3

I am relatively new to REST Framework for Django. I was creating a simple app to log in the users and I tried using Token Authentication. My concern is that the tokens are created for each user and they are fixed (do not change with time), and basically 1 user has 1 token mapped to him/her.

In case of a database breach, or when the token is compromised, wouldn't it be very easy for the hacker to just log in by sending the authorization header?

I have some experience with Django's default session authentication, which seems much more secure compared to the token auth of REST Framework. REST Framework's implementation seems a little flawed, or am I missing something?

Which one should I use in a production application?

(Note: I am asking specifically about REST Framework's default implementation of token auth, not token authentication in general.)

Verain_the_great
  • `In case of a database breach` -- in this scenario, what authentication you have will not matter. – Brian Destura Jul 24 '21 at 13:35
  • 1
    `or when the token is compromised` -- when a token is compromised, it would be the same as the username and password being compromised right? Except tokens can expire, and can sometimes tell the app what permissions you get to use so its kinda more secure – Brian Destura Jul 24 '21 at 13:35
  • The passwords are not directly stored in the database, unlike the token. The passwords are hashed. And I'm asking particularly about REST Framework's default implementation of tokens, which I don't think expire – Verain_the_great Jul 24 '21 at 13:36
  • The tokens aren't either (and if it's being done, it shouldn't be) – Brian Destura Jul 24 '21 at 13:37
  • I think you misunderstood the question. I'm not talking about token authentication in general, I'm talking about REST Framework's default implementation of token auth. – Verain_the_great Jul 24 '21 at 13:38
  • I see. Yes, it does create a token that is mapped to a user, but has no way to expire. Will follow this question. Can you update the question to specifically mention DRF's own [TokenAuthentication](https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication)? – Brian Destura Jul 24 '21 at 14:07
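The two concerns raised above (the token sits in the database in a directly usable form, and it never expires) are both properties of the stored token row rather than of bearer tokens as a technique. The following is an added example, not code from the question or from Django REST Framework, showing the mitigation a practitioner would apply: the server hands out a random key once, keeps only a SHA-256 digest of it with an expiry time, and checks the `Authorization: Token <key>` header (DRF's header format) against that digest. It uses only the standard library and an in-memory dict as a stand-in for a database table; the class and function names (`HashedTokenStore`, `authenticate_header`) are hypothetical, and a real DRF deployment would implement the same logic in a custom `BaseAuthentication` subclass backed by a model.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class StoredToken:
    """One row of the hypothetical token table: no raw key is kept."""
    user_id: int
    key_hash: str          # hex SHA-256 of the key the client holds
    expires_at: datetime   # absolute expiry, so a leaked DB row goes stale


class HashedTokenStore:
    """In-memory stand-in for a database table of hashed, expiring tokens."""

    def __init__(self, lifetime: timedelta = timedelta(hours=12)) -> None:
        self.lifetime = lifetime
        self.rows: Dict[str, StoredToken] = {}   # keyed by key_hash

    @staticmethod
    def digest(raw_key: str) -> str:
        # Hashing with a fast digest is adequate here because the key is a
        # 256-bit random value, not a human-chosen password.
        return hashlib.sha256(raw_key.encode("ascii")).hexdigest()

    def issue(self, user_id: int, now: datetime) -> str:
        """Create a fresh token for user_id and return the raw key exactly once."""
        raw_key = secrets.token_hex(32)          # 64 hex chars, CSPRNG-backed
        key_hash = self.digest(raw_key)
        self.rows[key_hash] = StoredToken(user_id, key_hash, now + self.lifetime)
        return raw_key

    def authenticate(self, raw_key: str, now: datetime) -> Optional[int]:
        """Return the user_id for a valid, unexpired key, else None."""
        row = self.rows.get(self.digest(raw_key))
        if row is None:
            return None
        if now >= row.expires_at:
            # Expired rows are useless to a client and to an attacker; drop them.
            del self.rows[row.key_hash]
            return None
        return row.user_id

    def revoke(self, raw_key: str) -> bool:
        """Invalidate a key (e.g. on logout); True if a row was removed."""
        return self.rows.pop(self.digest(raw_key), None) is not None


def authenticate_header(header: str, store: HashedTokenStore, now: datetime) -> Optional[int]:
    """Parse DRF-style 'Token <key>' and authenticate it against the store."""
    parts = header.split()
    if len(parts) != 2 or parts[0].lower() != "token":
        return None
    return store.authenticate(parts[1], now)


if __name__ == "__main__":
    # Constructed demo run; the timestamps are arbitrary.
    store = HashedTokenStore(lifetime=timedelta(hours=1))
    t0 = datetime(2021, 7, 24, 13, 35, tzinfo=timezone.utc)
    key = store.issue(user_id=7, now=t0)
    print("valid now:", authenticate_header(f"Token {key}", store, t0))
    print("valid after 2h:", authenticate_header(f"Token {key}", store, t0 + timedelta(hours=2)))
    print("raw key present in store:", any(r.key_hash == key for r in store.rows.values()))
```

With this layout, a copy of the token table gives an attacker only digests that cannot be replayed as bearer keys, and any key that does leak from a client stops working at `expires_at` or on `revoke`. Whether this or Django's session authentication is the better fit for a production app still depends on the client: browser-based clients get CSRF protection and server-side revocation from sessions for free, while non-browser clients usually need a bearer token of some kind.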

0 Answers