django rest framework - understanding authentication

Published 2019-01-29 03:39

I am a beginner to django rest framework (and to REST in general) and I have a server side which (for now) has a UserViewSet which allows registering new users, and I can POST to the url from my android app just fine (I get 201 CREATED).

I read a lot about it, but I don't seem to fully understand the concept of Login and Authentication in REST frameworks and specifically in django rest framework, and how it works.

Do you "Log in" (like in facebook for example) and then you can make requests?

What I understand/heard of:

You can log in to an API/website using your username and password (assuming of course that you have registered as a user and you are in the user database).

After you are logged in, you will be able to make requests to views that allow access only to logged-in/authenticated users.

  • Is that somewhat correct? I mean, is there a "Log in" URL where you log in and that's it, you are authenticated?

  • I also read somewhere that there isn't actually a login URL, and you have to add your username and password to each request, and then the request has to check if your details are in the User database?

To sum up, I am not really sure how authentication/logging in (same thing?) happens in django REST framework... and would really appreciate a good explanation or an example.

Thanks a lot!

1 answer
来,给爷笑一个
#2 · 2019-01-29 04:16

In a normal web application (removing the API from the question), a user would "log in" with their credentials (username/password, social tokens, etc.) and would receive a session cookie (assigned by Django) that allows them to authenticate in future requests on behalf of a user (realistically, themselves). This session cookie stays on their system for a limited period of time (two weeks by default) and allows them to freely use the website without authenticating again. If the session cookie needs to be removed, such that the person can no longer authenticate, the web application typically destroys the session cookie (or clears the session), which effectively "logs them out".

In the case of an API, it all depends on how the authentication works.

  • SessionAuthentication works just as described above, as it uses Django's internal session system.
  • TokenAuthentication remembers the authentication information through a database-backed token (which is transmitted in the Authorization header) instead of a session cookie.
  • BasicAuthentication authenticates on every session (no persistent session) by passing the username and password on every request (base64 encoded through the Authorization header).
  • Other authentication methods generally work in the same way as TokenAuthentication.

So, here are some answers to the specific questions which were raised:

Do you "Log in" (like in facebook for example) and then you can make requests?

Using BasicAuthentication, you "log in" on every request by providing your credentials. With token-based authentication (TokenAuthentication, OAuth 2, JWT, etc.), you "log in" to receive the initial token and then your authorization is confirmed on every request.

I also read somewhere that there isn't actually a login URL, and you have to add your username and password to each request, and then the request has to check if your details are in the User database?

This is basic access authentication which you can use in DRF using the BasicAuthentication class.
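As an added illustration (not code from the thread or from DRF itself), here is what the two stateless schemes named above look like on the wire, with a pure-Python stand-in for the server-side check so it runs without Django installed. The user table and token table are constructed in-memory data, and the helper names are my own; DRF's real classes do the equivalent lookups against the database.

```python
import base64
import hmac
import secrets
from hashlib import sha256

# Constructed stand-in for Django's user table: username -> password hash.
_USERS = {"alice": sha256(b"correct horse").hexdigest()}
# Constructed stand-in for rest_framework.authtoken's Token table: key -> username.
_TOKENS = {}

def _check_password(username, password):
    """Constant-time compare against the stored hash (None user -> False)."""
    stored = _USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, sha256(password.encode()).hexdigest())

def basic_header(username, password):
    """Client side of BasicAuthentication: base64('user:pass') on EVERY request,
    so the password itself crosses the wire each time (TLS is mandatory)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def login_for_token(username, password):
    """The one-time 'log in' step of TokenAuthentication: verify credentials once,
    mint a random key, store it server-side, hand it to the client."""
    if not _check_password(username, password):
        return None
    key = secrets.token_hex(20)  # 40 hex chars, same shape as DRF's Token.key
    _TOKENS[key] = username
    return key

def token_header(key):
    """Client side of TokenAuthentication: 'Token <key>' on every request."""
    return "Token " + key

def authenticate(authorization):
    """Server-side stand-in for DRF's authenticate(): return the username the
    Authorization header proves, or None (DRF would leave the user anonymous)."""
    scheme, _, credential = authorization.partition(" ")
    if scheme == "Basic":
        try:
            decoded = base64.b64decode(credential).decode()
        except (ValueError, UnicodeDecodeError):  # malformed header -> reject
            return None
        username, _, password = decoded.partition(":")
        return username if _check_password(username, password) else None
    if scheme == "Token":
        return _TOKENS.get(credential)  # DB-backed key lookup, no password on wire
    return None  # unknown scheme (e.g. Bearer) is not handled by these two classes
```

Revoking a token is just deleting its row server-side, which is the "log out" for token schemes; with Basic there is nothing to revoke except the password itself.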
