mirror of
https://github.com/encode/django-rest-framework.git
synced 2024-12-04 23:44:07 +03:00
234 lines
14 KiB
HTML
234 lines
14 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
|
<meta charset="utf-8">
|
|
<title>Django REST framework</title>
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<meta name="description" content="">
|
|
<meta name="author" content="">
|
|
|
|
<!-- Le styles -->
|
|
<link href="http://tomchristie.github.com/django-rest-framework/css/bootstrap.css" rel="stylesheet">
|
|
<style type="text/css">
|
|
body {
|
|
padding-top: 60px;
|
|
padding-bottom: 40px;
|
|
}
|
|
.sidebar-nav {
|
|
padding: 9px 0;
|
|
}
|
|
.nav-list li.main {
|
|
font-weight: bold;
|
|
}
|
|
blockquote {
|
|
font-family: Georgia, serif;
|
|
font-size: 18px;
|
|
font-style: italic;
|
|
margin: 0.25em 0;
|
|
padding: 0.25em 40px;
|
|
line-height: 1.45;
|
|
position: relative;
|
|
color: #383838;
|
|
border-left: none;
|
|
}
|
|
|
|
blockquote:before {
|
|
display: block;
|
|
content: "\201C";
|
|
font-size: 80px;
|
|
position: absolute;
|
|
left: -10px;
|
|
top: -20px;
|
|
color: #7a7a7a;
|
|
}
|
|
|
|
blockquote p:last-child {
|
|
color: #999999;
|
|
font-size: 14px;
|
|
display: block;
|
|
margin-top: 5px;
|
|
}
|
|
</style>
|
|
<link href="http://tomchristie.github.com/django-rest-framework/css/bootstrap-responsive.css" rel="stylesheet">
|
|
|
|
<!-- Le HTML5 shim, for IE6-8 support of HTML5 elements -->
|
|
<!--[if lt IE 9]>
|
|
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
|
<![endif]-->
|
|
<body>
|
|
|
|
<div class="navbar navbar-inverse navbar-fixed-top">
|
|
<div class="navbar-inner">
|
|
<div class="container-fluid">
|
|
<a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
|
|
<span class="icon-bar"></span>
|
|
<span class="icon-bar"></span>
|
|
<span class="icon-bar"></span>
|
|
</a>
|
|
<a class="brand" href="http://tomchristie.github.com/django-rest-framework">Django REST framework</a>
|
|
<div class="nav-collapse collapse">
|
|
<ul class="nav">
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework">Home</a></li>
|
|
<li class="dropdown">
|
|
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Tutorial <b class="caret"></b></a>
|
|
<ul class="dropdown-menu">
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/1-serialization">1 - Serialization</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/2-requests-and-responses">2 - Requests and responses</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/3-class-based-views">3 - Class based views</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/4-authentication-permissions-and-throttling">4 - Authentication, permissions and throttling</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/5-relationships-and-hyperlinked-apis">5 - Relationships and hyperlinked APIs</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/6-resource-orientated-projects">6 - Resource orientated projects</a></li>
|
|
</ul>
|
|
</li>
|
|
<li class="dropdown">
|
|
<a href="#" class="dropdown-toggle" data-toggle="dropdown">API Guide <b class="caret"></b></a>
|
|
<ul class="dropdown-menu">
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/requests">Requests</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/responses">Responses</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/views">Views</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/parsers">Parsers</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/renderers">Renderers</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/serializers">Serializers</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/authentication">Authentication</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/permissions">Permissions</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/throttling">Throttling</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/exceptions">Exceptions</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/status-codes">Status codes</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/reverse">Returning URLs</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/settings">Settings</a></li>
|
|
</ul>
|
|
</li>
|
|
<li class="dropdown">
|
|
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Topics <b class="caret"></b></a>
|
|
<ul class="dropdown-menu">
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/topics/csrf">Working with AJAX and CSRF</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/topics/formoverloading">Browser based PUT, PATCH and DELETE</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/topics/contributing">Contributing to REST framework</a></li>
|
|
<li><a href="http://tomchristie.github.com/django-rest-framework/topics/credits">Credits</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
<ul class="nav pull-right">
|
|
<li class="dropdown">
|
|
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Version: 2.0.0 <b class="caret"></b></a>
|
|
<ul class="dropdown-menu">
|
|
<li><a href="#">Trunk</a></li>
|
|
<li><a href="#">2.0.0</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div><!--/.nav-collapse -->
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<div class="container-fluid">
|
|
<div class="row-fluid">
|
|
<div class="span3">
|
|
<div class="well affix span3">
|
|
<ul class="nav nav-list side-nav">
|
|
<li class="main"><a href="#authentication">Authentication</a></li>
|
|
<li><a href="#how-authentication-is-determined">How authentication is determined</a></li>
|
|
<li><a href="#setting-the-authentication-policy">Setting the authentication policy</a></li>
|
|
<li><a href="#userbasicauthentication">UserBasicAuthentication</a></li>
|
|
<li><a href="#tokenbasicauthentication">TokenBasicAuthentication</a></li>
|
|
<li><a href="#oauthauthentication">OAuthAuthentication</a></li>
|
|
<li><a href="#sessionauthentication">SessionAuthentication</a></li>
|
|
<li><a href="#custom-authentication-policies">Custom authentication policies</a></li>
|
|
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
|
|
<div class="span9">
|
|
<h1 id="authentication">Authentication</h1>
|
|
<p>Authentication is the mechanism of associating an incoming request with a set of identifying credentials, such as the user the request came from, or the token that it was signed with. The <a href="permissions">permission</a> and <a href="throttling">throttling</a> policies can then use those credentials to determine if the request should be permitted.</p>
|
|
<p>REST framework provides a number of authentication policies out of the box, and also allows you to implement custom policies.</p>
|
|
<p>Authentication will run the first time either the <code>request.user</code> or <code>request.auth</code> properties are accessed, and determines how those properties are initialized.</p>
|
|
<p>The <code>request.user</code> property will typically be set to an instance of the <code>contrib.auth</code> package's <code>User</code> class.</p>
|
|
<p>The <code>request.auth</code> property is used for any additional authentication information, for example, it may be used to represent an authentication token that the request was signed with.<br />
|
|
</p>
|
|
<h2 id="how-authentication-is-determined">How authentication is determined</h2>
|
|
<p>Authentication is always set as a list of classes. REST framework will attempt to authenticate with each class in the list, and will set <code>request.user</code> and <code>request.auth</code> using the return value of the first class that successfully authenticates.</p>
|
|
<p>If no class authenticates, <code>request.user</code> will be set to an instance of <code>django.contrib.auth.models.AnonymousUser</code>, and <code>request.auth</code> will be set to <code>None</code>.</p>
|
|
<p>The value of <code>request.user</code> and <code>request.auth</code> for unauthenticated requests can be modified using the <code>UNAUTHENTICATED_USER</code> and <code>UNAUTHENTICATED_TOKEN</code> settings.</p>
|
|
<h2 id="setting-the-authentication-policy">Setting the authentication policy</h2>
|
|
<p>The default authentication policy may be set globally, using the <code>DEFAULT_AUTHENTICATION</code> setting. For example.</p>
|
|
<pre><code>API_SETTINGS = {
|
|
'DEFAULT_AUTHENTICATION': (
|
|
'djangorestframework.authentication.UserBasicAuthentication',
|
|
'djangorestframework.authentication.SessionAuthentication',
|
|
)
|
|
}
|
|
</code></pre>
|
|
<p>You can also set the authentication policy on a per-view basis, using the <code>APIView</code> class based views.</p>
|
|
<pre><code>class ExampleView(APIView):
|
|
authentication_classes = (SessionAuthentication, UserBasicAuthentication)
|
|
|
|
def get(self, request, format=None):
|
|
content = {
|
|
'user': unicode(request.user), # `django.contrib.auth.User` instance.
|
|
'auth': unicode(request.auth), # None
|
|
}
|
|
return Response(content)
|
|
</code></pre>
|
|
<p>Or, if you're using the <code>@api_view</code> decorator with function based views.</p>
|
|
<pre><code>@api_view(
|
|
allowed=('GET',),
|
|
authentication_classes=(SessionAuthentication, UserBasicAuthentication)
|
|
)
|
|
def example_view(request, format=None):
|
|
content = {
|
|
'user': unicode(request.user), # `django.contrib.auth.User` instance.
|
|
'auth': unicode(request.auth), # None
|
|
}
|
|
return Response(content)
|
|
</code></pre>
|
|
<h2 id="userbasicauthentication">UserBasicAuthentication</h2>
|
|
<p>This policy uses <a href="http://tools.ietf.org/html/rfc2617">HTTP Basic Authentication</a>, signed against a user's username and password. User basic authentication is generally only appropriate for testing.</p>
|
|
<p><strong>Note:</strong> If you run <code>UserBasicAuthentication</code> in production your API must be <code>https</code> only, or it will be completely insecure. You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage.</p>
|
|
<p>If successfully authenticated, <code>UserBasicAuthentication</code> provides the following credentials.</p>
|
|
<ul>
|
|
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
|
|
<li><code>request.auth</code> will be <code>None</code>.</li>
|
|
</ul>
|
|
<h2 id="tokenbasicauthentication">TokenBasicAuthentication</h2>
|
|
<p>This policy uses <a href="http://tools.ietf.org/html/rfc2617">HTTP Basic Authentication</a>, signed against a token key and secret. Token basic authentication is appropriate for client-server setups, such as native desktop and mobile clients.</p>
|
|
<p><strong>Note:</strong> If you run <code>TokenBasicAuthentication</code> in production your API must be <code>https</code> only, or it will be completely insecure.</p>
|
|
<p>If successfully authenticated, <code>TokenBasicAuthentication</code> provides the following credentials.</p>
|
|
<ul>
|
|
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
|
|
<li><code>request.auth</code> will be a <code>djangorestframework.models.BasicToken</code> instance.</li>
|
|
</ul>
|
|
<h2 id="oauthauthentication">OAuthAuthentication</h2>
|
|
<p>This policy uses the <a href="http://oauth.net/2/">OAuth 2.0</a> protocol to authenticate requests. OAuth is appropriate for server-server setups, such as when you want to allow a third-party service to access your API on a user's behalf.</p>
|
|
<p>If successfully authenticated, <code>OAuthAuthentication</code> provides the following credentials.</p>
|
|
<ul>
|
|
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
|
|
<li><code>request.auth</code> will be a <code>djangorestframework.models.OAuthToken</code> instance.</li>
|
|
</ul>
|
|
<h2 id="sessionauthentication">SessionAuthentication</h2>
|
|
<p>This policy uses Django's default session backend for authentication. Session authentication is appropriate for AJAX clients that are running in the same session context as your website.</p>
|
|
<p>If successfully authenticated, <code>SessionAuthentication</code> provides the following credentials.</p>
|
|
<ul>
|
|
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
|
|
<li><code>request.auth</code> will be <code>None</code>.</li>
|
|
</ul>
|
|
<h2 id="custom-authentication-policies">Custom authentication policies</h2>
|
|
<p>To implement a custom authentication policy, subclass <code>BaseAuthentication</code> and override the <code>authenticate(self, request)</code> method. The method should return a two-tuple of <code>(user, auth)</code> if authentication succeeds, or <code>None</code> otherwise.</p>
|
|
</div><!--/span-->
|
|
</div><!--/row-->
|
|
</div><!--/.fluid-container-->
|
|
|
|
<!-- Le javascript
|
|
================================================== -->
|
|
<!-- Placed at the end of the document so the pages load faster -->
|
|
<script src="http://tomchristie.github.com/django-rest-framework/js/jquery.js"></script>
|
|
<script src="http://tomchristie.github.com/django-rest-framework/js/bootstrap-dropdown.js"></script>
|
|
<script src="http://tomchristie.github.com/django-rest-framework/js/bootstrap-scrollspy.js"></script>
|
|
<script>
|
|
//$('.side-nav').scrollspy()
|
|
var shiftWindow = function() { scrollBy(0, -50) };
|
|
if (location.hash) shiftWindow();
|
|
window.addEventListener("hashchange", shiftWindow);
|
|
</script>
|
|
</body></html> |