Rana Wael

Posted on Sep 3, 2023

Django Authentication for APIs

#django #restframework #restapi #jwt

1. Use rest_framework

Used for the response "instead of regular json response"

Installation

Install package pip install djangorestframework

Then add in settings

INSTALLED_APPS = [
    ...
    'rest_framework',
]

2. Use simple jwt

To deal with authentication with access and refresh token

Installation

install pacakge pip install djangorestframework-simplejwt

Then add in settings:

REST_FRAMEWORK = {
    ...
    'DEFAULT_AUTHENTICATION_CLASSES': (
        ...
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    )
    ...
}

Steps:

Use these endpoints to get the access and refresh tokens

path('api/token/', TokenObtainPairView.as_view(), name='token_obtain_pair')

This api is post method to login with user then gives us the access and refresh tokens

Access token store info. about the user that is encoded

path('api/token/refresh/', TokenRefreshView.as_view(), name='token_refresh')

This api is post method to give it the refresh token then generates and gives us the new access token

Customize jwt

SIMPLE_JWT = {
    "ACCESS_TOKEN_LIFETIME": timedelta(minutes=5),
 #Custom the lifetime of access token
    "REFRESH_TOKEN_LIFETIME": timedelta(days=1),
# Custom the lifetime of refresh token
  ....
}

SIMPLE_JWT = {
  ....
"ROTATE_REFRESH_TOKENS": True,
...
}

Use it when we need the user stay logged in even if the refresh token is expired (stay logged in if the user still opened the browser)

Generate new refresh token every time using refresh token api (to generate new access token)

Create rolling window and generate new refresh token

When making this boolean value (True), the endpoint of refresh token will give response new access and refresh tokens instead of new access token only

SIMPLE_JWT = {
  ....
 "BLACKLIST_AFTER_ROTATION": True
  ...
}

Use it when using ”ROTATE_REFRESH_TOKENS” to block the old refresh tokens when generate new refresh token (to use the new refresh token only and block the old ones)

You need to add 'rest_framework_simplejwt.token_blacklist', to your INSTALLED_APPS in the settings file to use this setting

Customize Token Claims

Used to customize the decoded token returned to the user (more information about him)

from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
from rest_framework_simplejwt.views import TokenObtainPairView


class MyTokenObtainPairSerializer(TokenObtainPairSerializer):
@classmethod
def get_token(cls, user):
  token = super().get_token(user)
  # custom claims
  token['username'] = user.username

return token

class MyTokenObtainPairView(TokenObtainPairView):
  serializer_class = MyTokenObtainPairSerializer

3. Use CORS

Adds cross origin resource sharing(cors) headers to responses
It allows our resources to be accessed on other domains

Installation

Install pacakge python -m pip install django-cors-headers

Then add to settings:

INSTALLED_APPS = [
    ...,
    "corsheaders",
    ...,
]
...
MIDDLEWARE = [
    ...,
    "corsheaders.middleware.CorsMiddleware",
    "django.middleware.common.CommonMiddleware",
    ...,
]
CORS_ALLOW_ALL_ORIGINS= True # To make any domain can access our project
## or
CORS_ALLOWED_ORIGINS = [‘allowed_urls‘, ...] # List of urls that we want to allow to our api

DEV Community

Django Authentication for APIs

1. Use rest_framework

Installation

2. Use simple jwt

Installation

Steps:

3. Use CORS

Installation

Top comments (0)

Read next

Personal Finance Management App with Django, HTMX, Alpine, Tailwind, and Plaid

Mastering Spring Boot MVC and REST APIs: A Comprehensive Guide

Getting Started with Insomnia: How to Export and Publish Collections

How to get the `verbose_name` of an attribute of a model.