
I am new to Django. I have a project in which mobile devices interact with the server using a token. In settings.py I have:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.TokenAuthentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'UPLOADED_FILES_USE_URL': False,

    'DEFAULT_PAGINATION_CLASS': None,
    'PAGE_SIZE': DEFAULT_PAGE_SIZE,  # For views using PageNumberPagination
}

but when I send a request with an invalid token using Postman, instead of 401 (Unauthorized), 403 (Forbidden) is returned. Is there anything special I can do to fix this?

Thanks

  • show the view at least Commented Feb 7, 2018 at 6:05
  • seems to be a CSRF issue.. try adding csrf_exempt Commented Feb 7, 2018 at 6:06
  • the problem is I don't know how that is working. There is no view specified for this, or at least I couldn't find one. @Exprator Commented Feb 7, 2018 at 6:06
  • he is asking about the method you are hitting Commented Feb 7, 2018 at 6:10
  • he's asking to show your respective views.py Commented Feb 7, 2018 at 6:38

2 Answers


As stated by the documentation:

The kind of response that will be used depends on the authentication scheme. Although multiple authentication schemes may be in use, only one scheme may be used to determine the type of response. The first authentication class set on the view is used when determining the type of response.

Add to this the following extract from SessionAuthentication:

Unauthenticated responses that are denied permission will result in an HTTP 403 Forbidden response.

And you have your answer.

Either move TokenAuthentication to the first position in DEFAULT_AUTHENTICATION_CLASSES or document the current behavior.


You can still define a custom exception handler that sends an HTTP_401_UNAUTHORIZED response when AuthenticationFailed or NotAuthenticated exceptions occur.

Official documentation

You can do it like so (from this answer on a GitHub issue):

from rest_framework import exceptions
from rest_framework import status
from rest_framework.views import exception_handler


def custom_exception_handler(exc, context):
    # Let DRF build its standard response first (it returns None for
    # exceptions it does not handle, so guard against that).
    response = exception_handler(exc, context)
    # Rewrite the 403 that DRF produces for authentication failures into a 401.
    if response is not None and isinstance(
        exc, (exceptions.AuthenticationFailed, exceptions.NotAuthenticated)
    ):
        response.status_code = status.HTTP_401_UNAUTHORIZED
    return response

and configure it in your REST_FRAMEWORK settings:

REST_FRAMEWORK = {
    # ...
    'EXCEPTION_HANDLER': 'path.to.your.custom_exception_handler',
    # ...
}
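To make the two answers concrete, here is an added, runnable model of the decision DRF makes for an unauthenticated request (this is not code from DRF or from either answer; it mirrors the logic of APIView.handle_exception and get_authenticate_header using constructed stand-in classes instead of importing rest_framework). It shows why the order of DEFAULT_AUTHENTICATION_CLASSES flips 403 into 401, and that the custom exception handler forces a 401 that lacks the WWW-Authenticate challenge a 401 normally carries.

```python
from typing import Callable, Dict, List, Optional, Tuple, Type


class BaseAuthentication:
    """Stand-in for DRF's base class: no challenge header by default."""

    def authenticate_header(self, request) -> Optional[str]:
        return None


class SessionAuthentication(BaseAuthentication):
    """Like DRF's SessionAuthentication, which never overrides authenticate_header."""


class TokenAuthentication(BaseAuthentication):
    keyword = "Token"

    def authenticate_header(self, request) -> Optional[str]:
        # DRF's TokenAuthentication returns its keyword as the WWW-Authenticate challenge.
        return self.keyword


class NotAuthenticated(Exception):
    status_code = 401


def handle_not_authenticated(
    authentication_classes: List[Type[BaseAuthentication]],
    custom_handler: Optional[Callable[[Exception, int], int]] = None,
) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) the client sees when authentication fails.

    Only the FIRST authenticator is asked for a challenge, which is exactly
    the documented rule quoted in the first answer.
    """
    exc = NotAuthenticated()
    challenge = authentication_classes[0]().authenticate_header(request=None)
    headers: Dict[str, str] = {}
    if challenge:
        headers["WWW-Authenticate"] = challenge
    else:
        exc.status_code = 403  # no challenge available, so DRF downgrades to Forbidden
    status = exc.status_code
    if custom_handler is not None:
        status = custom_handler(exc, status)  # the EXCEPTION_HANDLER hook from answer two
    return status, headers


def force_401(exc: Exception, status: int) -> int:
    """Models custom_exception_handler: rewrites the status code, nothing else."""
    return 401 if isinstance(exc, NotAuthenticated) else status
```

Reordering the classes yields a 401 with `WWW-Authenticate: Token`; the handler approach yields a 401 with no challenge header, which some HTTP clients treat as malformed.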
