serializer_class = SongSerializer

In [None]:
# api/urls.py

from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import SingerViewSet, SongViewSet

# Initialize the router
router = DefaultRouter()

# Register the viewsets with the router
router.register(r'singer', SingerViewSet, basename='singer')
router.register(r'song ', SongViewSet, basename='song')

# Define the URL patterns
urlpatterns = [
    # Include the router's URLs
    path('', include(router.urls)),

    # Include default authentication URLs provided by DRF
    path('auth/', include('rest_framework.urls', namesapce='rest_framework')),  # Login, logout, etc.
]


Now we hit url `song/` then we see all data of song along with singer id and if we hit `singer/` then we see singer data only but we also want song detail along singer details then we need to use nested serializers by making changes in `serializers.py`:

In [None]:
# api/serializers.py:

from .models import Singer, Song
from rest_framework import serializers

class SongSerializer(serializers.ModelSerializer):
    class Meta:
        model = Song
        fields = ['id', 'title', 'duration'] # Exclude 'singer' to avoid circular references
        
class SingerSerializer(serializers.ModelSerializer):
    songs = SongSerializer(many=True, read_only=True) # Nest the SongSerializer
    class Meta:
        model = Singer
        fields = ['id', 'name', 'gender', 'sungby'] # updated code

`songs = SongSerializer(many=True, read_only=True):`
- This embeds song details inside each singer instead of just returning song IDs.
- read_only=True ensures songs cannot be created/updated directly inside the singer.

**GET `singer/`**
    
    [
        {
            "id": 1,
            "name": "Arijit Singh",
            "gender": "Male",
            "sungs": [
                {
                    "id": 1,
                    "title": "Tum Hi Ho",
                    "duration": 4.22
                },
                {
                    "id": 2,
                    "title": "Channa Mereya",
                    "duration": 5.12
                }
            ]
        }
    ]

The songs are embedded inside the singer, eliminating the need for an extra API request to fetch songs separately.

<br>
    
**When to Use a Nested Serializer?**
- When you want to include detailed related object data instead of just IDs or URLs.
- When you need to send and receive nested data in a single request.
- When optimizing API responses for fewer requests.

### Making Nested Data Writable (Create Songs Along with Singer)

If you want to create or update related Song objects while creating a Singer, modify the serializer:

In [None]:
# api/serializers.py:

class SingerSerializer(serializers.ModelSerializer):
    songs = SongSerializer(many=True)  # Remove read_only=True

    class Meta:
        model = Singer
        fields = ['id', 'name', 'gender', 'songs']

    def create(self, validated_data):
        songs_data = validated_data.pop('songs')  # Extract nested songs
        singer = Singer.objects.create(**validated_data)  # Create Singer
        for song_data in songs_data:
            Song.objects.create(singer=singer, **song_data)  # Create each Song
        return singer


Now, you can create a Singer along with their Songs:

**POST `singer/`**

    {
        "name": "Arijit Singh",
        "gender": "Male",
        "songs": [
            {"title": "Tum Hi Ho", "duration": 4.22},
            {"title": "Channa Mereya", "duration": 5.12}
        ]
    }

This will create both the singer and their songs in one request.

![image.png](attachment:d5567c33-68fe-4d5e-950c-ce5884329a0f.png)

# Django API Project and How to Disable Browsable API in Production

Let's say we have a Django project that perform basic CRUD operation and we want to create API(fully independent) for this existing project using existing model of project. 

1. Update `settings.py` by adding `rest_framework` in `INSTALLED_APPS`
2. First we create a folder let's say 'api' inside our app folder 'enroll`(enroll is app name).
3. Create files like: `serializers.py`, `urls.py`, `views.py` inside our `api` folder which we created in first step.
4. Then write code in these files: `serializers.py`, `urls.py`, `views.py`. We can add other files as well like: 'auth.py', 'permission.py' and so on as per requirement.
5. Update `urls.py` at project level so that it will aware of `urls.py` file of `api` folder.

In [None]:
# enroll/models.py:

from django.db import models

# Create your models here.
class User(models.Model):
    name = models.CharField(max_Length=70)
    email = models.EmailField(max_Length=100)
    password = models.CharField(max_Length=100)

In [None]:
# Step1- settings.py:

INSTALLED_APPS = [
    "django.contrib.admin",
    "django.contrib.auth",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django.contrib.messages",
    "django.contrib.staticfiles",
    
    "rest_framework", # should be added to use DRF
    "enroll", # app name
]  

In [None]:
# Step4- enroll/api/serializers.py:

from enroll.models import User
from rest_framework import serializers

class UserSerializer (serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ['id', 'name', 'email', 'password']

In [None]:
# Step4- enroll/api/views.py:

from enroll.models import User
from enroll.api.serializers import UserSerializer
from rest_framework import viewsets
from rest_framework. authentication import SessionAuthentication
from rest_framework-permissions import IsAuthenticatedOrReadOnly

class UserViewSet(viewsets.ModelViewSet):
    queryset = User objects.all()
    serializer_class = UserSerializer
    authentication_classes = [SessionAuthentication]
    permission_classes = [IsAuthenticatedOrReadOnly]

In [None]:
# Step4- enroll/api/urls.py:

from django.urls import path, include
from enroll.api import views
from rest_framework.routers import DefaultRouter

router = DefaultRouter ()
router.register('crud', views.UserViewset, basename='user')

urlpatterns = [
    path('', include(router.urls))
]

In [None]:
# Step5- project/urls.py:

from django.contrib import admin
from django.urls import path, include

urlpatterns = [
    path( 'admin/', admin.site.urls),
    path('api/', include('enroll.api.urls')) # urls of api folder
]

Now if we perform any CRUD operation through api then that will refelect in application as well and we can access that data in django application and if we perform any CRUD operation through django application then that will also refelect in api and we can access that data from api as well. 

**Disable browsable api in production:**

In [None]:
# settings.py:

REST_FRAMEWORK = {
    'DEFAULT_RENDERER_CLASSES' : ('rest_framework.renderers.JSONRenderer',)
}

# END OF DRF