Open terrameijar opened 11 months ago
I suggest that we start with token-based auth. I want to work on this ticket.
@maunga-et thanks. If I remember correctly, work on this has been started and the auth currently uses HTTP auth.
Do you mind explaining why you're suggesting we go with token auth and how you would implement it?
@terrameijar He is mentioning token-based authentication because HTTP auth will authenticate DRF's browsable API but will not authenticate the API endpoints for a different origin. It is not possible to authenticate the API endpoints from a different client other than the browsable API via HTTP Auth.
If @maunga-et, however, wants to implement token authentication, he should implement 2 endpoints that authenticate a mobile client via Authorization headers and another for web clients (React) via HTTP-only cookies.
@terrameijar it makes it easy to integrate with our clients (web and mobile) and also serves to protect private endpoints. We can use simplejwt for that.
Users should have the ability to log in and out of the website. The backend has this functionality ready and the API endpoints for auth are api-auth/login/ and api-auth/logout. The backend currently supports basic HTTP username and password authentication.
@IamTyrone let's start with basic HTTP authentication to get the ball rolling and move to something else like server-side tokens or JWT later. What do you think?
CC @mpumzee , do you have any thoughts on auth?