The default key for TokenAuthorization is "Token". The most often used key is "Bearer". Not long ago I tried to change the authentication token name for our REST application. I found the class TokenAuthentication on line 142 in authentication.py. It defines the method "authenticate_header", which returns "Token", so I thought that it would be possible to override this method and return "Bearer". No, it's not possible. I had to override the entire class just to change the token name. Did I miss something?

This actually should be in the settings.py file. I don't know if there is another way to define the token name. If there is, please give me a link to the docs. If it's not possible, I could easily create a plugin that takes the token name from the settings file. The method "authenticate_header" seems not to be used at all. This is my modification:
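```python
from django.utils.translation import gettext_lazy as _
from rest_framework import exceptions
from rest_framework.authentication import (
    TokenAuthentication, get_authorization_header,
)


class CustomTokenAuthentication(TokenAuthentication):
    """ Modify default authorization header to much more common 'Bearer'.
    """
    header_key = b'bearer'

    def authenticate(self, request):
        auth = get_authorization_header(request).split()
        # Not our scheme: return None so other authenticators can try.
        if not auth or auth[0].lower() != self.header_key:
            return None
        if len(auth) == 1:
            msg = _('Invalid token header. No credentials provided.')
            raise exceptions.AuthenticationFailed(msg)
        elif len(auth) > 2:
            msg = _(
                'Invalid token header. Token string should not contain spaces.'
            )
            raise exceptions.AuthenticationFailed(msg)
        try:
            token = auth[1].decode()
        except UnicodeError:
            # Adjacent literals are concatenated; a comma here would pass
            # two arguments to _() and raise TypeError.
            msg = _(
                'Invalid token header. Token string should not contain '
                'invalid characters.'
            )
            raise exceptions.AuthenticationFailed(msg)
        return self.authenticate_credentials(token)

    def authenticate_header(self, request):
        # Value sent back in WWW-Authenticate on a 401 response.
        return "Bearer"
```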
The authenticate header determines if a 401 response should be used and if so what value the WWW-Authenticate header should have.
If you want to change the behavior of the token authentication you'll just need to do so explicitly.
I've just come across the same problem.
@tomchristie would you accept a pull request that would set keyword class variable to 'Token' in TokenAuthorization, and use it inside its methods (instead of hardcoding it, as it is done now), so we can then do:

```python
from rest_framework import authentication


class BearerAuthentication(authentication.TokenAuthentication):
    '''
    Simple token based authentication using utvsapitoken.

    Clients should authenticate by passing the token key in the 'Authorization'
    HTTP header, prepended with the string 'Bearer '. For example:

        Authorization: Bearer 956e252a-513c-48c5-92dd-bfddc364e812
    '''
    keyword = 'Bearer'
```

?
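The two behaviours discussed in this thread, as a framework-free sketch added here (not code from Django REST framework or from any poster): the scheme keyword matched against the Authorization header, and the authenticate header value that selects between a 401 with WWW-Authenticate and a 403. The names `parse_authorization`, `AuthError`, `challenge_response` and `handle` are hypothetical, and the 403 fallback for an empty authenticate header is this sketch's model of the "if a 401 response should be used" remark above.

```python
class AuthError(Exception):
    """The header names our scheme but the credentials are malformed."""


def parse_authorization(header: bytes, keyword: str = "Token"):
    """Return the token, or None when the header belongs to another scheme.

    Same checks as the class posted above, with the scheme name taken
    from `keyword` instead of being hardcoded.
    """
    parts = header.split()
    if not parts or parts[0].lower() != keyword.lower().encode():
        return None  # not ours: a later authenticator may still accept it
    if len(parts) == 1:
        raise AuthError("Invalid token header. No credentials provided.")
    if len(parts) > 2:
        raise AuthError(
            "Invalid token header. Token string should not contain spaces.")
    try:
        return parts[1].decode()
    except UnicodeError:
        raise AuthError("Invalid token header. Token string should not "
                        "contain invalid characters.") from None


def challenge_response(authenticate_header):
    """Status and headers for a request that failed authentication.

    A non-empty authenticate header yields 401 plus WWW-Authenticate;
    an empty one leaves the client with a 403 and no challenge.
    """
    if authenticate_header:
        return 401, {"WWW-Authenticate": authenticate_header}
    return 403, {}


def handle(header: bytes, keyword: str, valid_tokens: set):
    """Authenticate one request against a constructed in-memory token set
    (a stand-in for the token table lookup)."""
    try:
        token = parse_authorization(header, keyword)
    except AuthError:
        return challenge_response(keyword)
    if token is None or token not in valid_tokens:
        return challenge_response(keyword)
    return 200, {}
```

With `keyword="Bearer"`, a client still sending `Token ...` is treated as unauthenticated and receives the `Bearer` challenge, which is how clients on the old scheme show up after the keyword is changed.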