I am using Djoser for authentication in my WebApp and it is pretty fine. However, I'm concerned about some endpoints, like auth/users, which returns all users if a token is passed. I won't be using this endpoint and will disable it in the frontend, as I don't want my users to use it either. But still, I'm concerned. How can I disable these unused endpoints provided by Djoser?
It's not easily possible to completely disable the endpoints. Maybe restricting this endpoint for admin only will be sufficient?
You could try setting the rest_framework.permissions.IsAdminUser permission for the user_list view. Something like this should work:
    DJOSER = {
        'PERMISSIONS': {
            'user_list': ['rest_framework.permissions.IsAdminUser'],
        }
    }
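As an added illustration (not part of the original answer or of Djoser itself), the same PERMISSIONS mechanism can carry a deny-everything class, which shuts the user list off for everyone rather than only restricting it to staff. The module path myproject.permissions and the request stand-ins are assumptions; the permission checks mirror what DRF's check_permissions() does.

```python
# Added example: a deny-all permission for Djoser's PERMISSIONS map, shown next
# to a staff-only rule equivalent to rest_framework.permissions.IsAdminUser.
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except ImportError:  # stand-in so the module imports without DRF installed
    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True


class DenyAll(BasePermission):
    """Refuses every request, so DRF rejects the call with 403/401."""

    def has_permission(self, request, view):
        return False

    def has_object_permission(self, request, view, obj):
        return False


class StaffOnly(BasePermission):
    """Same rule IsAdminUser applies: the request user must have is_staff."""

    def has_permission(self, request, view):
        user = getattr(request, "user", None)
        return bool(user and getattr(user, "is_staff", False))


# Settings fragment; "myproject.permissions" is a hypothetical module path.
# Djoser resolves the dotted strings to classes itself.
DJOSER = {
    "PERMISSIONS": {
        "user_list": ["myproject.permissions.DenyAll"],
    }
}


def endpoint_allowed(request, permission_classes, view=None):
    """Mirror DRF's check_permissions(): every listed class must grant access."""
    return all(cls().has_permission(request, view) for cls in permission_classes)


def fake_request(is_staff):
    """Constructed stand-in for a DRF request that carries a user object."""
    return SimpleNamespace(user=SimpleNamespace(is_staff=is_staff))
```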