DEV Community

Django Rest Framework custom JWT authentication

Ahmed Atalla on May 12, 2020

This article is not a tutorial or a guide; it is more like a request for code review and validation of the implementation from more experienced Django ...
Benji Lewis • Edited

Hey Ahmed, I really appreciated this awesome and thorough article! I have one question, which is around the refresh_token_view. You are importing "safe_jwt"; I assume that this is a subapp within the project. I'm interested to know what the model in here is responsible for, and also what the function of the app is?

Ahmed Atalla

Thanks for the kind words.
safe_jwt was just a fancy name for the accounts app when I was testing on my own; I just forgot to clean up.
And the model UserTokenVersion is a method I was trying to revoke the token with, but I wasn't sure about it, so I just mentioned it at the end and forgot to clean it from my code ... my apologies for this.

Andreas Kaiser

Thanks for this article, especially the CSRF description!

Ankush Chavan

It's a great article. I really appreciate it!
Can you tell me how to pass the csrftoken in the request headers using the X-CSRFTOKEN key? I can access it by setting the X-CSRFTOKEN key in Postman, but I would like to know how to achieve the same through code.
Thank you!

azmi989

Hey Ahmed, appreciate the hard work.
I'm wondering what to do with the refresh token: how does the frontend (I'm using React) utilize it? I mean, if I set up a (remember me) option on login, what would be my next step? I can't read an httponly cookie from the frontend, so what to do?
Thanks

Pathapati Sivaiah

In the generate_refresh_token method, what is the meaning of token_version? Please tell me what data to pass.

Chanon Sae-lee

Do you know the answer yet?

Ahmed Atalla

This is an unused parameter; you can ignore it.
I was testing something to expire the token but forgot to remove it.

yogeeshap

Initially, while requesting the login API from the client side, we are not passing an access token, so this line authorization_header = request.headers.get('Authorization') in authentication.py will fail. It returns just 'Bearer' with no token,
and it returns 'Token prefix missing' with a 403 error.

Narusunday

Really helpful, thank you so much. Exactly what I need for now <3

Kayvman1

Thank you very much for this post. My API for mobile was not as secure as it should have been. Keep up the good work and good luck to you.

MohamedYousof

Great article, keep up 👍

Ahmed Atalla

Thanks

alimp5

Thanks a lot :X
A great step by step tutorial with excellent detail :x
Thanks again.

skyshy0707 • Edited

Hi!)

Quote: "which is a short life jwt (maybe 5 mins) and send it in the response body"

Can we generate a token without an expiry date? Assume I'd refresh my token when I want to do it.

jaypowar00

that really helped me... Thanks🔥

nitesh5695

Thank you, you saved me.

yoyoo

I am getting the following error once I try to log in; what would I be doing the wrong way?

'Settings' object has no attribute 'REFRESH_TOKEN_SECRET'

Ahmed Atalla • Edited

You have to set it yourself in the settings.py file:

REFRESH_TOKEN_SECRET='your secret string'
yoyoo

By the way, Great article, keep up

Aix

great article!!

Ahmed Atalla

Thanks

Pathapati Sivaiah

permission_classes = (IsAuthenticated,) is not working:

{
"detail": "You do not have permission to perform this action."
}

Please help, anyone.

waledmet

POST works for me from Postman
but does not work from axios.
I added X-CSRFTOKEN to the header in Postman & axios,
but it does not work in axios.

waledmet

Thank you Ahmed,
good work,
but I need to ask two questions:
1- custom JWT authentication with a custom user table:
how to use the refresh token
2- how to do custom PERMISSION

Aix • Edited

I have a question to ask.
If I put the JWT in a cookie from the server to the client, and the client takes the JWT from the cookie into the headers for every request, do I need a CSRF token additionally?

Ahmed Atalla • Edited

The client can't read the httponly cookie; only the server can read it.

Abednego Kilonzo Wambua

Hello @ahmed Atala, I am getting this error, can you help out: 'Settings' object has no attribute 'REFRESH_TOKEN_SECRET'

Ahmed Atalla

You have to set it yourself in the settings.py file:

REFRESH_TOKEN_SECRET='your secret string'
Abednego Kilonzo Wambua

Hello, I am getting this error when authenticating: DecodeError Not enough segments. Can you please help?

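An added example, not code from the article or its author, covering the Authorization header step that yogeeshap's comment above describes (a login request with no token, or a bare 'Bearer') and the 'Not enough segments' DecodeError reported here. AuthError is an assumed stand-in for DRF's AuthenticationFailed, and the headers dict stands in for request.headers; returning None when no header is present is what lets DRF carry on with the request as anonymous instead of rejecting the login call.

```python
# Added example (not the article's code). AuthError stands in for
# rest_framework.exceptions.AuthenticationFailed; headers stands in for
# request.headers. Any sample headers used with it are constructed.
from typing import Optional


class AuthError(Exception):
    """Stand-in for DRF's AuthenticationFailed (assumption)."""


def extract_bearer_token(authorization_header: Optional[str]) -> Optional[str]:
    """Return the raw JWT from a 'Bearer <token>' header, or None if absent.

    Returning None lets DRF treat the request as anonymous, so an
    unauthenticated login request is not rejected at this step.
    """
    parts = (authorization_header or "").split()
    if not parts:
        return None  # no credentials supplied: not an error at this stage
    if parts[0].lower() != "bearer":
        raise AuthError("Token prefix missing")
    if len(parts) != 2:
        # Covers a bare 'Bearer' (the case reported above) and extra words.
        raise AuthError("Authorization header must be 'Bearer <token>'")
    token = parts[1]
    # A compact JWS is exactly three non-empty base64url segments; anything
    # else makes PyJWT's decode fail with DecodeError('Not enough segments').
    if token.count(".") != 2 or not all(token.split(".")):
        raise AuthError("Malformed token")
    return token


def authenticate(headers: dict) -> Optional[str]:
    """First step of a DRF authenticate(): pull the token or give up quietly."""
    return extract_bearer_token(headers.get("Authorization"))


def classify(authorization_header: Optional[str]) -> str:
    """Label the outcome for a header value, useful for logging and tests."""
    try:
        token = extract_bearer_token(authorization_header)
    except AuthError as exc:
        return f"rejected: {exc}"
    return "anonymous" if token is None else "token"
```

The structural check does not replace signature verification; it only turns a malformed token into a clear 401-style rejection before jwt.decode() sees it.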
Keegan Good

I hope you solved your problem. If you wouldn't mind posting some code, it'd be a little easier to debug.