I am using Django token-based authentication. (The JWT is generated by a third-party service like AWS Cognito; we will just verify the signature and expiry time.)
This REST application will not have any user models; whoever consumes the API needs to be authenticated by JWT token only.
    import jwt
    from django.contrib.auth.models import AnonymousUser, User
    from rest_framework import exceptions
    from rest_framework.authentication import TokenAuthentication

    # secret_key: the issuer's shared HMAC secret, loaded elsewhere (e.g. from settings)

    class JSONWebTokenAuthentication(TokenAuthentication):
        def authenticate_credentials(self, jwtToken):
            try:
                # PyJWT 2.x dropped verify=True; pin the algorithm instead so the
                # token's own "alg" header is never trusted (must match the issuer)
                payload = jwt.decode(jwtToken, secret_key, algorithms=["HS256"])
                # user = User.objects.get(username='root')
                user = AnonymousUser()
            except jwt.ExpiredSignatureError:
                # checked first: it is a subclass of InvalidTokenError
                raise exceptions.AuthenticationFailed('Token has expired')
            except (jwt.InvalidTokenError, User.DoesNotExist):
                raise exceptions.AuthenticationFailed('Invalid token')
            return (user, payload)
In Views:
    @api_view(["POST"])
    @authentication_classes((JSONWebTokenAuthentication,))
    @permission_classes((AllowAny,))
    def example_view(request):  # body not shown in the question; the name is a placeholder
        ...
The above process doesn't keep track of the token at all. With or without a token, API calls are working. If I make the two changes below, it works.
    # in authenticate_credentials
    user = User.objects.get(username='root')
    #user = AnonymousUser()

    # on the view
    @permission_classes((IsAuthenticated,))
One way to do it is to have at least one user in my app and reference that user. (This web app might scale to any number of instances when needed, so inserting the same user with the same "username" has to be automated.) But instead, can I eliminate the "User" concept in authentication?
Django REST framework largely assumes that requests are authenticated based on a user, but it does provide support for authenticating anonymous requests. That departs from the standard assumption of "verifying the (Django) user is genuine" by giving the anonymous user certain permissions. The problem with your first case is the permission decorator with "AllowAny".
I suggest having a dummy Django user. (It doesn't stop you from scaling to any number of instances either.)
Use

    user = User.objects.get_or_create(username='whatever')[0]

instead of

    user = AnonymousUser()

Now change the permission decorator to

    @permission_classes((IsAuthenticated,))
This user cannot be logged in as by anyone unless you set a password; moreover, logging in as this user will not give access to your API call. The only way to access your API is by sending a valid token.
Hope this helps.
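Added example (not code from the question, the answer, or Django REST framework itself): a stdlib-only Python model of the flow both posts discuss, with the DRF pieces each function stands in for named in its docstring. It reproduces what the question observed (AnonymousUser plus AllowAny lets every call through, AnonymousUser plus IsAuthenticated rejects even a valid token) and generalizes the answer: IsAuthenticated only reads request.user.is_authenticated, so the dummy Django user works, and so would any object with that attribute set to True, such as the JwtPrincipal class here. The secret, the claims and the make_token, verify_token and handle_request helpers are all constructed for this example; HS256 is used because the question verifies with a shared secret_key, whereas an issuer that signs with RS256 needs public-key verification instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for the example; in production this is the token issuer's key.
SECRET_KEY = b"constructed-example-secret"


class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, secret, alg="HS256"):
    """Mint a token as the third-party issuer would (test helper only).
    `alg` is written verbatim so a forged 'alg: none' token can be built."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = b""
    if alg == "HS256":
        sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token, secret, now=None):
    """Check the HS256 signature and `exp`, raising the same two messages the
    question's authenticate_credentials uses."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        raise AuthenticationFailed("Invalid token")
    # Pin the algorithm server-side; never trust the token's own `alg`
    # (blocks alg=none and HS256/RS256 confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthenticationFailed("Invalid token")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise AuthenticationFailed("Invalid token")
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        raise AuthenticationFailed("Invalid token")  # an exp claim is required
    if exp <= (now if now is not None else time.time()):
        raise AuthenticationFailed("Token has expired")
    return claims


class AnonymousUser:
    """Mirrors django.contrib.auth.models.AnonymousUser: never authenticated."""
    is_authenticated = False


class JwtPrincipal:
    """request.user with no user table behind it. IsAuthenticated only reads
    request.user.is_authenticated, so this passes just as the answer's dummy
    Django user does."""
    is_authenticated = True

    def __init__(self, claims):
        self.claims = claims


def authenticate(authorization, user_factory=JwtPrincipal):
    """Simplified TokenAuthentication.authenticate(): None when no
    'Token <jwt>' header is present (DRF then assigns AnonymousUser),
    raises on a bad token, returns (user, auth) on success."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme != "Token" or not token:
        return None
    claims = verify_token(token, SECRET_KEY)
    return user_factory(claims), claims


def is_authenticated_permission(user):
    """Models rest_framework.permissions.IsAuthenticated."""
    return bool(user and user.is_authenticated)


def allow_any_permission(user):
    """Models rest_framework.permissions.AllowAny."""
    return True


def handle_request(authorization, permission=is_authenticated_permission,
                   user_factory=JwtPrincipal):
    """Authenticate, then run the permission check; return the status a DRF
    view sends: 401 (NotAuthenticated) when no authenticator succeeded,
    403 (PermissionDenied) when one did but the permission still fails."""
    try:
        result = authenticate(authorization, user_factory)
    except AuthenticationFailed:
        return 401
    user = result[0] if result else AnonymousUser()
    if permission(user):
        return 200
    return 403 if result else 401
```

Mint a token with make_token and pass `Token <jwt>` to handle_request to walk a request through authentication and the permission check; the 403 for a valid token paired with AnonymousUser is DRF's permission_denied behaviour when an authenticator succeeded but IsAuthenticated still fails.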