
I am using Django v1.8 and django-rest-framework v3.2.2. I have a site with a public-facing API, which is also consumed by my own site (on the same domain) as the Ajax back-end to a JavaScript application, using GET only.

I want public users of this API to be asked for a key parameter in the URL, which I will issue manually. But I also want my JavaScript application to be able to use the API, in a way that means that other users can't just steal the key and use it.

I have set up my custom key authentication as described here, and it's working well.

However, I'm unclear on how the JavaScript application should use the API. Obviously I could just pass a dedicated key parameter in the URL, but then won't other users trivially be able to spot the key and use it?

I think I need SessionAuthentication, but how do I even start to make this work? I can't see any instructions in the DRF documentation about how I need to change my JavaScript calls to use it.

Also I don't understand how SessionAuthentication allows the Ajax app to authenticate without other users being able to see and copy the authentication.

Very grateful for any advice.

  • Normally you pass the key/auth token in the Authorization header, not in the URL. Session authentication is used when you use the default Django login; you will then also be authenticated to access the API. You would need to add session authentication to the REST framework settings. Commented Nov 11, 2015 at 5:47
  • You can use either session authentication, or token authentication, or both. However, as @PieterHamman mentioned, a user needs to authenticate in order to be able to use the API. After authentication, a user needs to pass the session_id/token in each request header. For a comparison between session vs token auth see: security.stackexchange.com/questions/81756/… You can also check out django-rest-framework-jwt, which is a package for DRF that implements JWT and has built-in authentication. Commented Nov 11, 2015 at 6:31

1 Answer

I think I need SessionAuthentication, but how do I even start to make this work? I can't see any instructions in the DRF documentation about how I need to change my JavaScript calls to use it.

SessionAuthentication is Django's own. It uses the session to authenticate a user. It's mostly transparent for Ajax requests, as the browser will send the cookie automatically. However, if you're posting data, you need to make sure you send the CSRF token in both the headers and the post body.

Also I don't understand how SessionAuthentication allows the Ajax app to authenticate without other users being able to see and copy the authentication.

As said above, it uses cookies for that. They are part of the headers and thus usually not seen in the URLs. To make sure no one else can steal a user's session you need to run the site over HTTPS. This isn't much different from regular websites.
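As an added example (not code from the original answer), here is how a same-origin browser client would call a DRF view protected by SessionAuthentication: the session cookie travels automatically when `credentials` is set to `"same-origin"`, and Django's CSRF token (cookie `csrftoken`, header `X-CSRFToken` by default) is attached only for unsafe methods such as POST. The `/api/items/` path in the usage comment is a hypothetical endpoint.

```javascript
// Added example: fetch() helper for a same-origin DRF API using SessionAuthentication.
// The cookie string is passed in explicitly (normally `document.cookie`) so the
// builder can be exercised outside a browser.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Read one cookie value out of a document.cookie-style string; null if absent.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) {
      return decodeURIComponent(rest.join("="));
    }
  }
  return null;
}

// Build the init object for fetch(). GET needs nothing beyond the session cookie;
// unsafe methods must carry the CSRF token or DRF's SessionAuthentication rejects them.
function buildRequestInit(method, cookieString, body) {
  const headers = { Accept: "application/json" };
  const init = { method, credentials: "same-origin", headers };
  if (!SAFE_METHODS.has(method.toUpperCase())) {
    const token = getCookie(cookieString, "csrftoken");
    if (token === null) {
      // Fail loudly in the client rather than sending a request that will get a 403.
      throw new Error("csrftoken cookie missing; CSRF check would fail");
    }
    headers["X-CSRFToken"] = token;
    headers["Content-Type"] = "application/json";
    init.body = JSON.stringify(body === undefined ? {} : body);
  }
  return init;
}

// Usage in the browser (hypothetical endpoint, not executed here):
// fetch("/api/items/", buildRequestInit("GET", document.cookie)).then((r) => r.json());
// fetch("/api/items/", buildRequestInit("POST", document.cookie, { name: "x" }));
```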


3 Comments

Thanks. But how do I make sure only my application is allowed to use SessionAuthentication, and no-one else's? Does it just work automatically if they're on the same domain? (I'm only using GET requests.)
It's not really clear what you're trying to do with your authentication, in particular why they would need that key parameter. As for your site, why don't you set up a special token authentication for your site only?
Thanks @Linovia. Re authentication - I want users to have to request a key before they can use the API, so that I know who they are, and can control access if they start hammering the API. Re my site - so I'd create a token just for my site, and include it in the JS header used by the Ajax API? Won't the token then be visible in the source JS?
