cfe-lab / Kive

Archival and automation of bioinformatic pipelines and data
https://cfe-lab.github.io/Kive
BSD 3-Clause "New" or "Revised" License

Simplify authentication of REST framework #310

Open donkirkby opened 9 years ago

donkirkby commented 9 years ago

We currently have a token system for the REST framework, but I think it's simpler to just make calling applications use session authentication. That way we don't have to manage the authentication tokens separately from user names and passwords. We should also configure the application to use SSL so that user names and passwords are not sent in the clear.

jjh13 commented 9 years ago

I can take the first three points immediately.

jjh13 commented 9 years ago

I'm having issues making a migration for this. We can't seem to make migrations for the DRF app, since we don't have access to its directory. The correct thing to do would be to create a custom migration that drops the table. But since we no longer include the auth token app, I'm not sure if we can do a DeleteModel for that table? Thoughts?

donkirkby commented 9 years ago

The best I can see is to tell the developers to roll back the authtoken app's migration before removing it from INSTALLED_APPS. In case others, like me, didn't know about the magic zero, here's the syntax to completely roll back the authtoken app's migrations:

./manage.py migrate authtoken zero

If somebody doesn't do this, it's no big deal. The unused table will sit in their database, and they can either leave it there, drop it manually, or put rest_framework.authtoken back in INSTALLED_APPS long enough to roll back the migration.
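One way to check a deployment's settings after the change discussed in this thread (token authentication removed, session authentication kept, credentials and cookies only over SSL). This is an added example, not code from Kive or from the commenters; `audit_settings` and the two sample settings mappings are constructed for illustration, while the setting names are Django's and Django REST framework's own.

```python
# Added example: audits a Django settings mapping for the change discussed in
# this issue. The sample BEFORE/AFTER mappings are constructed, not Kive's own.

TOKEN_AUTH = "rest_framework.authentication.TokenAuthentication"
SESSION_AUTH = "rest_framework.authentication.SessionAuthentication"
BASIC_AUTH = "rest_framework.authentication.BasicAuthentication"
TOKEN_APP = "rest_framework.authtoken"

# What DRF uses when DEFAULT_AUTHENTICATION_CLASSES is not set at all.
DRF_DEFAULT_AUTH = (SESSION_AUTH, BASIC_AUTH)

# Django settings that keep passwords and session cookies off plain HTTP.
TLS_FLAGS = ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE")


def audit_settings(settings):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    auth_classes = settings.get("REST_FRAMEWORK", {}).get(
        "DEFAULT_AUTHENTICATION_CLASSES", DRF_DEFAULT_AUTH)
    if TOKEN_AUTH in auth_classes:
        findings.append("TokenAuthentication is still enabled")
    if SESSION_AUTH not in auth_classes:
        findings.append("SessionAuthentication is not enabled")
    if TOKEN_APP in settings.get("INSTALLED_APPS", ()):
        findings.append("rest_framework.authtoken is still in INSTALLED_APPS")
    for flag in TLS_FLAGS:
        if settings.get(flag) is not True:
            findings.append(flag + " is not True")
    return findings


# Constructed sample: token app still installed, no HTTPS enforcement.
BEFORE = {
    "INSTALLED_APPS": ["django.contrib.sessions", "rest_framework", TOKEN_APP],
    "REST_FRAMEWORK": {"DEFAULT_AUTHENTICATION_CLASSES": [TOKEN_AUTH, SESSION_AUTH]},
}

# Constructed sample: session authentication only, cookies restricted to HTTPS.
AFTER = {
    "INSTALLED_APPS": ["django.contrib.sessions", "rest_framework"],
    "REST_FRAMEWORK": {"DEFAULT_AUTHENTICATION_CLASSES": [SESSION_AUTH]},
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_settings(cfg) or "ok")
```

With session authentication, Django REST framework enforces CSRF checks on authenticated unsafe requests, so calling applications also need to send the CSRF token once they stop using tokens.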