
I want to use DRF's rest_framework.authentication.BasicAuthentication to develop my SPA with a dev server while consuming data from a locally running backend.

I included rest_framework.authentication.BasicAuthentication in settings.py. I have a view which requires a permission (guardian.mixins.PermissionRequiredMixin):

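```python
from guardian.mixins import PermissionRequiredMixin
from rest_framework.generics import RetrieveAPIView


class WidgetDetail(PermissionRequiredMixin, RetrieveAPIView):
    serializer_class = WidgetSerializer
    permission_required = "widget.view_widget"
    return_403 = True
```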

If I try to GET the widget using basic auth, the view returns an error 403. Using the debugger, I can see that when PermissionRequiredMixin.check_permissions() is run, request.user is AnonymousUser rather than the user provided by basic auth as DRF's documentation indicates.

Why is the user provided by basic auth not identified when permissions are checked?

nehalem
  • It means `BasicAuthentication` didn't find the user. Are you sending the correct credentials? – Brian Destura Aug 25 '21 at 01:17
  • Yes, I am certain about that. What puzzles me is that if I set a breakpoint [here](https://github.com/encode/django-rest-framework/blob/master/rest_framework/authentication.py#L64) I can see that the function is never called when requesting `WidgetDetail` view. I guess I get something fundamentally wrong about authentication, but I just don't know what. – nehalem Aug 25 '21 at 07:04
  • Hmm can you share your rest framework settings and a sample request with the basic auth header? – Brian Destura Aug 25 '21 at 07:22
  • Sure, although there isn't much to share. My rest framework settings are simply `REST_FRAMEWORK = {"DEFAULT_AUTHENTICATION_CLASSES": ("rest_framework.authentication.BasicAuthentication")}` and the sample request contains the `'Authorization': 'Basic ZmY6MTIz',` which corresponds to the user 'ff' with password '123'. – nehalem Aug 25 '21 at 14:22

0 Answers