Web APIs for Django. 🎸
Go to file
Mahdi Rahimi c0166d95bb
Prevent small risk of Token overwrite (#9754)
* Fix #9250: Prevent token overwrite and improve security

- Fix key collision issue that could overwrite existing tokens
- Use force_insert=True only for new token instances
- Replace os.urandom with secrets.token_hex for better security
- Add comprehensive test suite to verify fix and backward compatibility
- Ensure existing tokens can still be updated without breaking changes

* Fix code style: remove trailing whitespace and unused imports

* Fix #9250: Prevent token overwrite with minimal changes

- Add force_insert=True to Token.save() for new objects to prevent overwriting existing tokens
- Revert generate_key method to original implementation (os.urandom + binascii)
- Update tests to work with original setUp() approach
- Remove verbose comments and unrelated changes per reviewer feedback

* Fix flake8 violations: remove extra blank lines and trailing whitespace

* Update tests/test_authtoken.py

Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>

* Update tests/test_authtoken.py

Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>

* Update tests/test_authtoken.py

Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>

* Fix token key regeneration behavior and add test

* Update tests/test_authtoken.py

Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>

---------

Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
2025-08-10 16:52:32 +06:00
.github Restore references to GitHub Issues and Discussions (#9757) 2025-08-09 12:44:46 +06:00
.tx restore the transifex configuration 2020-10-13 21:30:05 +02:00
docs add a new third-party package in serializers.md (#9717) 2025-08-10 10:12:11 +06:00
docs_theme Adapt docs to reflect stability-focused contribution policy 2024-04-30 18:24:21 +02:00
licenses Prefer https protocol for links in docs when available 2018-01-15 15:15:21 +01:00
requirements Fix test with Django 5 when pytz is available (#9715) 2025-07-24 08:47:47 +01:00
rest_framework Prevent small risk of Token overwrite (#9754) 2025-08-10 16:52:32 +06:00
tests Prevent small risk of Token overwrite (#9754) 2025-08-10 16:52:32 +06:00
.gitignore Update references to Travis CI after moving to Github Actions (#7909) 2021-04-12 13:14:26 +01:00
.pre-commit-config.yaml Add pyupgrade to pre-commit hooks (#9682) 2025-04-09 06:24:18 +00:00
codecov.yml Update codecov.yml 2018-10-02 16:57:49 +01:00
CONTRIBUTING.md Restore references to GitHub Issues and Discussions (#9757) 2025-08-09 12:44:46 +06:00
LICENSE.md Prefer https:// for URLs when available throughout project (#6208) 2018-10-02 08:28:58 +02:00
MANIFEST.in Upgraded Bootstrap to 3.4.1 and added CSS source maps (#8591) 2022-08-10 11:53:21 +01:00
mkdocs.yml Prepare v3.16, release notes, and announcement. (#9671) 2025-03-28 15:16:33 +01:00
PULL_REQUEST_TEMPLATE.md Adapt issue/PR template to better reflect contribution policy 2024-04-30 18:24:22 +02:00
README.md Drop Python 3.8 as EOL (#9670) 2025-03-28 13:56:54 +01:00
requirements.txt Update documentation on dependency installation (#8566) 2022-09-27 13:54:52 +01:00
runtests.py fix dist test by moving --no-pkgroot to runtests.py (#9129) 2023-10-05 12:33:53 +06:00
SECURITY.md Update SECURITY.md (#9628) 2025-01-21 15:00:02 +00:00
setup.cfg Fix typo in setup.cfg setting 2024-04-30 18:28:26 +02:00
setup.py Cleanup dependencies and conditions for unsupported Python versions (#9681) 2025-04-08 08:29:40 +00:00
tox.ini Update test matrix to use Django 5.2 stable version (#9679) 2025-04-04 11:39:11 +01:00

Django REST framework

build-status-image coverage-status-image pypi-version

Awesome web-browsable Web APIs.

Full documentation for the project is available at https://www.django-rest-framework.org/.


Funding

REST framework is a collaboratively funded project. If you use REST framework commercially we strongly encourage you to invest in its continued development by signing up for a paid plan.

The initial aim is to provide a single full-time position on REST framework. Every single sign-up makes a significant impact towards making that possible.

Many thanks to all our wonderful sponsors, and in particular to our premium backers, Sentry, Stream, Spacinov, Retool, bit.io, PostHog, CryptAPI, FEZTO, Svix, and Zuplo.


Overview

Django REST framework is a powerful and flexible toolkit for building Web APIs.

Some reasons you might want to use REST framework:

Below: Screenshot from the browsable API

Screenshot


Requirements

  • Python 3.9+
  • Django 4.2, 5.0, 5.1, 5.2

We highly recommend and only officially support the latest patch release of each Python and Django series.

Installation

Install using pip...

pip install djangorestframework

Add 'rest_framework' to your INSTALLED_APPS setting.

INSTALLED_APPS = [
    ...
    'rest_framework',
]

Example

Let's take a look at a quick example of using REST framework to build a simple model-backed API for accessing users and groups.

Startup up a new project like so...

pip install django
pip install djangorestframework
django-admin startproject example .
./manage.py migrate
./manage.py createsuperuser

Now edit the example/urls.py module in your project:

from django.contrib.auth.models import User
from django.urls import include, path
from rest_framework import routers, serializers, viewsets


# Serializers define the API representation.
class UserSerializer(serializers.HyperlinkedModelSerializer):
    class Meta:
        model = User
        fields = ['url', 'username', 'email', 'is_staff']


# ViewSets define the view behavior.
class UserViewSet(viewsets.ModelViewSet):
    queryset = User.objects.all()
    serializer_class = UserSerializer


# Routers provide a way of automatically determining the URL conf.
router = routers.DefaultRouter()
router.register(r'users', UserViewSet)

# Wire up our API using automatic URL routing.
# Additionally, we include login URLs for the browsable API.
urlpatterns = [
    path('', include(router.urls)),
    path('api-auth/', include('rest_framework.urls', namespace='rest_framework')),
]

We'd also like to configure a couple of settings for our API.

Add the following to your settings.py module:

INSTALLED_APPS = [
    ...  # Make sure to include the default installed apps here.
    'rest_framework',
]

REST_FRAMEWORK = {
    # Use Django's standard `django.contrib.auth` permissions,
    # or allow read-only access for unauthenticated users.
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly',
    ]
}

That's it, we're done!

./manage.py runserver

You can now open the API in your browser at http://127.0.0.1:8000/, and view your new 'users' API. If you use the Login control in the top right corner you'll also be able to add, create and delete users from the system.

You can also interact with the API using command line tools such as curl. For example, to list the users endpoint:

$ curl -H 'Accept: application/json; indent=4' -u admin:password http://127.0.0.1:8000/users/
[
    {
        "url": "http://127.0.0.1:8000/users/1/",
        "username": "admin",
        "email": "admin@example.com",
        "is_staff": true,
    }
]

Or to create a new user:

$ curl -X POST -d username=new -d email=new@example.com -d is_staff=false -H 'Accept: application/json; indent=4' -u admin:password http://127.0.0.1:8000/users/
{
    "url": "http://127.0.0.1:8000/users/2/",
    "username": "new",
    "email": "new@example.com",
    "is_staff": false,
}

Documentation & Support

Full documentation for the project is available at https://www.django-rest-framework.org/.

For questions and support, use the REST framework discussion group, or #restframework on libera.chat IRC.

Security

Please see the security policy.