How to use TokenAuthentication for API in django-rest-framework

Peter picture Peter · Jul 10, 2013 · Viewed 37.6k times · Source

I have a django project, using django-rest-framework to create api.

Want to use token base authentication system so api call for (put, post, delete) will only execute for authorized user.

I installed 'rest_framework.authtoken' and created token for each users.

So, now from django.contrib.auth.backends authenticate, it returns user, with auth_token as attribute. (when loged in successfully).

Now my question is how can I send the token with post request to my api and at api side how can I verify if token is valid and belongs to the correct user?

Are there any methods in app rest_framework.authtoken to validate given user and its token? not found this very useful!

Update (changes I made): Added this in my settings.py:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.TokenAuthentication',
    )
}

Also sending Token in my header but its still not working:

if new_form.is_valid:
    payload= {"createNewUser":
              { "users": request.POST["newusers"],
                "email": request.POST["newemail"]
                }
              }

    headers =  {'content-type' : 'application/json', 
                'Authorization': 'Token 6b929e47f278068fe6ac8235cda09707a3aa7ba1'}

    r = requests.post('http://localhost:8000/api/v1.0/user_list',
                      data=json.dumps(payload),
                      headers=headers, verify=False)

Answer

Tom Christie picture Tom Christie · Jul 10, 2013

"how can I send the token with post request to my api"

From the docs...

For clients to authenticate, the token key should be included in the Authorization HTTP header. The key should be prefixed by the string literal "Token", with whitespace separating the two strings. For example:

Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b

"at api side how can I verify if token is valid and belongs to the correct user?"

You don't need to do anything, just access request.user to return the authenticated user - REST framework will deal with returning a '401 Unauthorized' response to any incorrect authentication.