almost 8 years ago

How to use Django REST Framework's Token Based Authentication

To enable token based authentication using DRF, the following steps need to be done (I am using Django 1.8.5 and DRF 3.2.4):

  1. Do the following things BEFORE you create the superuser. Otherwise, the superuser does not get his/her token created.

  2. Go to settings.py and add the following:

INSTALLED_APPS = (
    'rest_framework',
    'rest_framework.authtoken',
    'myapp',
)

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
    )
}
  1. Add the following code in myapp's models.py:
from django.db.models.signals import post_save
from django.dispatch import receiver
from rest_framework.authtoken.models import Token
from django.conf import settings

# This code is triggered whenever a new user has been created and saved to the database

@receiver(post_save, sender=settings.AUTH_USER_MODEL)
def create_auth_token(sender, instance=None, created=False, **kwargs):
    if created:
        Token.objects.create(user=instance)

Alternatively, if you want to be more explicit, create a file named signals.py under myapp project. Put the code above in it, then in init.py, write import signals

  1. Open up a console window, navigate to your project dir, and enter the following command:
python manage.py migrate
python manage.py makemigrations

Take a look in your database, a table named authtoken_token should be created with the following fields: key (this is the token value), created (the datetime it was created), user_id (a foreign key that references the auth_user table's id column)

  1. create a superuser with python manage.py createsuperuser. Now, take a look at the authtoken_token table in your DB with select * from authtoken_token;, you should see a new entry has been added.

  2. Using curl or a much simpler alternative httpie to test access to your api, I am using httpie:

http GET 127.0.0.1:8000/whatever 'Authorization: Token your_token_value'

That's it. From now on, for any API access, you need to include the following value in the HTTP header (pay attention to the whitespaces):

Authorization: Token your_token_value
  1. (Optional) DRF also provides the ability to return a user's token if you supply the username and password. All you have to do is to include the following in urls.py:
from rest_framework.authtoken import views

urlpatterns = [
    ...
    url(r'^api-token-auth/', views.obtain_auth_token),
]

Using httpie to verify:

http POST 127.0.0.1:8000/api-token-auth/ username='admin' password='whatever'

In the return body, you should see this:

{
    "token": "blah_blah_blah"
}

Improvements

DRF's token implementation lacks a few important features:

  • Tokens do not rotate
  • Tokens do not expire
  • The same token is shared among all the clients (PC browsers, smartphones, tablets, etc.)

The Django Oauth Toolkit should be considered as a step up.

← Understanding the Basics of Webpack Javascript's Bitwise Not operator (tilde) →
 
comments powered by Disqus