manosim / django-rest-framework-api-key

An extra layer of authentication for Web APIs made with Django REST Framework
BSD 2-Clause "Simplified" License

API KEY isn't checked at all in Django 1.11 / Python 3.5 #16

Open marianobrc opened 6 years ago

marianobrc commented 6 years ago

I've added it to installed apps:

```python
OTHER_APPS = [
    'custom_user',
    'rest_framework',
    'rest_framework.authtoken',
    'rest_framework_api_key',
    'rest_framework_bulk',
    'djoser',
    'storages',  # To store files in DO Spaces
    'django_extensions',  # To generate models graphs
    'rest_framework_swagger',
    #'rest_framework_docs',
]
```

My middlewares are:

```python
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
```

DRF config:

```python
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        # Global API Key to protect the API
        'rest_framework_api_key.permissions.HasAPIAccess',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        # Token authentication for users
        'rest_framework.authentication.TokenAuthentication',
    ),
}
```

I've generated the API KEY from the admin, but I can send any request without the header and it's accepted anyway. I've tried adding the header too:

`Api-Key: de0db181c02016016d8ef37dd3f31491ceec0ef2`

But I can set any key or remove the header and all the requests are accepted any time. Am I missing something? Should I add any extra middleware?

Thanks

flexpeace commented 6 years ago

I think the documentation didn't cover that aspect. This is how to get it to work correctly:

  1. Import it: `from rest_framework_api_key.permissions import HasAPIAccess`
  2. Add `permission_classes = (HasAPIAccess,)` to any of your API views
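To confirm that the permission is actually enforced after that change, here is an added smoke check (my own example, not code from the issue or from the library) that sends the same GET three ways to an endpoint you run yourself and reports whether requests without a valid `Api-Key` are rejected. The URL and key are placeholders; it assumes DRF answers 401 or 403 when `HasAPIAccess` rejects a request.

```python
# Added example: does the Api-Key header actually gate the endpoint?
# Run it against your own deployment; URL and key below are placeholders.
import urllib.error
import urllib.request

DENIED = {401, 403}  # DRF returns 401 or 403 when a permission class rejects a request


def probe(url, api_key=None, timeout=5):
    """Return the HTTP status code of a GET to `url`, optionally with an Api-Key header."""
    req = urllib.request.Request(url, method="GET")
    if api_key is not None:
        req.add_header("Api-Key", api_key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403/404 are results we want to see, not failures


def verdict(no_key, wrong_key, right_key):
    """Classify the three status codes into a finding about key enforcement."""
    if no_key in DENIED and wrong_key in DENIED and right_key not in DENIED:
        return "enforced"
    if no_key not in DENIED or wrong_key not in DENIED:
        return "not enforced: requests without a valid Api-Key are accepted"
    return "misconfigured: even the valid key is rejected"


def check_api_key_enforcement(url, valid_key):
    """Probe `url` with no key, a bogus key and the real key; return (verdict, statuses)."""
    statuses = {
        "no_key": probe(url),
        "wrong_key": probe(url, "not-a-real-key"),  # constructed bogus value
        "right_key": probe(url, valid_key),
    }
    return verdict(**statuses), statuses


if __name__ == "__main__":
    # Placeholders: your own endpoint and a key generated in the admin.
    result, codes = check_api_key_enforcement(
        "http://localhost:8000/api/items/", "REPLACE_WITH_YOUR_KEY"
    )
    print(result, codes)
```

If the verdict is "not enforced" after adding `permission_classes` to the view, the view being hit is not the one you changed (for example a router or a different URL pattern), which is worth checking before touching middleware.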