Our current version of the API processes all incoming requests without requiring any kind of authentication. Django REST Framework allows us to easily use different authentication schemes to identify the user that originated the request, or the token that signed the request. We can then use these credentials to apply the permission and throttling policies that determine whether the request is permitted or not.
Similar to other configurations, we can set the authentication schemes globally and then override them if necessary in a class-based view or a function view. A list of classes specifies the authentication schemes. Before running the code for the view, Django REST framework tries the specified classes in the order in which they appear in the list. The first class in the list that authenticates the request successfully (in case we specify more than one class) is responsible for setting the values of the following two properties:

request.user: The user model instance. We will use an instance of the django.contrib.auth.User class, that is, a Django User instance, in our examples.

request.auth: Additional authentication information, such as an authentication token.

If no class in the list recognizes the credentials in the request, request.user is set to an AnonymousUser instance and request.auth to None. If a class does recognize the credentials but rejects them (for example, a wrong password or an unknown token), it raises an authentication error and the request fails right there, without trying the remaining classes. After a successful authentication, we can use the request.user property in our class-based view methods that receive the request parameter to retrieve additional information about the user that generated the request.
Django REST Framework provides the following three authentication classes in the rest_framework.authentication module. All of them are subclasses of the BaseAuthentication class:

BasicAuthentication: Provides HTTP Basic authentication against a username and password. If we use it in production, we must make sure that the API is only available over HTTPS, because the credentials travel base64-encoded, not encrypted, in every request.

SessionAuthentication: Works with Django's session framework for authentication. Because the browser sends the session cookie automatically, this class also enforces Django's CSRF check on unsafe requests (POST, PUT, PATCH and DELETE) coming from an authenticated session.

TokenAuthentication: Provides simple token-based authentication. The request must include the token generated for a user in the Authorization HTTP header, with "Token " as a prefix for the token.

First, we will use a combination of BasicAuthentication and SessionAuthentication. We could also take advantage of the TokenAuthentication class later. Make sure you quit Django's development server. Remember that you just need to press Ctrl + C in the terminal or command-prompt window in which it is running.
Open the gamesapi/settings.py file and add the DEFAULT_AUTHENTICATION_CLASSES key-value pair (the last entry in the listing below) to the dictionary named REST_FRAMEWORK. It configures the global default authentication classes. The code file for the sample is included in the restful_python_chapter_03_04 folder, as shown:
REST_FRAMEWORK = {
'DEFAULT_PAGINATION_CLASS':
'games.pagination.LimitOffsetPaginationWithMaxLimit',
'PAGE_SIZE': 5,
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.BasicAuthentication',
'rest_framework.authentication.SessionAuthentication',
)
}
The value for the DEFAULT_AUTHENTICATION_CLASSES settings key specifies a global setting: a tuple of strings whose values indicate the classes that we want to use for authentication, listed in the order in which they will be tried.
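To make the chain semantics concrete, here is an added example that is not part of the book's code or of Django REST Framework: a plain-Python re-implementation of the authenticate() contract that BasicAuthentication and TokenAuthentication follow (return a (user, auth) pair on success, None when the Authorization header is not for this scheme so the next class gets a turn, and raise when the header is for this scheme but the credentials are wrong), plus the loop that picks the first winner. The User and Request classes, the USERS and TOKENS dictionaries, the username "kevin", the password and the token value are all constructed stand-ins for the Django user table and the DRF authtoken table; SessionAuthentication is not simulated because it depends on Django's session machinery.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass, field

# Constructed stand-ins for the Django/DRF objects involved; real code would use
# django.contrib.auth.User and DRF's rest_framework.request.Request.
@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True

ANONYMOUS = User("AnonymousUser", is_authenticated=False)

@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    user: User = ANONYMOUS
    auth: object = None

class AuthenticationFailed(Exception):
    """Credentials were supplied but are invalid: the chain stops and the request fails."""

# Hypothetical credential stores standing in for the users and authtoken tables.
USERS = {"kevin": "s3cret"}
TOKENS = {"9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b": "kevin"}

def basic_header(username, password):
    """Build the 'Authorization: Basic <base64(user:pass)>' value a client sends."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

class BasicAuthentication:
    def authenticate(self, request):
        parts = request.headers.get("Authorization", "").split()
        if not parts or parts[0].lower() != "basic":
            return None                      # not our scheme: let the next class try
        if len(parts) != 2:
            raise AuthenticationFailed("Invalid basic header.")
        try:
            decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            raise AuthenticationFailed("Invalid basic header.")
        username, _, password = decoded.partition(":")
        expected = USERS.get(username, "")
        # Constant-time comparison so a wrong password costs the same time whatever prefix matched.
        valid = username in USERS and hmac.compare_digest(password.encode(), expected.encode())
        if not valid:
            raise AuthenticationFailed("Invalid username/password.")
        return User(username), None          # DRF's BasicAuthentication also sets auth to None

class TokenAuthentication:
    keyword = "Token"                        # the prefix DRF expects: "Authorization: Token <key>"

    def authenticate(self, request):
        parts = request.headers.get("Authorization", "").split()
        if not parts or parts[0] != self.keyword:
            return None
        if len(parts) != 2:
            raise AuthenticationFailed("Invalid token header.")
        username = TOKENS.get(parts[1])
        if username is None:
            raise AuthenticationFailed("Invalid token.")
        return User(username), parts[1]      # auth carries the token that signed the request

def authenticate_headers(headers, authenticators=None):
    """Run the chain the way DRF does: the first class returning a (user, auth)
    pair wins; if none claims the request the user stays anonymous and auth is None."""
    request = Request(headers=dict(headers))
    chain = authenticators if authenticators is not None else [BasicAuthentication(), TokenAuthentication()]
    try:
        for authenticator in chain:
            result = authenticator.authenticate(request)
            if result is not None:
                request.user, request.auth = result
                return {"by": type(authenticator).__name__, "user": request.user.username, "auth": request.auth}
    except AuthenticationFailed as exc:
        return {"by": None, "error": str(exc)}
    return {"by": None, "user": request.user.username, "auth": None}

if __name__ == "__main__":
    print(authenticate_headers({"Authorization": basic_header("kevin", "s3cret")}))
    print(authenticate_headers({"Authorization": "Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b"}))
    print(authenticate_headers({"Authorization": basic_header("kevin", "wrong")}))
    print(authenticate_headers({}))
```

The distinction between returning None and raising is the security-relevant one: a class that returned None for a malformed or wrong credential would silently fall through to the next scheme (and, with nothing else matching, to an anonymous request), which is exactly what a client probing the API wants.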
Permissions use the authentication information included in the request.user
and request.auth
properties to determine whether the request should be granted or denied access. Permissions allow us to control which classes of users will be granted or denied access to the different features or parts of our API.
For example, we will use the permissions features in Django REST framework to allow authenticated users to create games. Unauthenticated users will only be allowed read-only access to games. Only the user that created a game will be able to make changes to it, and therefore we will make the necessary changes in our API so that a game has an owner user. We will use predefined permission classes and a customized permission class to define the explained permission policies.
Throttling is the third check that determines whether a request is served. Throttles control the rate of requests that users can make to our API. For example, we want to limit unauthenticated users to a maximum of 5 requests per hour. We want to restrict authenticated users to a maximum of 20 requests to the games-related views per day.
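The two limits just stated, as an added example that is neither the book's code nor Django REST Framework itself: a sliding-window throttle using the same algorithm as DRF's SimpleRateThrottle (keep the timestamps of recent requests per cache key, discard the ones that fell out of the window, refuse once num_requests remain inside it) and the same "5/hour" rate notation, keyed by client IP for anonymous requests and by user for the games scope. The User and Request classes, the dictionary standing in for Django's cache, the injectable clock, the scope name "games" and the IP address are all assumptions made for the example; the simplified wait() only approximates the Retry-After value DRF computes.

```python
import time
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-ins for the Django user and the DRF request.
@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True

ANONYMOUS = User("AnonymousUser", is_authenticated=False)

@dataclass
class Request:
    user: User
    remote_addr: str                # anonymous throttles are keyed by client IP, as in DRF

def parse_rate(rate):
    """'5/hour' -> (5, 3600). Same notation DRF accepts in DEFAULT_THROTTLE_RATES;
    only the first letter of the period is significant (s, m, h, d)."""
    num, period = rate.split("/")
    duration = {"s": 1, "m": 60, "h": 3600, "d": 86400}[period[0]]
    return int(num), duration

class SlidingWindowThrottle:
    """Per-key request history in a dict (a stand-in for Django's cache)."""
    def __init__(self, rate, clock=time.time):
        self.num_requests, self.duration = parse_rate(rate)
        self.clock = clock          # injectable so the window can be advanced in tests
        self.history = defaultdict(list)

    def allow_request(self, key):
        now = self.clock()
        # Drop timestamps that have left the window, then count what is left.
        history = [t for t in self.history[key] if t > now - self.duration]
        allowed = len(history) < self.num_requests
        if allowed:
            history.insert(0, now)  # newest first, the order DRF keeps
        self.history[key] = history
        return allowed

    def wait(self, key):
        """Seconds until the oldest in-window request expires (simplified Retry-After)."""
        history = self.history[key]
        if len(history) < self.num_requests:
            return 0.0
        return max(0.0, history[-1] + self.duration - self.clock())

class GamesApiThrottling:
    """Anonymous clients: 5/hour per IP. Authenticated users: 20/day on the games views."""
    def __init__(self, clock=time.time):
        self.anon = SlidingWindowThrottle("5/hour", clock)
        self.games = SlidingWindowThrottle("20/day", clock)

    def allow(self, request, throttle_scope):
        if not request.user.is_authenticated:
            return self.anon.allow_request("throttle_anon_" + request.remote_addr)
        if throttle_scope == "games":
            return self.games.allow_request("throttle_games_" + request.user.username)
        return True                 # no rate configured for other scopes

if __name__ == "__main__":
    throttles = GamesApiThrottling()
    anon = Request(ANONYMOUS, "203.0.113.7")
    print([throttles.allow(anon, "games") for _ in range(6)])   # five True, then False
```

Two caveats a practitioner would check before relying on this in production: the anonymous key is only as trustworthy as the client address your deployment sees (behind a proxy, make sure REMOTE_ADDR is the real client and not the proxy), and a per-process dictionary does not share state across workers, which is why DRF stores the history in the configured Django cache.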