Django-rest-framework: Key name in AuthToken authorization

Created on 28 Apr 2016  ·  3 Comments  ·  Source: encode/django-rest-framework

The default key for TokenAuthorization is "Token". The most often used key is "Bearer". Not long ago I tried to change the authentication token name for our REST application. I found the class TokenAuthentication on line 142 in authentication.py. It defines the method "authenticate_header", which returns "Token", so I thought that it would be possible to override this method and return "Bearer". No, it's not possible. I had to override the entire class just to change the token name. Am I missing something? This actually should be in the settings.py file. I don't know if there is another way to define the token name. If there is, please give me a link to the docs. If it's not possible, I could easily create a plugin that takes the token name from the settings file. The method "authenticate_header" seems not to be used at all. This is my modification:

from django.utils.translation import gettext_lazy as _
from rest_framework import exceptions
from rest_framework.authentication import (
    TokenAuthentication, get_authorization_header
)


class CustomTokenAuthentication(TokenAuthentication):
    """ Modify default authorization header to much more common 'Bearer'.
    """
    header_key = b'bearer'

    def authenticate(self, request):
        auth = get_authorization_header(request).split()

        # Not our scheme: return None so other authenticators can try.
        if not auth or auth[0].lower() != self.header_key:
            return None

        if len(auth) == 1:
            msg = _('Invalid token header. No credentials provided.')
            raise exceptions.AuthenticationFailed(msg)
        elif len(auth) > 2:
            msg = _(
                'Invalid token header. Token string should not contain spaces.'
            )
            raise exceptions.AuthenticationFailed(msg)

        try:
            token = auth[1].decode()
        except UnicodeError:
            # Adjacent literals form one message; a comma here would pass
            # two arguments to _() and raise TypeError.
            msg = _(
                'Invalid token header. Token string should not contain '
                'invalid characters.'
            )
            raise exceptions.AuthenticationFailed(msg)

        return self.authenticate_credentials(token)

    def authenticate_header(self, request):
        # Value sent in the WWW-Authenticate header of a 401 response.
        return "Bearer"

All 3 comments

The authenticate header determines if a 401 response should be used and if so what value the WWW-Authenticate header should have.

If you want to change the behavior of the token authentication you'll just need to do so explicitly.

I've just come across the same problem.

@tomchristie would you accept a pull request that would set a keyword class variable to 'Token' in TokenAuthorization, and use it inside its methods (instead of hardcoding it, as it is done now), so we can then do:

from rest_framework import authentication


class BearerAuthentication(authentication.TokenAuthentication):
    '''
    Simple token based authentication using utvsapitoken.

    Clients should authenticate by passing the token key in the 'Authorization'
    HTTP header, prepended with the string 'Bearer '.  For example:

        Authorization: Bearer 956e252a-513c-48c5-92dd-bfddc364e812
    '''
    keyword = 'Bearer'

?
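
The header check from this thread as a stand-alone, added example (not code from the posts or from django-rest-framework), with the scheme keyword passed in as the second comment proposes. `AuthFailed`, `parse_auth_header` and `classify` are hypothetical names, and the sample headers are constructed.

```python
class AuthFailed(Exception):
    """Client used our scheme but sent unusable credentials (answer 401)."""


def parse_auth_header(raw: bytes, keyword: str = "Token"):
    """Return the token, or None when the header belongs to another scheme.

    None lets the next authenticator try; AuthFailed stops the request.
    """
    parts = raw.split()
    # Scheme names are case-insensitive, so compare lowered bytes.
    if not parts or parts[0].lower() != keyword.lower().encode():
        return None
    if len(parts) == 1:
        raise AuthFailed("Invalid token header. No credentials provided.")
    if len(parts) > 2:
        raise AuthFailed(
            "Invalid token header. Token string should not contain spaces.")
    try:
        return parts[1].decode()
    except UnicodeError:
        raise AuthFailed("Invalid token header. Token string should not "
                         "contain invalid characters.") from None


def classify(raw: bytes, keyword: str = "Bearer"):
    """Map a header to (outcome, detail) the way a view would respond."""
    try:
        token = parse_auth_header(raw, keyword)
    except AuthFailed as exc:
        # The 401 challenge must name the same scheme the parser accepts.
        return ("401 WWW-Authenticate: " + keyword, str(exc))
    return ("skip", None) if token is None else ("ok", token)


# Constructed sample headers; the token is the one quoted in the thread.
SAMPLES = [
    b"Bearer 956e252a-513c-48c5-92dd-bfddc364e812",
    b"bearer 956e252a-513c-48c5-92dd-bfddc364e812",  # lower-case scheme
    b"Token 956e252a-513c-48c5-92dd-bfddc364e812",   # other scheme: skipped
    b"Bearer",                                        # no credentials
    b"Bearer abc def",                                # space inside the token
    b"Bearer \xff\xfe",                               # not valid UTF-8
    b"",                                              # header absent
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, "->", classify(raw))
```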
