<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<title>Django REST framework</title>
<link href="http://tomchristie.github.com/django-rest-framework/img/favicon.ico" rel="icon" type="image/x-icon">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<!-- Le styles -->
<link href="http://tomchristie.github.com/django-rest-framework/css/prettify.css" rel="stylesheet">
<link href="http://tomchristie.github.com/django-rest-framework/css/bootstrap.css" rel="stylesheet">
<link href="http://tomchristie.github.com/django-rest-framework/css/bootstrap-responsive.css" rel="stylesheet">
<link href="http://tomchristie.github.com/django-rest-framework/css/default.css" rel="stylesheet">
<!-- Le HTML5 shim, for IE6-8 support of HTML5 elements -->
<!--[if lt IE 9]>
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body onload="prettyPrint()" class="authentication-page">
<div class="wrapper">
<div class="navbar navbar-inverse navbar-fixed-top">
<div class="navbar-inner">
<div class="container-fluid">
<a class="repo-link btn btn-primary btn-small" href="https://github.com/tomchristie/django-rest-framework/tree/restframework2">GitHub</a>
<a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</a>
<a class="brand" href="http://tomchristie.github.com/django-rest-framework">Django REST framework</a>
<div class="nav-collapse collapse">
<ul class="nav">
<li><a href="http://tomchristie.github.com/django-rest-framework">Home</a></li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Tutorial <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/quickstart">Quickstart</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/1-serialization">1 - Serialization</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/2-requests-and-responses">2 - Requests and responses</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/3-class-based-views">3 - Class based views</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/4-authentication-permissions-and-throttling">4 - Authentication, permissions and throttling</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/5-relationships-and-hyperlinked-apis">5 - Relationships and hyperlinked APIs</a></li>
<!-- <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/6-resource-orientated-projects">6 - Resource orientated projects</a></li> -->
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">API Guide <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/requests">Requests</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/responses">Responses</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/views">Views</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/generic-views">Generic views</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/parsers">Parsers</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/renderers">Renderers</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/serializers">Serializers</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/fields">Serializer fields</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/authentication">Authentication</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/permissions">Permissions</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/throttling">Throttling</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/pagination">Pagination</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/content-negotiation">Content negotiation</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/format-suffixes">Format suffixes</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/reverse">Returning URLs</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/exceptions">Exceptions</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/status-codes">Status codes</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/settings">Settings</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Topics <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://tomchristie.github.com/django-rest-framework/topics/csrf">Working with AJAX and CSRF</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/topics/browser-enhancements">Browser enhancements</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/topics/browsable-api">The Browsable API</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/topics/rest-hypermedia-hateoas">REST, Hypermedia &amp; HATEOAS</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/topics/contributing">Contributing to REST framework</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/topics/migration">2.0 Migration Guide</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/topics/changelog">Change Log</a></li>
<li><a href="http://tomchristie.github.com/django-rest-framework/topics/credits">Credits</a></li>
</ul>
</li>
</ul>
<ul class="nav pull-right">
<!-- TODO
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Version: 2.0.0 <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="#">Trunk</a></li>
<li><a href="#">2.0.0</a></li>
</ul>
</li>
-->
</ul>
</div> <!-- /.nav-collapse -->
</div>
</div>
</div>
<div class="body-content">
<div class="container-fluid">
<div class="row-fluid">
<div class="span3">
<!-- TODO
<p style="margin-top: -12px">
<a class="btn btn-mini btn-primary" style="width: 60px">« previous</a>
<a class="btn btn-mini btn-primary" style="float: right; margin-right: 8px; width: 60px;">next »</a>
</p>
-->
<div id="table-of-contents">
<ul class="nav nav-list side-nav well sidebar-nav-fixed">
<li class="main"><a href="#authentication">Authentication</a></li>
<li><a href="#how-authentication-is-determined">How authentication is determined</a></li>
<li><a href="#setting-the-authentication-policy">Setting the authentication policy</a></li>
<li><a href="#basicauthentication">BasicAuthentication</a></li>
<li><a href="#tokenauthentication">TokenAuthentication</a></li>
<li><a href="#oauthauthentication">OAuthAuthentication</a></li>
<li><a href="#sessionauthentication">SessionAuthentication</a></li>
<li><a href="#custom-authentication-policies">Custom authentication policies</a></li>
</ul>
</div>
</div>
<div id="main-content" class="span9">
<p><a class="github" href="https://github.com/tomchristie/django-rest-framework/blob/restframework2/rest_framework/authentication.py"><span class="label label-info">authentication.py</span></a></p>
<h1 id="authentication">Authentication</h1>
<blockquote>
<p>Auth needs to be pluggable.</p>
<p>— Jacob Kaplan-Moss, <a href="http://jacobian.org/writing/rest-worst-practices/">"REST worst practices"</a></p>
</blockquote>
<p>Authentication is the mechanism of associating an incoming request with a set of identifying credentials, such as the user the request came from, or the token that it was signed with. The <a href="permissions">permission</a> and <a href="throttling">throttling</a> policies can then use those credentials to determine if the request should be permitted.</p>
<p>REST framework provides a number of authentication policies out of the box, and also allows you to implement custom policies.</p>
<p>Authentication will run the first time either the <code>request.user</code> or <code>request.auth</code> property is accessed, and determines how those properties are initialized.</p>
<p>The <code>request.user</code> property will typically be set to an instance of the <code>contrib.auth</code> package's <code>User</code> class.</p>
<p>The <code>request.auth</code> property is used for any additional authentication information; for example, it may represent an authentication token that the request was signed with.</p>
<h2 id="how-authentication-is-determined">How authentication is determined</h2>
<p>The authentication policy is always defined as a list of classes. REST framework will attempt to authenticate with each class in the list, and will set <code>request.user</code> and <code>request.auth</code> using the return value of the first class that successfully authenticates.</p>
<p>If no class authenticates, <code>request.user</code> will be set to an instance of <code>django.contrib.auth.models.AnonymousUser</code>, and <code>request.auth</code> will be set to <code>None</code>.</p>
<p>The value of <code>request.user</code> and <code>request.auth</code> for unauthenticated requests can be modified using the <code>UNAUTHENTICATED_USER</code> and <code>UNAUTHENTICATED_TOKEN</code> settings.</p>
<h2 id="setting-the-authentication-policy">Setting the authentication policy</h2>
<p>The default authentication policy may be set globally, using the <code>DEFAULT_AUTHENTICATION</code> setting. For example:</p>
<pre class="prettyprint lang-py"><code>REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION': (
        'rest_framework.authentication.UserBasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    )
}
</code></pre>
<p>You can also set the authentication policy on a per-view basis, using the <code>APIView</code> class based views.</p>
<pre class="prettyprint lang-py"><code>from rest_framework.authentication import SessionAuthentication, UserBasicAuthentication
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView

class ExampleView(APIView):
    authentication_classes = (SessionAuthentication, UserBasicAuthentication)
    permission_classes = (IsAuthenticated,)

    def get(self, request, format=None):
        content = {
            'user': unicode(request.user),  # `django.contrib.auth.User` instance.
            'auth': unicode(request.auth),  # None
        }
        return Response(content)
</code></pre>
<p>Or, if you're using the <code>@api_view</code> decorator with function based views:</p>
<pre class="prettyprint lang-py"><code>from rest_framework.authentication import SessionAuthentication, UserBasicAuthentication
from rest_framework.decorators import api_view, authentication_classes, permission_classes
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response

@api_view(('GET',))
@authentication_classes((SessionAuthentication, UserBasicAuthentication))
@permission_classes((IsAuthenticated,))
def example_view(request, format=None):
    content = {
        'user': unicode(request.user),  # `django.contrib.auth.User` instance.
        'auth': unicode(request.auth),  # None
    }
    return Response(content)
</code></pre>
<h2 id="basicauthentication">BasicAuthentication</h2>
<p>This policy uses <a href="http://tools.ietf.org/html/rfc2617">HTTP Basic Authentication</a>, signed against a user's username and password. Basic authentication is generally only appropriate for testing.</p>
<p>If successfully authenticated, <code>BasicAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be <code>None</code>.</li>
</ul>
<p><strong>Note:</strong> If you use <code>BasicAuthentication</code> in production you must ensure that your API is only available over <code>https</code>. You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage.</p>
<h2 id="tokenauthentication">TokenAuthentication</h2>
<p>This policy uses a simple token-based HTTP Authentication scheme. Token authentication is appropriate for client-server setups, such as native desktop and mobile clients.</p>
<p>To use the <code>TokenAuthentication</code> policy, include <code>rest_framework.authtoken</code> in your <code>INSTALLED_APPS</code> setting.</p>
<p>You'll also need to create tokens for your users.</p>
<pre class="prettyprint lang-py"><code>from rest_framework.authtoken.models import Token

token = Token.objects.create(user=...)
print token.key
</code></pre>
<p>For clients to authenticate, the token key should be included in the <code>Authorization</code> HTTP header. The key should be prefixed by the string literal "Token", with whitespace separating the two strings. For example:</p>
<pre class="prettyprint"><code>Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b
</code></pre>
<p>If successfully authenticated, <code>TokenAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be a <code>rest_framework.authtoken.models.Token</code> instance.</li>
</ul>
<p><strong>Note:</strong> If you use <code>TokenAuthentication</code> in production you must ensure that your API is only available over <code>https</code>.</p>
<h2 id="oauthauthentication">OAuthAuthentication</h2>
<p>This policy uses the <a href="http://oauth.net/2/">OAuth 2.0</a> protocol to authenticate requests. OAuth is appropriate for server-server setups, such as when you want to allow a third-party service to access your API on a user's behalf.</p>
<p>If successfully authenticated, <code>OAuthAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be a <code>rest_framework.models.OAuthToken</code> instance.</li>
</ul>
<h2 id="sessionauthentication">SessionAuthentication</h2>
<p>This policy uses Django's default session backend for authentication. Session authentication is appropriate for AJAX clients that are running in the same session context as your website.</p>
<p>If successfully authenticated, <code>SessionAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be <code>None</code>.</li>
</ul>
<h2 id="custom-authentication-policies">Custom authentication policies</h2>
<p>To implement a custom authentication policy, subclass <code>BaseAuthentication</code> and override the <code>.authenticate(self, request)</code> method. The method should return a two-tuple of <code>(user, auth)</code> if authentication succeeds, or <code>None</code> otherwise.</p>
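<p>As an added example (not code from REST framework itself), the following module puts the custom-policy contract, the <code>Authorization: Token &lt;key&gt;</code> header format and the first-class-wins rule from "How authentication is determined" together in runnable form. It assumes nothing from Django or REST framework is installed: <code>BaseAuthentication</code>, <code>AuthenticationFailed</code>, the user classes and the request object are minimal stand-ins, and the token store and key are constructed for the example.</p>

```python
# Added example (not REST framework's own code): a custom policy that parses
# the "Authorization: Token <key>" header described above and returns the
# (user, auth) two-tuple or None, plus the first-class-wins loop from
# "How authentication is determined". Django/REST framework are not imported;
# the framework classes and the request object are stand-ins (assumption).
import hashlib
from collections import namedtuple

class BaseAuthentication(object):
    """Stand-in for rest_framework.authentication.BaseAuthentication."""
    def authenticate(self, request):
        return None

class AuthenticationFailed(Exception):
    """Stand-in for the framework's authentication-failure exception."""

User = namedtuple("User", "username")
AnonymousUser = User("AnonymousUser")
Request = namedtuple("Request", "META")  # Django keeps headers in request.META

def _digest(key):
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

# Constructed token store: keys are hashed at rest so a leaked table does not
# hand out usable credentials. The key value is made up for this example.
EXAMPLE_KEY = "0123456789abcdef0123456789abcdef01234567"
TOKENS = {_digest(EXAMPLE_KEY): User("alice")}

class HeaderTokenAuthentication(BaseAuthentication):
    """Custom policy accepting 'Authorization: Token <key>'."""
    keyword = "token"

    def authenticate(self, request):
        parts = request.META.get("HTTP_AUTHORIZATION", "").split()
        if not parts or parts[0].lower() != self.keyword:
            return None  # not our scheme: let the next policy in the list try
        if len(parts) != 2:
            # Present but malformed credentials are an error, not a silent
            # fall-through to anonymous access.
            raise AuthenticationFailed("Invalid token header")
        user = TOKENS.get(_digest(parts[1]))
        if user is None:
            raise AuthenticationFailed("Invalid token")
        return (user, parts[1])  # the (user, auth) two-tuple the docs require

def authenticate_request(auth_classes, request,
                         unauthenticated_user=AnonymousUser,
                         unauthenticated_token=None):
    """First class returning a tuple wins; otherwise the UNAUTHENTICATED_USER /
    UNAUTHENTICATED_TOKEN style defaults are used."""
    for cls in auth_classes:
        result = cls().authenticate(request)
        if result is not None:
            return result
    return (unauthenticated_user, unauthenticated_token)

def is_rejected(auth_classes, request):
    """True when a policy raises AuthenticationFailed for the request."""
    try:
        authenticate_request(auth_classes, request)
    except AuthenticationFailed:
        return True
    return False
```

<p>Note the distinction the loop relies on: a policy returns <code>None</code> only when the request carries no credential of its kind, while a credential that is present but invalid is rejected outright rather than being quietly downgraded to the anonymous user.</p>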
</div> <!-- /span -->
</div> <!-- /row -->
</div> <!-- /.fluid-container -->
</div> <!-- /.body content -->
<div id="push"></div>
</div> <!-- /.wrapper -->
<footer class="span12">
<p>Sponsored by <a href="http://dabapps.com/">DabApps</a>.</p>
</footer>
<!-- Le javascript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
<script src="http://tomchristie.github.com/django-rest-framework/js/jquery-1.8.1-min.js"></script>
<script src="http://tomchristie.github.com/django-rest-framework/js/prettify-1.0.js"></script>
<script src="http://tomchristie.github.com/django-rest-framework/js/bootstrap-2.1.1-min.js"></script>
<script>
//$('.side-nav').scrollspy()
var shiftWindow = function() { scrollBy(0, -50) };
if (location.hash) shiftWindow();
window.addEventListener("hashchange", shiftWindow);

$('.dropdown-menu').on('click touchstart', function(event) {
    event.stopPropagation();
});
</script>
</body></html>