iMerica / dj-rest-auth

Authentication for Django Rest Framework
https://dj-rest-auth.readthedocs.io/en/latest/index.html
MIT License

JWTCookieAuthentication and SessionAuthentication not working together. #235

Open haccks opened 3 years ago

haccks commented 3 years ago

I am using both of these authentication classes in the settings.py file as DEFAULT_AUTHENTICATION_CLASSES.

'DEFAULT_AUTHENTICATION_CLASSES': [
    'dj_rest_auth.jwt_auth.JWTCookieAuthentication',
    'rest_framework.authentication.SessionAuthentication',
],

With this setting, if I use the browsable API, I get this error:

HTTP 401 Unauthorized
Allow: POST, OPTIONS
Content-Type: application/json
Vary: Accept
WWW-Authenticate: Bearer realm="api"

{
    "detail": "Given token not valid for any token type",
    "code": "token_not_valid",
    "messages": [
        {
            "token_class": "AccessToken",
            "token_type": "access",
            "message": "Token has wrong type"
        }
    ]
}

NPGiorgi commented 3 years ago

Not sure if this is the best way, but to my understanding for some reason the Login API is requesting credentials. My solution was to override the default class and remove any authentication requirements.

from dj_rest_auth.views import LoginView

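class Login(LoginView):
    # No authenticators run on this view, so a rejected JWT cookie
    # cannot cause a 401 before the submitted credentials are checked.
    authentication_classes = []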

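And in the urls file:

# ...
from django.urls import include, path

# core_api is the module that defines the Login view above
urlpatterns = [
    # Listed first so it takes precedence over the login route in dj_rest_auth.urls
    path("auth/login/", core_api.Login.as_view()),
    path("auth/", include("dj_rest_auth.urls")),
]

# ...

johnckealy commented 3 years ago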

I found that I can get this to work only if I use DRF's Token Authentication as well:

    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.TokenAuthentication',
        'dj_rest_auth.jwt_auth.JWTCookieAuthentication'
    ),

I think Simple JWT must rely on this code to work.

LennyLip commented 3 years ago

It seems this app can work with JWT Token or DRF Token Auth only. If I tried to use DRF SessionAuthentication only I got server errors.

REST_USE_JWT = False

...
'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
    ),
...

INSTALLED_APPS = [
    ...
    'rest_framework',
    #'rest_framework.authtoken'
]

error:


File "/usr/local/lib/python3.7/dist-packages/dj_rest_auth/views.py" in post
  127.         self.login()

File "/usr/local/lib/python3.7/dist-packages/dj_rest_auth/views.py" in login
  79.                 self.serializer,

File "/usr/local/lib/python3.7/dist-packages/dj_rest_auth/utils.py" in default_create_token
  16.     token, _ = token_model.objects.get_or_create(user=user)

Exception Type: AttributeError at /api/v1/profiles/rest-auth/login/
Exception Value: type object 'Token' has no attribute 'objects'

Related issue https://github.com/iMerica/dj-rest-auth/issues/161

haccks commented 3 weeks ago

I am still facing this problem with version 5.1.0. Any workaround?

haccks commented 2 weeks ago

I am not sure why, but switching the order of these classes seems to work for now:

'DEFAULT_AUTHENTICATION_CLASSES': [
    'rest_framework.authentication.SessionAuthentication',
    'dj_rest_auth.jwt_auth.JWTCookieAuthentication',
],
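
Added example, not part of the thread and not DRF or dj-rest-auth code: DRF tries the configured authentication classes in order, uses the first one that returns a user, and aborts the request if any class raises, which is consistent with the order swap above changing the result. The stand-in classes, the `outcome` helper and the request values are constructed for illustration.

```python
# Simplified model of how DRF walks DEFAULT_AUTHENTICATION_CLASSES.
# Every class here is a stand-in written for this example (assumption),
# not the real DRF / dj-rest-auth implementation.

class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""


class SessionAuth:
    """Stand-in: succeeds only if the request carries a logged-in session."""
    def authenticate(self, request):
        user = request.get("session_user")
        return (user, None) if user else None  # None means "not my credentials"


class JWTCookieAuth:
    """Stand-in: no cookie -> None, valid cookie -> user, bad cookie -> raises."""
    def authenticate(self, request):
        token = request.get("jwt_cookie")
        if token is None:
            return None
        if token.get("token_type") != "access":
            raise AuthenticationFailed("Token has wrong type")
        return (token["user"], token)


def authenticate(request, authenticators):
    """First non-None result wins; an exception stops the chain immediately."""
    for authenticator in authenticators:
        result = authenticator.authenticate(request)  # may raise
        if result is not None:
            return result[0]
    return None  # nobody claimed the request: anonymous


def outcome(request, authenticators):
    """Return the user name, 'anonymous', or the 401 the client would see."""
    try:
        return authenticate(request, authenticators) or "anonymous"
    except AuthenticationFailed as exc:
        return f"401: {exc}"


# Constructed request: valid browser session plus a JWT cookie that fails validation.
REQUEST = {"session_user": "alice",
           "jwt_cookie": {"token_type": "refresh", "user": "alice"}}

if __name__ == "__main__":
    print(outcome(REQUEST, [JWTCookieAuth(), SessionAuth()]))  # JWT class first
    print(outcome(REQUEST, [SessionAuth(), JWTCookieAuth()]))  # session class first
```

With the session class first, a request that has no session but still carries the rejected cookie gets the same 401, so the reorder hides the bad cookie rather than removing it.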