I have a project that uses JWT tokens as authentication. I'm now trying to add the api-key feature.
Basically I've customized the API based on an Organization permission (in a given organization, the api-key might have admin permissions, or staff, etc.). In this step, I can filter the permissions with success.
I have the following viewset:
```python
from rest_framework import viewsets

class FooViewSet(viewsets.ModelViewSet):
    permission_classes = (FooPermissionsBasedOnOrganization | HasOrganizationBasedAPIKey,)
```
Assuming that both jwt token and api-key have staff permissions, I don't want them to be able to create resources, raising HTTP 403 forbidden.
But with api-keys, the error is 401 unauthorized...
With some debug, I've noticed the following:
Breakpoint in the `APIView`, method `initial`, line `self.check_permissions(request)`.
In here, if the token or api-key doesn't have permission, it will call the method `self.permission_denied`.
The permission denied code is the following:
```python
from rest_framework import exceptions

def permission_denied(self, request, message=None, code=None):
    # Authenticators are configured but none of them succeeded: 401, not 403.
    if request.authenticators and not request.successful_authenticator:
        raise exceptions.NotAuthenticated()
    # Authenticated (or no authenticators at all) but not permitted: 403.
    raise exceptions.PermissionDenied(detail=message, code=code)
```
API Keys will hit on the first raise, because it's not a User to be authenticated.
Do I need an Authentication class to use with API Keys, do I need something to bypass this, or is it something that I'm not seeing because this shouldn't be a problem?
Thanks :+1:
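Added example, not part of the post and not DRF's own code: a dependency-free model of the flow described above, so the 401-versus-403 decision can be run without Django. `Request`, the two authentication classes and `role_of` are constructed stand-ins (assumptions); only the rule inside `permission_denied` is the one quoted from DRF. It shows that the status code turns on whether some authenticator recorded a success, which an API key validated only inside a permission class never does.

```python
from dataclasses import dataclass, field

class NotAuthenticated(Exception): status_code = 401  # DRF renders this as HTTP 401
class PermissionDenied(Exception): status_code = 403  # DRF renders this as HTTP 403

@dataclass
class Request:
    headers: dict
    authenticators: list = field(default_factory=list)
    successful_authenticator: object = None
    principal: object = None  # stand-in for request.user / request.auth

class JWTAuthentication:
    # Stand-in: a "Bearer" token yields a principal (constructed sample).
    def authenticate(self, request):
        header = request.headers.get("Authorization", "")
        if header.startswith("Bearer "):
            return {"role": header[7:]}  # constructed sample: token body is the role

class APIKeyAuthentication:
    # Stand-in for the dedicated API-key authentication class the post asks about.
    def authenticate(self, request):
        if request.headers.get("X-Api-Key") == "valid-key":
            return {"role": "staff"}

def role_of(request):
    # Permission-side lookup standing in for the OR'd permission classes: an API key
    # is resolved from its header here, without any authenticator having run.
    if request.principal:
        return request.principal["role"]
    return "staff" if request.headers.get("X-Api-Key") == "valid-key" else None

def permission_denied(request, message=None, code=None):
    # The rule quoted from rest_framework.views.APIView.permission_denied.
    if request.authenticators and not request.successful_authenticator:
        raise NotAuthenticated()
    raise PermissionDenied(message)

def status_for_create(request):
    """Status a caller receives on create, which only the admin role may do."""
    for auth in request.authenticators:  # what DRF's perform_authentication() does
        principal = auth.authenticate(request)
        if principal:
            request.successful_authenticator, request.principal = auth, principal
            break
    if role_of(request) == "admin":
        return 201
    try:
        permission_denied(request, "staff may not create")
    except (NotAuthenticated, PermissionDenied) as exc:
        return exc.status_code
```

With only the JWT authenticator configured, a valid API key that passes the permission lookup still yields 401 because no authenticator succeeded; with no authenticators configured at all, the same call yields 403.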