DEV Community

Why is Django REST Framework lying to me?

rhymes on June 21, 2018

One thing about frameworks is that they work well when you follow the tutorials and the conventions, they usually don't when you try to step a litt...
kieronjmckenna

Great Article, the amount of Stack Overflow articles I've read linking the REST framework section on session authentication (which has no mention of implementation), as well as answers saying put my JWT in local storage and forget about it, had left me feeling defeated using the REST framework and a SPA.

Surprising for a framework that is touted as having fantastic docs...

Two years on, have you found a cleaner solution?

rhymes

Hi! Unfortunately I'm not actively working on that project anymore.

I'm a bit surprised two years later there's still not a solution for that :D

Donald

I did a lot of Vue + Django projects in 2017 and early 2018. I used different libraries with DRF for JWT, but if I remember correctly, I could use an authenticate method in a view. One project I'm pretty sure I used the login view, another I think I did something custom.

rhymes

Thanks, I'll try to research a bit how to do it with REST.

rhymes

I've updated the post with my temporary solution.

kenclary • Edited

(apologies for the thread necromancy)

I ran into this exact problem, trying to get an SPA to use DRF's session authentication. The docs for this only suggest it could work, but never really say how. I got lucky with some googling, and thought I would share.

1) I needed to write a new login view. I basically copied one from testdriven.io/courses/real-time-ap... after much searching. I also copied from there for sign up and logout views.
2) On the backend, I included {% csrf_token %} in the index.html template that bootstraps the SPA, so that the SPA gets the cookie when it loads.
3) On the frontend, I made sure to include the CSRF cookie as a 'X-CSRFToken' header.
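
The frontend half of the steps in the comment above (step 3), as an added example that is not part of the comment or the original post: it reads the CSRF cookie and attaches it as `X-CSRFToken` only to state-changing, same-origin requests. `csrftoken` is Django's default cookie name; the function names, origin and cookie values are constructed for illustration.

```javascript
// Added example. Function names, origin and sample cookie are constructed.
// 'csrftoken' is Django's default CSRF cookie name; 'X-CSRFToken' is the
// header named in the comment above.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Pull one value out of a document.cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build fetch() options for a request made from a page served at pageOrigin.
function csrfFetchOptions(url, options, cookieString, pageOrigin) {
  const method = (options.method || 'GET').toUpperCase();
  const headers = { ...(options.headers || {}) };
  const sameOrigin = new URL(url, pageOrigin).origin === pageOrigin;
  // Only state-changing requests to our own backend carry the token, so it
  // is never disclosed to a third-party host.
  if (!SAFE_METHODS.has(method) && sameOrigin) {
    const token = readCookie(cookieString, 'csrftoken');
    if (!token) {
      // e.g. the bootstrapping template did not render {% csrf_token %}.
      throw new Error('CSRF cookie missing; cannot send X-CSRFToken');
    }
    headers['X-CSRFToken'] = token;
  }
  // 'same-origin' sends the session cookie to our backend only.
  return { ...options, method, headers, credentials: 'same-origin' };
}

// Constructed sample of what document.cookie holds after index.html loads.
const SAMPLE_COOKIES = 'theme=dark; csrftoken=constructed-token-value';

// In the browser:
//   fetch(url, csrfFetchOptions(url, { method: 'POST', body }, document.cookie, location.origin));
```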

Karolis Ryselis

It seems to me you could just use Django's login view

Enrique Jose Padilla
rhymes

I've updated the post with my temporary solution.

rhymes

But how? :-)

Jelid Leon

I used Basic Auth without CSRF, and it did work for me. But you can implement JWT Auth in your Django project medium.com/netscape/full-stack-dja...

rhymes • Edited

Thanks for the heads up! I wanted to avoid JWT, that's why I was trying to simply use the Django session cookie as a token.

I think I've succeeded, I just need to read a bit more about DRF so I can clean up the code (and maybe remove django-rest-auth as a dependency)

Wilkinson Tavares

I appreciate your piece on this.

I'm building a system using Django/DRF as backend and React JS as frontend.
The backend uses an already existent database, user and auth models.
Figuring out auth in an SPA is tricky... storing tokens in localStorage or sessionStorage isn't the safest practice but is the fastest way to get it done; imho this is why many devs do it this way.

I totally agree with you, implementing the session cookie should be easy, as it seems to me the right solution for this problem.

rhymes

Yeah, probably if they lowered the bar on how to use standard sessions they would be used more. A lot of doc is also JWT first which doesn't always help.

imcatta

Hi! I'm not a Django REST expert, but I think I figured out what's wrong.
The SessionAuthentication class is not used to sign in the user, but to check if a request comes from an authenticated user.
To log in using a regular session cookie you're supposed to use the standard LoginView class.

rhymes

Thanks for the comment! I figured SessionAuthentication wasn't the correct one, after a few trials.

The only issue I see with using LoginView directly is that it entails a server side template. That's why I didn't use it. Check the update in the post about it.

I'm still a little surprised about how complicated this is but it could be 100% because I'm not a Django expert either.

IamIdan

As of today, have you found a better way to deal with it? Although not so bad of a solution, it is still an ugly one...