Authentication in Django DRF viewset (app)

[davidyytan]

This is a django-allauth headless question.

Given that I authenticate over _allauth/app/v1/auth/loginand extract the session token and prove that the authentication is successful on _allauth/app/v1/auth/session using said token,

{
    "status": 200,
    "data": {
        "user": {
            "id": 1,
            "display": "root",
            "has_usable_password": true,
            "email": "[email protected]",
            "username": "root"
        },
        "methods": [
            {
                "method": "password",
                "at": 1718956007.074115,
                "username": "root"
            }
        ]
    },
    "meta": {
        "is_authenticated": true
    }
}

How can my DRF viewset return True for request.user.is_authenticated. Currently no matter what I do, the session header that I pass into the get request do not get translated into an authenticated user but they do exist as headers (can print them).

views.py

class DocumentViewSet(viewsets.ModelViewSet):
    
    queryset = Document.objects.all()
    serializer_class = DocumentSerializer

    def list(self, request, *args, **kwargs):
        print(request.user.is_authenticated)
        print(request.headers)
        return super().list(request, *args, **kwargs)

settings.py

from pathlib import Path

# Build paths inside the project like this: BASE_DIR / 'subdir'.
BASE_DIR = Path(__file__).resolve().parent.parent


# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/5.0/howto/deployment/checklist/

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'abcde'

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True

ALLOWED_HOSTS = []


# Application definition

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'rest_framework',                                               # djangorestframework
    'allauth',                                                      # django-allauth
    'allauth.account',                                              # django-allauth
    'allauth.headless',                                             # django-allauth
    'allauth.socialaccount',                                        # django-allauth
    'allauth.mfa',                                                  # django-allauth
    'allauth.usersessions',                                         # django-allauth
    
    'rest',                                                         # rest
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'allauth.account.middleware.AccountMiddleware',                 # django-allauth
]

ROOT_URLCONF = 'core.urls'

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
        },
    },
]

WSGI_APPLICATION = 'core.wsgi.application'


# Database
# https://docs.djangoproject.com/en/5.0/ref/settings/#databases

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.sqlite3',
        'NAME': BASE_DIR / 'db.sqlite3',
    }
}


# Password validation
# https://docs.djangoproject.com/en/5.0/ref/settings/#auth-password-validators

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]


# Internationalization
# https://docs.djangoproject.com/en/5.0/topics/i18n/

LANGUAGE_CODE = 'en-us'

TIME_ZONE = 'UTC'

USE_I18N = True

USE_TZ = True


# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/5.0/howto/static-files/

STATIC_URL = 'static/'

# Default primary key field type
# https://docs.djangoproject.com/en/5.0/ref/settings/#default-auto-field

DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'

# djangorestframework settings
REST_FRAMEWORK = {
    # Use Django's standard `django.contrib.auth` permissions,
    # or allow read-only access for unauthenticated users.
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly',
    ],

    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.TokenAuthentication',
    ],
}



# django-allauth settings
AUTHENTICATION_BACKENDS = [
    # Needed to login by username in Django admin, regardless of `allauth`
    'django.contrib.auth.backends.ModelBackend',
    # `allauth` specific authentication methods, such as login by email
    'allauth.account.auth_backends.AuthenticationBackend',
]

# django-allauth settings
# These are the URLs to be implemented by your single-page application.
HEADLESS_FRONTEND_URLS = {
    "account_confirm_email": "https://app.project.org/account/verify-email/{key}",
    "account_reset_password_from_key": "https://app.org/account/password/reset/key/{key}",
    "account_signup": "https://app.org/account/signup",
}

I searched through github issues, discussions, reddit etc. Couldnt find a solution. Tried adding 'rest_framework.authentication.BasicAuthentication', 'rest_framework.authentication.SessionAuthentication', 'rest_framework.authentication.TokenAuthentication' in DEFAULT_AUTHENTICATION_CLASSES, didnt work.

[pennersr]

Given that you are using using the /app endpoints, you are aiming for app based usage, meaning, cookies play no role and header tokens are needed to pinpoint the user. You have:

    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.TokenAuthentication',
    ],

None of those are capable of mapping the X-Session-Token header to a user. So, either you need to add an authentication class there that understands X-Session-Token, or, you need to configure allauth so that it generates an access token that DRF understands.

As for the former, you will need to create a class as documented here https://www.django-rest-framework.org/api-guide/authentication/#custom-authentication and add that to your DEFAULT_AUTHENTICATION_CLASSES.

As for the latter, you can setup an allauth HEADLESS_TOKEN_STRATEGY that creates an access token that DRF understands. Something along the lines of ( ⚠️ untested example code):

class DRFTokenStrategy(SessionTokenStrategy):
    def create_access_token(self, request):
        from rest_framework.authtoken.models import Token
        token, created = Token.objects.get_or_create(user=request.user)
        return token.key

When the user authenticates, that token.key is communicated to your app and once your app passes that access token along the DRF TokenAuthentication will be able to authenticate.

[davidyytan]

Thanks for your quick reply. It is working well!
Is it recommended to use default DRF token strategy or should I try to implement like a SimpleJWT for token management.

[pennersr]

My 2cts -- keep things as simple and stupid as possible and pick boring technology. Unless there are requirements where your project is split across multiple smaller services that need to authenticate in a stateless fashion, JWTs typically do not provide any benefit.

[davidyytan]

Thank you! Will consider your comment and revisit it only when we need it.

[davidyytan]

Hi pennersr. I have decided to move towards the simplejwt package for more fine tuned control over the jwt tokens like refresh and access tokens and an easy way to set expiry etc. How can I get the implmentation of the token strategy to work correctly.

from allauth.headless.tokens.sessions import SessionTokenStrategy
from rest_framework.authtoken.models import Token
from rest_framework_simplejwt.tokens import RefreshToken

class SimpleJWTTokenStrategy(SessionTokenStrategy):
    def create_access_token(self, request):
        refresh = RefreshToken.for_user(request.user)
        return str(refresh.access_token)
        # return {
        #     'refresh': str(refresh),
        #     'access': str(refresh.access_token),
        # }

class DRFTokenStrategy(SessionTokenStrategy):
    def create_access_token(self, request):
        token, created = Token.objects.get_or_create(user=request.user)
        return token.key

Currently this is my code for SimpleJWTTokenStrategy and it works for new (simple-jwt) access token but there is no way to tell django allauth about my new (simple-jwt) refresh token. Is there a better way of implementing this instead of parking the access and refresh token under the access key?

Thanks in advance. Your help is greatly appreciated!

[pennersr]

That is currently lacking. Filed as: #3997

[pennersr]

Support for this is added via e60d1ab

[davidyytan]

thanks! working well! closing this.