touch my body

Reputation: 1723

Django: Authorization using query parameters

I'm writing a chat app where registered users can send messages to each other.

One of the components of this is a Django-based Messaging microservice, which has an API for sending and receiving messages. For simplicity, there are only two URLs:

# List all messages in Thread "thread_id"
GET /threads/<int:thread_id>/messages/?user_id=123

# Send a message as user "user_id" to Thread "thread_id"
POST /threads/<int:thread_id>/messages/?user_id=123

This service is only visible internally, so there's no potential for spoofing user_ids.

Authorization is based on user_id, which is passed to the service as a query param and processed like so:

views.py:

from django.core.exceptions import PermissionDenied
from django.views import View

class MessagesViewClass(View):

    def get(self, request, thread_id):

        # Identity comes from the query string (service is internal-only)
        user_id = request.GET.get('user_id')

        # If this user is not part of this thread
        # (this_user_not_part_of_this_thread and process_response_normally
        # are placeholders for the real membership check and response code)
        if this_user_not_part_of_this_thread(user_id, thread_id):
            raise PermissionDenied()  # Django renders this as a 403

        else:
            return process_response_normally()

Right now, I'm validating via a query parameter. Is there a more conventional or canonical way of handling authorization of this type?

Upvotes: 0

Views: 92

Answers (1)

Atul Mishra

Reputation: 2018

Since only a logged-in user is allowed to view and receive messages, there is no need to send the user_id in the query parameters. You can use request.user.id to get the user id of the logged-in user.

Upvotes: 4
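The difference between the two approaches, as an added example that is not part of the question or the answer: the same thread-membership check is written once taking the principal from the `user_id` query parameter (as in the question) and once taking it from `request.user` (as in the answer), then both are run on the same request. The example is framework-free so it runs without Django installed; `FakeRequest`, `FakeUser`, `Forbidden` and the `THREAD_MEMBERS` table are constructed stand-ins for `HttpRequest`, the authenticated user object, `PermissionDenied` and the Thread model. It assumes that `request.user` has been populated by authentication middleware (or by a gateway that forwards a verified identity), which is the property that makes the answer's version safe and that a bare query parameter cannot provide, even on an internal network.

```python
# Added example (not from the question or answer): thread-membership
# authorization driven by a caller-supplied user_id versus by the
# authenticated principal on the request.
from dataclasses import dataclass

# Constructed in-memory membership table standing in for the Thread model.
THREAD_MEMBERS = {
    1: {123, 456},
    2: {789},
}


@dataclass
class FakeUser:
    """Stand-in for the user object auth middleware attaches to request.user."""
    id: int
    is_authenticated: bool = True


@dataclass
class FakeRequest:
    """Minimal stand-in for django.http.HttpRequest (only what is used here)."""
    GET: dict
    user: FakeUser


class Forbidden(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (HTTP 403)."""


def is_member(user_id, thread_id):
    """True if user_id belongs to thread_id; unknown threads have no members."""
    return user_id in THREAD_MEMBERS.get(thread_id, set())


def get_messages_query_param(request, thread_id):
    """Authorization as in the question: the principal is whatever ?user_id= says."""
    user_id = int(request.GET.get("user_id"))
    if not is_member(user_id, thread_id):
        raise Forbidden()
    return {"thread": thread_id, "acting_user": user_id}


def get_messages_session(request, thread_id):
    """Authorization as in the answer: the principal is the authenticated request.user."""
    if not request.user.is_authenticated:
        raise Forbidden()
    user_id = request.user.id
    if not is_member(user_id, thread_id):
        raise Forbidden()
    return {"thread": thread_id, "acting_user": user_id}


def compare(authenticated_id, claimed_id, thread_id):
    """Run both views on one request; report whom each acted as, or 'denied' on 403."""
    req = FakeRequest(GET={"user_id": str(claimed_id)}, user=FakeUser(authenticated_id))
    results = {}
    for name, view in (("query_param", get_messages_query_param),
                       ("session", get_messages_session)):
        try:
            results[name] = view(req, thread_id)["acting_user"]
        except Forbidden:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    # The authenticated user 789 is not in thread 1, but the query string
    # claims to be user 123, who is. Only the session-based view notices.
    print(compare(authenticated_id=789, claimed_id=123, thread_id=1))
    # {'query_param': 123, 'session': 'denied'}
```

The membership check itself is identical in both views; what changes is which field names the principal. With `request.user` the caller can only ever act as the identity the authentication layer established, so the view no longer has to trust anything the client put in the URL.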
