I'm building a project with Python/Django 1.7.1 and the Django REST Framework.
I have two subdomains for the project:
- api.myproject.com
- www.myproject.com
The WWW-host contains the website on which users can log in. The REST backend is located on the API-host.
I configured Django REST Framework like this:
REST_FRAMEWORK = {
    'PAGINATE_BY': 10,
    'PAGINATE_BY_PARAM': None,
    'MAX_PAGINATE_BY': 10,
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.TokenAuthentication',
    ),
}
In essence: I'm using session-based authentication for AJAX on the WWW-host and token-based authentication for an Android application.
Now here is the problem. A user that's logged in on the WWW-host can use the REST API on the API-host, because the session authentication is enabled. On the WWW-host there is JavaScript running that's making API calls to the API-host. This works fine, but when a user is logged in to the WWW-host and then opens up a new tab and goes to the API-host, the user can just SEE the REST API, and that is not my intention.
Is there any way to not show the REST API on the API-host when a user is logged in on the WWW-host?
I configured the session cookie domain and CSRF cookie domain like this:
DOMAIN = 'myproject.com'
SESSION_COOKIE_DOMAIN = '.' + DOMAIN
CSRF_COOKIE_DOMAIN = SESSION_COOKIE_DOMAIN
I modified this to:
DOMAIN = 'myproject.com'
SESSION_COOKIE_DOMAIN = 'www.' + DOMAIN
CSRF_COOKIE_DOMAIN = SESSION_COOKIE_DOMAIN
But when trying this, the REST API is not available through session authentication when a user is logged in on the WWW-host, because the cookie is only set for the WWW-host...
Any tips for my problem? :-)
Thanks in advance!
Kind regards, K.
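The two cookie-domain settings in the question behave differently because of RFC 6265 domain matching, not because of anything in Django REST Framework. The following is an added example (not code from the question or from Django/DRF) that models a browser's cookie jar after a login on www.myproject.com under each `SESSION_COOKIE_DOMAIN` value and shows which cookies reach api.myproject.com; the `Cookie` class, `domain_matches`, `cookies_sent_to` and `django_cookie_jar` are names chosen for this illustration.

```python
"""Added example (not from the original question): a small RFC 6265-style
cookie-jar model showing why SESSION_COOKIE_DOMAIN = '.myproject.com'
lets a www.myproject.com session reach api.myproject.com, while
'www.myproject.com' confines the session cookie to the WWW host.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # value of the Set-Cookie Domain attribute (leading dot allowed)
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching.

    A request host matches a cookie domain when it is identical to it or
    ends with '.' + domain. A leading dot on the stored domain (Django's
    '.' + DOMAIN convention) is ignored, as browsers do.
    """
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookies_sent_to(jar: List[Cookie], request_host: str) -> List[str]:
    """Names of the cookies a browser would attach to a request for
    request_host (RFC 6265 section 5.4, domain rule only; Path, Secure and
    expiry are ignored in this model)."""
    sent = []
    for c in jar:
        if c.host_only:
            # Host-only cookies go back only to the exact host that set them.
            if request_host.lower() == c.domain.lower():
                sent.append(c.name)
        elif domain_matches(request_host, c.domain):
            sent.append(c.name)
    return sent


def django_cookie_jar(session_cookie_domain: Optional[str]) -> List[Cookie]:
    """Constructed jar after a login on www.myproject.com under a given
    SESSION_COOKIE_DOMAIN / CSRF_COOKIE_DOMAIN (the question sets both to
    the same value). None models Django's default of emitting no Domain
    attribute, so the browser stores the cookies as host-only."""
    if session_cookie_domain is None:
        return [Cookie("sessionid", "www.myproject.com", True),
                Cookie("csrftoken", "www.myproject.com", True)]
    return [Cookie("sessionid", session_cookie_domain, False),
            Cookie("csrftoken", session_cookie_domain, False)]


if __name__ == "__main__":
    for setting in [".myproject.com", "www.myproject.com", None]:
        jar = django_cookie_jar(setting)
        for host in ["www.myproject.com", "api.myproject.com"]:
            print(f"SESSION_COOKIE_DOMAIN={setting!r:22} host={host:20} "
                  f"cookies sent={cookies_sent_to(jar, host)}")
```

With `'.myproject.com'` both `sessionid` and `csrftoken` are attached to requests for api.myproject.com, which is exactly why `SessionAuthentication` accepts the logged-in user there; with `'www.myproject.com'` (or Django's default of no Domain attribute) nothing is sent to the API host, which matches the breakage described in the question. The HTML page seen when opening the API host in a new tab is DRF's browsable API (`BrowsableAPIRenderer`, enabled by default through `DEFAULT_RENDERER_CLASSES`); whether that renderer is enabled is a separate setting from the cookie scope modelled here.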