djangodjango-rest-frameworkdjango-rest-authdjango-rest-framework-simplejwt

How to use both simple jwt token authentication and BasicAuthentication?

I have an DRF api and I have implemented the simplejwt authentication system. It works well. It is usefull when I want to connect my api from external script (I don't need to store credential and just use the token).

However I also want to be able to use the DRF interface login when i reach my api from browser so I have implemented also the Basic and SessionAuthentication. Is it the good way to do that ?

in my settings.py

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework_simplejwt.authentication.JWTAuthentication',
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    ]
}

SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': timedelta(days=1), 
}

in my api views.py

from rest_framework.permissions import IsAuthenticated
from rest_framework.authentication import SessionAuthentication, BasicAuthentication
from rest_framework.decorators import permission_classes, authentication_classes

# Create your views here.
@api_view(['GET'])
#@authentication_classes([SessionAuthentication, BasicAuthentication])
@permission_classes([IsAuthenticated])
def get_all(request):
    
    # as a token is used, the user with this token is know in the requets
    user = request.user
    # show only mesures of user having the token provided
    mesures = Mesure.objects.filter(user_id=user.id)
    serializer = MesureSerializer(mesures, many=True)
    
    return Response(serializer.data)

In my urls.py

from rest_framework_simplejwt.views import TokenObtainPairView, TokenRefreshView

urlpatterns = [
    path('mesures/', views.get_all),
    path('mesure-add/', views.add_mesure),
    path('token/', TokenObtainPairView.as_view(), name='obtain_tokens'),
    path('token/refresh/', TokenRefreshView.as_view(), name='refresh_token'),
    path('api-auth/', include('rest_framework.urls'))
]

As you can see I had to comment the @authentication_classes decorator to make it work for both with token and login. Do you believe this is a good way to proceed ?

Solution

  • You should be fine with this because as per the DRF documentation -

    Because we now have a set of permissions on the API, we need to authenticate our requests to it if we want to edit any snippets. We haven't set up any authentication classes, so the defaults are currently applied, which are SessionAuthentication and BasicAuthentication.

    Source: Authenticating with the API

    Ref: Line 109: rest_framework/views.py and Line 40: rest_framework/settings.py