florimondmanca / djangorestframework-api-key

🔐 API key permissions for Django REST Framework
https://florimondmanca.github.io/djangorestframework-api-key/
MIT License

Sending requests from swagger docs or postman fails #142

Closed yovelcohen closed 4 years ago

yovelcohen commented 4 years ago

I have a rather odd problem.

I'm using the package to generate keys for my API.

When I'm in DRF's browsable API and I'm using ModHeader to add the API key, it works as expected.

But when sending a request using Postman or the Swagger docs I generated, it won't authorize.

I wrote custom error handling in my view which raises a custom message if the user is not authenticated.

Using the same key as in ModHeader raises my error.

florimondmanca commented 4 years ago

Hi!

Related: https://github.com/florimondmanca/djangorestframework-api-key/issues/111 (resolved by regenerating the API key, but I don't think this applies here since you're able to use the API key from the browsable API).

Questions:

yovelcohen commented 4 years ago

curl won't work as well.

curl -X POST "https://scr-rivendell.herokuapp.com/events/new_event/" -H "accept: application/json" -H "Authorization: Api-Key uNBpKiYm.1K00Sl5og99LloWVESHWpVPDEr84eV0i" -H "Content-Type: application/json" -d "{ \"time_stamp\": \"2020-07-17T15:54:00Z\", \"result\": 2, \"cow\": \"2413\", \"camera\": 1, \"farm_id\": 2}"

yovelcohen commented 4 years ago

The same applies for the local server: it works in the browsable API with ModHeader, but requests via Postman/curl fail.

yovelcohen commented 4 years ago

Okay, I figured out what made that happen, not sure why though.

I'm using the create mixin and overriding the default create method in my view.

Once I deleted that and used the built-in create it works!

I would definitely test that more once I get the chance and report back the results!

Many thanks anyway and thank you for this great package.

florimondmanca commented 4 years ago

Cool. :-)

I assume the permission checking logic is run via the default .create() implementation... Seems like you could run .check_permissions() yourself though, see https://www.django-rest-framework.org/api-guide/views/#api-policy-implementation-methods

API policy implementation methods
The following methods are called before dispatching to the handler method.
[...]
.check_permissions(self, request)

Closing for now since this seems like a generic DRF usage problem... Thanks!