
The API requests will be sent by anonymous users. No Login/register functionality is present.

I need to authenticate the API requests. One primitive way I tried was to send an auth key in each request; this auth key is saved in the Angular frontend as a constant.

There must be a better and more sophisticated way, kindly help!

2 Answers


Django REST framework largely assumes that requests are authenticated based on a user, but it does provide support for authenticating anonymous requests. While this largely breaks from the assumption that "authentication" means "verifying a (Django) user is genuine", Django REST framework does allow it to happen and just substitutes the AnonymousUser instead.

Authentication in DRF can define both the request.user (the authenticated user) and request.auth (generally the token used, if applicable) properties on the request. So for your authentication, you would be holding on to tokens you have created (in a model or somewhere else) and those would be validated instead of the user credentials, and you would just end up not setting the user.

from django.contrib.auth.models import AnonymousUser
from django.utils.translation import gettext_lazy as _
from rest_framework import authentication
from rest_framework import exceptions

from .models import Token  # your own model storing the issued tokens (assumed, see below)


class ExampleAuthentication(authentication.BaseAuthentication):
    def authenticate(self, request):
        # The header arrives as bytes: b'Token <key>' -> [b'Token', b'<key>']
        auth = authentication.get_authorization_header(request).split()

        if not auth or auth[0].lower() != b'token':
            # Not our scheme: return None so the next authenticator can try
            return None

        if len(auth) == 1:
            msg = _('Invalid token header. No credentials provided.')
            raise exceptions.AuthenticationFailed(msg)
        elif len(auth) > 2:
            msg = _('Invalid token header. Credentials string should not contain spaces.')
            raise exceptions.AuthenticationFailed(msg)

        try:
            key = auth[1].decode()
        except UnicodeError:
            msg = _('Invalid token header. Token string should not contain invalid characters.')
            raise exceptions.AuthenticationFailed(msg)

        try:
            token = Token.objects.get(token=key)
        except Token.DoesNotExist:
            raise exceptions.AuthenticationFailed(_('No such token'))

        # No Django user is involved: request.user becomes AnonymousUser and
        # request.auth becomes the matched Token instance
        return (AnonymousUser(), token)

This example assumes that you have a Token model which stores the tokens that will be authenticated. The token objects will be set to request.auth if the request was authenticated properly.
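A framework-free version of the same flow, added here as an example (not the answerer's code): the header parsing mirrors the checks above, and a hypothetical in-memory HashedTokenStore stands in for the Token model, storing only SHA-256 digests so a leaked table does not yield usable tokens. AuthenticationFailed and AnonymousUser are stand-ins for the DRF and Django classes.

```python
import hashlib
import secrets

class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""

class AnonymousUser:
    """Stand-in for django.contrib.auth.models.AnonymousUser."""
    is_authenticated = False

def parse_token_header(authorization):
    """Return the credential string, None if the scheme is not 'Token', or raise."""
    if not authorization:
        return None
    parts = authorization.split()
    if not parts or parts[0].lower() != "token":
        return None  # not our scheme; let another authenticator try
    if len(parts) == 1:
        raise AuthenticationFailed("Invalid token header. No credentials provided.")
    if len(parts) > 2:
        raise AuthenticationFailed("Invalid token header. Credentials string should not contain spaces.")
    return parts[1]

class HashedTokenStore:
    """Hypothetical in-memory replacement for the Token model; keeps only SHA-256 digests."""

    def __init__(self):
        self._labels_by_digest = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, label):
        token = secrets.token_urlsafe(32)  # handed to the client once, never stored raw
        self._labels_by_digest[self._digest(token)] = label
        return token

    def lookup(self, token):
        return self._labels_by_digest.get(self._digest(token))

def authenticate(headers, store):
    """Return (user, auth) as DRF expects, None to fall through, or raise, like the answer."""
    token = parse_token_header(headers.get("Authorization"))
    if token is None:
        return None
    label = store.lookup(token)
    if label is None:
        raise AuthenticationFailed("No such token")
    return (AnonymousUser(), label)
```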


1 Comment

Note that if a custom authentication returns None then AnonymousUser will be the default user applied to the request; and if you're using the IsAuthenticated permission, an anonymous user won't be authenticated. Note that this question uses a custom AnonymousUser to authenticate a specific device.

Read the REST API docs on authentication and their tutorial; they offer a solid intro to the options.

2 Comments

Thanks, I did look into the docs; all the auth schemes are based on the assumption that the requests originate from a user. Is there a way to authenticate requests that do not have any user associated with them?
Given that “authentication is the process of confirming the identity of a person”, I don't really understand what you mean by authenticating requests that have no identity associated with them.
