Understanding authentication, permissions and throttling

Our current version of the API processes all incoming requests without requiring any kind of authentication. Django REST Framework allows us to plug in different authentication schemes to identify the user who originated the request, or the token that was sent with it. We can then use those credentials to apply the permission and throttling policies that decide whether a request is allowed or rejected.

As with other settings, we can set the authentication schemes globally and then override them where necessary in a class-based view or a function-based view. The authentication schemes are specified as a list (or tuple) of classes. Django REST Framework tries the classes in that order before running the view code: a class that does not recognize the credentials in the request (an Authorization header for a different scheme, or no header at all) returns None and the next class is tried, whereas a class that recognizes the credentials but finds them invalid raises an exception and the request is rejected immediately, without consulting the remaining classes. The order also matters for error responses: when an unauthenticated request is denied, the first class in the list decides whether the API answers 401 Unauthorized with a WWW-Authenticate header (BasicAuthentication and TokenAuthentication provide one) or 403 Forbidden (SessionAuthentication does not). The first class that authenticates the request successfully sets the values of the following two properties:

  • request.user: The user model instance. We will use an instance of the django.contrib.auth.models.User class, that is, a Django User instance, in our examples.
  • request.auth: Additional authentication information, such as an authentication token. TokenAuthentication stores the Token instance here; BasicAuthentication and SessionAuthentication set it to None.

After a successful authentication, we can use the request.user property in any class-based view method or function-based view that receives the request parameter to retrieve additional information about the user who made the request. If no class authenticated the request, request.user holds an AnonymousUser instance whose is_authenticated property is False; authentication on its own never rejects a request that carries no credentials, that is the job of the permission classes.

Django REST Framework provides the following three commonly used authentication classes in the rest_framework.authentication module. All of them are subclasses of the BaseAuthentication class:

  • BasicAuthentication: Provides HTTP Basic authentication against a username and password. The credentials travel base64-encoded, not encrypted, in every request, so if we use it in production we must make sure that the API is only available over HTTPS.
  • SessionAuthentication: Works with Django's session framework for authentication. For unsafe methods (POST, PUT, PATCH and DELETE) it also enforces Django's CSRF check, so browser-based clients must send the CSRF token.
  • TokenAuthentication: Provides a simple token-based authentication. The request must include the token generated for a user in the Authorization HTTP header with "Token " as a prefix, for example Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b. It requires rest_framework.authtoken in INSTALLED_APPS, which adds the table that stores the tokens.
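The loop that DRF runs over the configured classes is easier to reason about when it is spelled out. The following block is an added example, not code from the book or from Django REST Framework: it models that loop and the header handling of BasicAuthentication and TokenAuthentication in plain Python, with stand-in User, Request and AuthenticationFailed types and two constructed credential tables (PASSWORDS and TOKENS), so that it runs without django or rest_framework installed. The behaviour it reproduces is the one described above: an unrecognized scheme yields None and the next class is tried, an invalid credential raises and stops the chain, and a request that nobody authenticates goes on as anonymous.

```python
# Added example, not the book's code: a model of the loop Django REST Framework
# runs over DEFAULT_AUTHENTICATION_CLASSES before a view executes. It imports
# neither django nor rest_framework; User, Request, AuthenticationFailed and
# the two credential tables are stand-ins so the block runs offline. The
# header parsing follows the real BasicAuthentication/TokenAuthentication
# classes: an unknown scheme yields None, a bad credential raises.
import base64
from dataclasses import dataclass, field


class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


@dataclass
class Request:
    META: dict = field(default_factory=dict)
    user: User = None     # filled in by the first authenticator that succeeds
    auth: object = None


# Constructed credential stores for the example (a real project checks the
# Django user table and rest_framework.authtoken's Token model instead).
PASSWORDS = {"kevin": "s3cret"}
TOKENS = {"9944b09199c62bcf9418ad846dd0e4bb": User("kevin")}


def _header_parts(request):
    return request.META.get("HTTP_AUTHORIZATION", "").split()


class BasicAuthentication:
    keyword = "basic"

    def authenticate(self, request):
        parts = _header_parts(request)
        # No header, or another scheme: "not mine", let the next class try.
        if not parts or parts[0].lower() != self.keyword:
            return None
        # The scheme matched, so anything wrong from here on is a hard failure:
        # DRF raises and does not consult the remaining classes.
        if len(parts) != 2:
            raise AuthenticationFailed("Invalid basic header.")
        try:
            decoded = base64.b64decode(parts[1], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            raise AuthenticationFailed("Invalid basic header.")
        username, _, password = decoded.partition(":")
        if PASSWORDS.get(username) != password:
            raise AuthenticationFailed("Invalid username/password.")
        return User(username), None


class TokenAuthentication:
    keyword = "token"

    def authenticate(self, request):
        parts = _header_parts(request)
        if not parts or parts[0].lower() != self.keyword:
            return None
        if len(parts) != 2:
            raise AuthenticationFailed("Invalid token header.")
        user = TOKENS.get(parts[1])
        if user is None:
            raise AuthenticationFailed("Invalid token.")
        return user, parts[1]   # request.auth becomes the token


DEFAULT_AUTHENTICATION_CLASSES = (BasicAuthentication, TokenAuthentication)


def authenticate(request, classes=DEFAULT_AUTHENTICATION_CLASSES):
    """Mirror of Request._authenticate: the first class returning a (user, auth)
    pair wins; a class that raises aborts the request. If every class returns
    None the request is NOT rejected here: it carries an anonymous user and the
    permission classes decide whether that is acceptable for the view."""
    for cls in classes:
        result = cls().authenticate(request)
        if result is not None:
            request.user, request.auth = result
            return request.user
    request.user, request.auth = User("AnonymousUser", is_authenticated=False), None
    return request.user


def basic_header(username, password):
    """Build the Authorization value a client sends for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def run(header):
    """Return ("ok", username), ("anon", None) or ("failed", reason)."""
    request = Request(META={"HTTP_AUTHORIZATION": header} if header else {})
    try:
        user = authenticate(request)
    except AuthenticationFailed as exc:
        return ("failed", str(exc))
    return ("ok", user.username) if user.is_authenticated else ("anon", None)
```

Note the asymmetry that matters for a client: a request with a Bearer header, or with no header, is not an error at this stage and simply arrives at the view as anonymous, whereas a malformed or wrong Basic or Token credential is rejected before the view runs.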

First, we will use a combination of BasicAuthentication and SessionAuthentication. We could also take advantage of the TokenAuthentication class later. Make sure you quit Django's development server. Remember that you just need to press Ctrl + C in the terminal or command-prompt window in which it is running.

Open the gamesapi/settings.py file and add the DEFAULT_AUTHENTICATION_CLASSES key-value pair to the dictionary named REST_FRAMEWORK; it configures the global default authentication classes. The code file for the sample is included in the restful_python_chapter_03_04 folder, as shown:

REST_FRAMEWORK = {
    'DEFAULT_PAGINATION_CLASS':
        'games.pagination.LimitOffsetPaginationWithMaxLimit',
    'PAGE_SIZE': 5,
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    ),
}

The value for the DEFAULT_AUTHENTICATION_CLASSES settings key specifies a global setting with a tuple of strings whose values are the dotted paths of the classes that we want to use for authentication, tried in the order given.

Permissions use the authentication information included in the request.user and request.auth properties to determine whether the request should be granted or denied access. Permissions allow us to control which classes of users will be granted or denied access to the different features or parts of our API. Note that Django REST Framework's default permission class is AllowAny, so configuring authentication alone restricts nothing: until we add permission classes, an anonymous request is served exactly like an authenticated one.

For example, we will use the permissions features in Django REST Framework to allow authenticated users to create games, while unauthenticated users will only be allowed read-only access to games. Only the user who created a game will be able to change it, and therefore we will make the necessary changes in our API so that each game has an owner user. We will use predefined permission classes and a customized permission class to define these permission policies.
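The policy just described maps onto two permission hooks that DRF calls at different points: has_permission before the view body runs, and has_object_permission only once a view has loaded a specific object through get_object(). The block below is an added example, not the book's code and not the project's eventual implementation: it writes the policy as two DRF-style permission classes plus a model of the create and update flows, using stand-in User, Game and Request dataclasses so that it runs without django or rest_framework installed (in the project the classes would subclass rest_framework.permissions.BasePermission, whose method names and signatures are reproduced here). The anonymous user is modelled as a User with is_authenticated False.

```python
# Added example, not the book's code: the permission policy described above
# (anonymous users read-only, authenticated users may create games, only a
# game's owner may change it) as DRF-style permission classes. Request, User
# and Game are stand-ins so the block runs without django or rest_framework;
# in the project the classes subclass rest_framework.permissions.BasePermission,
# whose method names and signatures are reproduced here.
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")   # the same tuple DRF uses


@dataclass(frozen=True)
class User:
    pk: int
    is_authenticated: bool = True   # False models Django's AnonymousUser


@dataclass
class Game:
    name: str
    owner: User


@dataclass
class Request:
    method: str
    user: User


class BasePermission:
    """Defaults mirror DRF: a hook that is not overridden allows the request."""

    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


class IsAuthenticatedOrReadOnly(BasePermission):
    """View-level check; DRF runs it before the view body and before any object is loaded."""

    def has_permission(self, request, view):
        return request.method in SAFE_METHODS or request.user.is_authenticated


class IsOwnerOrReadOnly(BasePermission):
    """Object-level check. DRF calls has_object_permission only from
    get_object(), i.e. for retrieve/update/destroy of one game; list and
    create never reach it, so they rely on has_permission alone."""

    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return True
        return obj.owner == request.user


PERMISSION_CLASSES = (IsAuthenticatedOrReadOnly, IsOwnerOrReadOnly)


def check_permissions(request, view=None):
    """Mirror of APIView.check_permissions: every class must allow the request."""
    return all(cls().has_permission(request, view) for cls in PERMISSION_CLASSES)


def check_object_permissions(request, obj, view=None):
    """Mirror of APIView.check_object_permissions: every class must allow the object."""
    return all(cls().has_object_permission(request, view, obj) for cls in PERMISSION_CLASSES)


def create_game(request, payload):
    """Model of the create flow. The owner is taken from request.user, never
    from the client payload: an 'owner' key sent by the client is ignored,
    which is what making the serializer's owner field read-only achieves."""
    if not check_permissions(request):
        return None
    return Game(name=payload["name"], owner=request.user)


def update_game(request, game, payload):
    """Model of the update flow: view-level check first, then the object-level check."""
    if not (check_permissions(request) and check_object_permissions(request, game)):
        return False
    game.name = payload["name"]
    return True
```

Two points from the model carry over to the real project: the owner must come from request.user and the owner field must be read-only in the serializer, otherwise a client can create a game on someone else's behalf or reassign one; and a custom object-level permission is only enforced on views that call get_object(), so a list or bulk endpoint that filters a queryset by hand must apply the ownership rule itself.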

Throttling also plays a part in deciding whether a request is allowed through. Throttles control the rate of requests that users can make to our API; a request that exceeds the configured rate is rejected with HTTP 429 Too Many Requests. For example, we want to limit unauthenticated users to a maximum of 5 requests per hour, and we want to restrict authenticated users to a maximum of 20 requests per day to the games-related views. Throttling is a capacity and abuse-control measure, not an authentication control: anonymous requests are counted per client address, so the limit is only as reliable as the address the API sees.
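A rate such as "5/hour" is not a calendar hour but a sliding window over the last 3600 seconds, and which requests share a bucket depends on how the client is identified. The following block is an added example, not code from the book or from Django REST Framework: it models DRF's SimpleRateThrottle algorithm (rate parsing, per-identity cache key, sliding window) together with its get_ident helper, using a plain dict in place of the Django cache and stand-in User and Request dataclasses so it runs stand-alone. The two concrete rates from the text are exercised, and the anonymous-identity caveat is shown: with the NUM_PROXIES setting unset (DRF's default) the whole X-Forwarded-For header is used as the identity, so an anonymous client can choose its own throttle bucket unless NUM_PROXIES is set to the number of proxies in front of the API.

```python
# Added example, not the book's code: a model of DRF's SimpleRateThrottle
# (rate parsing, per-identity cache key, sliding window) and of its get_ident
# helper, written without django or rest_framework so it runs stand-alone.
# The cache is a plain dict; DRF uses the configured Django cache backend.
from dataclasses import dataclass, field

# Same lookup DRF uses: only the first letter of the period is significant,
# so "hour", "h" and "hours" all mean 3600 seconds.
_PERIODS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate):
    """'5/hour' -> (5, 3600); '20/day' -> (20, 86400); None -> (None, None)."""
    if rate is None:
        return (None, None)
    num, period = rate.split("/")
    return (int(num), _PERIODS[period[0]])


@dataclass(frozen=True)
class User:
    pk: int


@dataclass
class Request:
    user: User = None                  # None models AnonymousUser
    META: dict = field(default_factory=dict)


def get_ident(request, num_proxies=None):
    """Model of Throttle.get_ident. With NUM_PROXIES unset (the DRF default)
    the whole X-Forwarded-For value becomes the identity, so an anonymous
    client can pick its own throttle bucket by sending that header. Set
    NUM_PROXIES to the number of proxies you control so that only the address
    your own proxy appended is used."""
    xff = request.META.get("HTTP_X_FORWARDED_FOR")
    remote_addr = request.META.get("REMOTE_ADDR")
    if num_proxies is not None:
        if num_proxies == 0 or xff is None:
            return remote_addr
        addrs = xff.split(",")
        return addrs[-min(num_proxies, len(addrs))].strip()
    return "".join(xff.split()) if xff else remote_addr


class SimpleRateThrottle:
    def __init__(self, rate, num_proxies=None, cache=None):
        self.num_requests, self.duration = parse_rate(rate)
        self.num_proxies = num_proxies
        self.cache = {} if cache is None else cache

    def get_cache_key(self, request):
        raise NotImplementedError

    def allow_request(self, request, now):
        """Sliding window: allowed if fewer than num_requests timestamps fall
        within the last `duration` seconds. A denied request is not recorded."""
        if self.num_requests is None:          # no rate configured
            return True
        key = self.get_cache_key(request)
        if key is None:                        # throttle does not apply here
            return True
        history = self.cache.get(key, [])      # newest first, as in DRF
        while history and history[-1] <= now - self.duration:
            history.pop()
        if len(history) >= self.num_requests:
            self.cache[key] = history
            return False
        history.insert(0, now)
        self.cache[key] = history
        return True


class AnonRateThrottle(SimpleRateThrottle):
    """Keyed by client address; authenticated users are exempt."""

    def get_cache_key(self, request):
        if request.user is not None:
            return None
        return "throttle_anon_" + get_ident(request, self.num_proxies)


class UserRateThrottle(SimpleRateThrottle):
    """Keyed by user primary key (by client address for anonymous users)."""

    def get_cache_key(self, request):
        ident = request.user.pk if request.user is not None else get_ident(request, self.num_proxies)
        return f"throttle_user_{ident}"


def burst(throttle, request, times):
    """Apply the throttle at each timestamp (seconds) and return the decisions."""
    return [throttle.allow_request(request, t) for t in times]
```

The per-view limit from the text ("20 requests per day to the games-related views") is what DRF's ScopedRateThrottle provides; it builds its key from a scope name set on the view in exactly the same way as UserRateThrottle does from the user's primary key, so the window behaviour shown here applies to it unchanged.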
