I have an API in TastyPie that's consumed on the same domain. I only want to allow requests to come from my server.
TastyPie has a number of different Authentication options; however, I cannot use Session Authentication because no one logs in, and an API key could be viewed in my script.
So I was thinking that I could somehow validate the POST with a Django CSRF token. Is this possible (any examples? I've searched), or is there an option I have missed?
This answer provides the following method of getting the request IP address:
def get_client_ip(request):
    # X-Forwarded-For is added by reverse proxies; the first entry is taken
    # as the original client. Note that a client can send this header itself.
    x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
    if x_forwarded_for:
        ip = x_forwarded_for.split(',')[0].strip()
    else:
        ip = request.META.get('REMOTE_ADDR')
    return ip
You could try coupling this with a custom Authentication class as follows:
from django.conf import settings
from tastypie.authentication import Authentication

class IpAuthentication(Authentication):
    def is_authenticated(self, request, **kwargs):
        return get_client_ip(request) in settings.ALLOWED_IPS
You would have to populate your own ALLOWED_IPS list in your settings. This, however, is not a foolproof method, as IP addresses can be faked.
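As an added example, not part of the original question or answer: the lookup above trusts the first X-Forwarded-For entry, which any client can set in its own request, so the allow-list can be bypassed by sending a forged header. The code below models request.META as a plain dict and runs the answer's check side by side with a variant that only honours X-Forwarded-For when the TCP peer is a proxy you operate. ALLOWED_IPS and TRUSTED_PROXIES are hypothetical settings values, and all request samples are constructed.

```python
# Added example (not from the original question or answer): shows why the
# X-Forwarded-For based check can be bypassed, and a stricter variant.
# request.META is modelled as a plain dict; ALLOWED_IPS and TRUSTED_PROXIES
# are hypothetical settings values supplied by the caller.
import ipaddress


def naive_client_ip(meta):
    """The answer's approach: trust the first X-Forwarded-For entry, if any."""
    xff = meta.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return meta.get("REMOTE_ADDR")


def naive_is_allowed(meta, allowed_ips):
    """Equivalent of IpAuthentication.is_authenticated from the answer."""
    return naive_client_ip(meta) in allowed_ips


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def hardened_client_ip(meta, trusted_proxies):
    """Use X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is a proxy we run.

    Walk the header from the right (the end the proxy appended to) and return
    the first hop that is not a trusted proxy. REMOTE_ADDR comes from the
    socket, so a client cannot forge it without controlling one of the proxies.
    Returns None (fail closed) when any address cannot be parsed.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = _parse_ip(meta.get("REMOTE_ADDR", ""))
    if peer is None:
        return None
    if not is_trusted(peer):
        return peer  # direct connection: any X-Forwarded-For is client-supplied

    raw = meta.get("HTTP_X_FORWARDED_FOR", "")
    hops = [_parse_ip(h) for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop is None:
            return None
        if not is_trusted(hop):
            return hop
    return peer  # every listed hop was one of our own proxies


def hardened_is_allowed(meta, allowed_ips, trusted_proxies):
    ip = hardened_client_ip(meta, trusted_proxies)
    if ip is None:
        return False
    return any(ip in ipaddress.ip_network(a) for a in allowed_ips)


# Constructed sample data (hypothetical addresses).
ALLOWED_IPS = ["10.0.0.5"]        # the web server that may call the API
TRUSTED_PROXIES = ["10.0.0.2"]    # reverse proxy that sets X-Forwarded-For

# Legitimate call from 10.0.0.5 via the proxy.
LEGIT = {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": "10.0.0.5"}
# Attacker at 203.0.113.7 sends "X-Forwarded-For: 10.0.0.5"; the proxy appends the real peer.
SPOOF_VIA_PROXY = {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": "10.0.0.5, 203.0.113.7"}
# Attacker reaches the application directly (proxy bypassed) with a forged header.
SPOOF_DIRECT = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "10.0.0.5"}
# Malformed header entry: the hardened variant fails closed.
MALFORMED = {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": "10.0.0.5, not-an-ip"}


if __name__ == "__main__":
    cases = [("legit", LEGIT), ("spoof via proxy", SPOOF_VIA_PROXY),
             ("spoof direct", SPOOF_DIRECT), ("malformed", MALFORMED)]
    for name, meta in cases:
        print(f"{name:16} naive={naive_is_allowed(meta, ALLOWED_IPS)!s:5} "
              f"hardened={hardened_is_allowed(meta, ALLOWED_IPS, TRUSTED_PROXIES)}")
```

Running it shows the naive check accepting all four requests while the hardened one accepts only the legitimate call. The stricter version still depends on the proxy being the only path to the application and on it always appending the real peer address, and an IP allow-list remains a network-level filter rather than authentication of the caller.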