
I am new to Django and I am trying to add permissions from DRF to my project. Ever since I set DEFAULT_AUTHENTICATION_CLASSES for REST_FRAMEWORK in Django's settings.py, all the requests are going to the authenticate method of my DEFAULT_AUTHENTICATION_CLASSES irrespective of what permission I set on my view. Only afterwards do they reach my view. So here are the settings I have added:

```python
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'authentication.customauth.CustomAuthBackend',
    ]
}
```

And here is my authentication.customauth.CustomAuthBackend:

```python
from rest_framework.authentication import BaseAuthentication
from rest_framework.exceptions import AuthenticationFailed

# User and AuthUtils are the project's own model and helper; their imports
# are not shown in the question.


class CustomAuthBackend(BaseAuthentication):
    def authenticate(self, request):
        user = AuthUtils.get_user_from_token(request)

        # Raising here rejects every request that carries no resolvable user,
        # which is the behaviour described in the question.
        if user is None:
            raise AuthenticationFailed('User not found')

        # DRF sets request.user from the returned (user, auth) tuple, so this
        # assignment is redundant but harmless.
        request.user = user
        return user, None

    @staticmethod
    def authenticate_with_password(request):
        email = request.data.get('email')
        role = "CONSUMER" if request.data.get('role') is None else request.data.get('role')
        password = request.data.get('password')

        user = User.objects.filter(email=email, role=role).first()

        if password is not None and user is not None and user.check_password(password):
            return user

        # No matching user or wrong password: no user is authenticated.
        return None
```

The views that should actually be callable without authentication have the @permission_classes([AllowAny]) permission. Take this login view:

```python
from rest_framework import status
from rest_framework.decorators import api_view, permission_classes
from rest_framework.permissions import AllowAny
from rest_framework.response import Response

# UserSerializer and AuthUtils are the project's own; their imports are not
# shown in the question.


@api_view(['POST'])
@permission_classes([AllowAny])
def login(request):
    # request.user is whatever the authentication class returned
    user = request.user

    if user and user.is_active:
        serializer = UserSerializer(user)
        tokens_map = AuthUtils.generate_token(request=request, user=user)
        return Response({'success': True, 'user': serializer.data, 'tokens': tokens_map})

    return Response(data={'success': False, 'message': 'User not found'}, status=status.HTTP_404_NOT_FOUND)
```

From my understanding, if the permission class is rest_framework.permissions.AllowAny, no authenticate method should be called before my view is called.

suvodipMondal
  • [Authentication](https://www.django-rest-framework.org/api-guide/authentication/#authentication) always runs at the very start of the view, before the permission and throttling checks occur, and before any other code is allowed to proceed. – Niko Jun 11 '23 at 14:41
  • I see. But what about AllowAny permission @Niko? Here I have set permission on my view but still authenticate method is being called. – suvodipMondal Jun 11 '23 at 14:45
  • [Authentication](https://www.django-rest-framework.org/api-guide/authentication/#authentication) and [Permissions](https://www.django-rest-framework.org/api-guide/permissions/#permissions) are two different things. As I quoted on my previous comment, `authentication` still runs, before `permissions` check. If you want to override it (your global setting) then I think you can use `@authentication_classes([])` decorator. – Niko Jun 11 '23 at 14:53
  • @Niko I tried with the `authentication_classes` decorator, but the flow still doesn't come to the view first. :( – suvodipMondal Jun 11 '23 at 15:11

0 Answers
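The ordering Niko describes in the comments is fixed in DRF: `APIView.initial()` calls `perform_authentication()` before `check_permissions()`, so an authentication class is consulted on every request regardless of the view's permission classes. What the permission class can control is whether an *unauthenticated* request is allowed through, and that only works if the authentication class returns `None` for a request without credentials instead of raising. The following is an added example, not the questioner's code and not DRF itself: it is a pure-Python model of that dispatch order with a constructed token table (`VALID_TOKENS`) standing in for `AuthUtils.get_user_from_token`, so it runs without Django installed. `RaisingTokenAuth` mirrors the `CustomAuthBackend` in the question; `OptionalTokenAuth` shows the conventional DRF pattern of returning `None` when no credentials are present and raising only when credentials are present but invalid.

```python
from typing import Callable


class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed (HTTP 401)."""
    status_code = 401


class AnonymousUser:
    is_authenticated = False
    is_active = False


class User:
    def __init__(self, email: str) -> None:
        self.email = email
        self.is_authenticated = True
        self.is_active = True


# Constructed token table; stands in for AuthUtils.get_user_from_token.
VALID_TOKENS = {"tok-alice": User("alice@example.com")}


class RaisingTokenAuth:
    """Mirrors the question's CustomAuthBackend: any request without a
    resolvable user is rejected, so no view (AllowAny or not) is reached."""

    def authenticate(self, request: dict):
        user = VALID_TOKENS.get(request.get("token"))
        if user is None:
            raise AuthenticationFailed("User not found")
        return user, None


class OptionalTokenAuth:
    """Return None when no credentials are supplied: the request stays anonymous
    and the permission classes decide whether the view runs. Raise only when
    credentials are present but invalid."""

    def authenticate(self, request: dict):
        token = request.get("token")
        if token is None:
            return None
        user = VALID_TOKENS.get(token)
        if user is None:
            raise AuthenticationFailed("Invalid token")
        return user, None


class AllowAny:
    def has_permission(self, request: dict) -> bool:
        return True


class IsAuthenticated:
    def has_permission(self, request: dict) -> bool:
        return request["user"].is_authenticated


def dispatch(view: Callable, request: dict, authentication_classes: list, permission_classes: list):
    """Simplified model of APIView.initial(): authentication runs first, then
    permission checks, and only then is the view handler called.
    Returns (status, body, trace); trace records each step that was taken."""
    trace = []
    request["user"] = AnonymousUser()
    try:
        # perform_authentication(): first authenticator to return a tuple wins.
        for authenticator in authentication_classes:
            trace.append(f"authenticate:{type(authenticator).__name__}")
            result = authenticator.authenticate(request)
            if result is not None:
                request["user"], _auth = result
                break
    except AuthenticationFailed as exc:
        # The exception short-circuits dispatch; the view is never reached.
        return exc.status_code, str(exc), trace
    # check_permissions(): every permission class must allow the request.
    for permission in permission_classes:
        trace.append(f"permission:{type(permission).__name__}")
        if not permission.has_permission(request):
            return 403, "permission denied", trace
    trace.append("view")
    status, body = view(request)
    return status, body, trace


def login(request: dict):
    """Model of the question's AllowAny login view."""
    user = request["user"]
    if user.is_active:
        return 200, user.email
    return 404, "User not found"


if __name__ == "__main__":
    # With the raising authenticator, an unauthenticated POST to the AllowAny
    # login view never reaches the view at all.
    print(dispatch(login, {}, [RaisingTokenAuth()], [AllowAny()]))
    # With the None-returning authenticator, the same request reaches the view.
    print(dispatch(login, {}, [OptionalTokenAuth()], [AllowAny()]))
```

Run the block and compare the two traces: with `RaisingTokenAuth` the trace stops at the authenticator and the status is 401, with `OptionalTokenAuth` the trace continues through `AllowAny` to the view. Passing an empty `authentication_classes` list (the effect of `@authentication_classes([])` in real DRF) skips the authentication step entirely, which is the other way to let a login view run without a token.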