Reputation: 186
Update: Removed the set_header Token from the Nginx config. Realised this wasn't helping the problem. I feel like the problem is that Django isn't getting the correct headers and they're getting "lost" somewhere.
I'm trying to create a REST api for a secret santa project. I have it set so that a user has to be authenticated before they can make certain calls. This works fine on my local machine, but doesn't seem to work when it's hosted anywhere.
I have tried it on Heroku and on an Ubuntu server. However, I'd prefer to get it working on the Ubuntu server. I'm using gunicorn and nginx to serve the app but I'm getting "Authentication credentials were not provided" on all calls that require authentication. I'm using TokenAuthentication and passing my token in the Authorization header with the prefix Token.
Any help is greatly appreciated.
settings.py
REST_FRAMEWORK = {
    'PAGINATE_BY': 30,
    'PAGINATE_BY_PARAM': 'per_page',
    'MAX_PAGINATE_BY': 1000,
    "DATETIME_FORMAT": "%Y-%m-%dT%H:%M:%S%z",
    'DEFAULT_RENDERER_CLASSES': (
        'rest_framework.renderers.JSONRenderer',
        'rest_framework.renderers.BrowsableAPIRenderer',
    ),
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
    ],
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
    ),
}
views.py
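from rest_framework import mixins, viewsets
from rest_framework.permissions import IsAuthenticated

# Room and RoomSerializer come from the project's own modules (not shown).


class RoomViewSet(mixins.RetrieveModelMixin,
                  viewsets.GenericViewSet):
    """
    Creates, Updates, and retrieves Rooms
    """
    queryset = Room.objects.all()
    serializer_class = RoomSerializer
    permission_classes = (IsAuthenticated, )
    lookup_field = 'slug'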
gunicorn.conf
description "Gunicorn application server handling myproject"
start on runlevel [2345]
stop on runlevel [!2345]
respawn
setuid dannywilson
setgid www-data
chdir /storage/sites/secret_santa/
exec santa/bin/gunicorn --pythonpath="$PWD/secret_santa" --bind=unix:"$PWD/secret_santa/gunicorn.sock" wsgi:application
nginx config
upstream test_server {
    server unix:/storage/sites/secret_santa/secret_santa/gunicorn.sock;
}
server {
    listen 80;
    server_name webaddress;
    access_log /storage/sites/_logs/secret_santa_api/nginx-access.log;
    error_log /storage/sites/_logs/secret_santa_api/nginx-error.log;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_ignore_headers Cache-Control Expires Pragma;
        if (!-f $request_filename) {
            proxy_pass http://test_server;
            break;
        }
    }
}
Upvotes: 2
Views: 3072
Reputation: 283
This may help you (from django rest framework documentation):
Note that if deploying to Apache using mod_wsgi, the authorization header is not passed through to a WSGI application by default, as it is assumed that authentication will be handled by Apache, rather than at an application level.
If you are deploying to Apache, and using any non-session based authentication, you will need to explicitly configure mod_wsgi to pass the required headers through to the application. This can be done by specifying the WSGIPassAuthorization directive in the appropriate context and setting it to 'On'.
# this can go in either server config, virtual host, directory or .htaccess
WSGIPassAuthorization On
Upvotes: 1
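An added example, not part of the original thread or any poster's code: a small WSGI probe that reports whether the Authorization header actually reached the application layer, without echoing the credential. The names describe_authorization and probe and the sample token are constructed for illustration.

```python
import json
from wsgiref.util import setup_testing_defaults


def describe_authorization(environ):
    """Summarise the Authorization header as the WSGI app received it.

    WSGI exposes the header as HTTP_AUTHORIZATION; if a layer in front of
    the app drops it, the key is absent. The credential is never echoed,
    only its scheme and length.
    """
    raw = environ.get("HTTP_AUTHORIZATION")
    if raw is None:
        return {"present": False, "scheme": None,
                "credential_length": 0, "well_formed": False}
    parts = raw.split()
    # Token auth expects exactly two parts: "<keyword> <key>".
    return {"present": True,
            "scheme": parts[0] if parts else None,
            "credential_length": len(parts[1]) if len(parts) > 1 else 0,
            "well_formed": len(parts) == 2}


def application(environ, start_response):
    """Minimal WSGI app to serve behind the same proxy chain as the API."""
    body = json.dumps(describe_authorization(environ)).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def probe(headers):
    """Call the app in-process with constructed headers (no network)."""
    environ = {}
    setup_testing_defaults(environ)
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    chunks = application(environ, lambda status, response_headers: None)
    return json.loads(b"".join(chunks))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(probe({"Authorization": "Token 0123456789abcdef"}))
    print(probe({"Host": "example.test"}))
```

Served by gunicorn in place of wsgi:application, a response with "present": false for a request that carried the header means it was dropped before reaching the WSGI layer.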
Reputation: 10619
It's because of the following config:
REST_FRAMEWORK = {
    ........
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
    ],
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
    ),
}
If you do not need authentication, remove these two configs; otherwise, if you want to use TokenAuthentication, you need to add rest_framework.authtoken to installed apps:
INSTALLED_APPS = (
    ...
    'rest_framework.authtoken',
)
Then follow the instructions in TokenAuthentication.
Upvotes: 0
Reputation: 20976
Two things strike me here:
Upvotes: 1