Noa

Reputation: 1216

Django-rest-framework api permission AllowAny authentication failed

I have some views like below:

from rest_framework import generics
from rest_framework.permissions import AllowAny

class SomeView(generics.ListAPIView):
    serializer_class = SomeSerializer  # SomeSerializer is defined elsewhere in the project
    permission_classes = [AllowAny]

settings.py:

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.AllowAny',
    ),
    ...
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    ),
    ...
}

And when I request without any Authorization header it works fine. But when I add a Bearer Authorization header it responds with

"detail": "Given token not valid for any token type",
"code": "token_not_valid",

I gave permission_classes=[AllowAny]. Why? I thought there was no difference between sending or not sending tokens, because I set permission_classes=[AllowAny].

In ASP.NET there are no problems like this. In ASP.NET, if I set the AllowAny permission, the endpoint is open for everyone regardless of whether you send a token or not.

EDIT: And when I request without or with an Authorization header it works fine. But when I add a wrong Authorization header it gives an authorization error.

Upvotes: 2

Views: 2885

Answers (3)

Duy Tran

Reputation: 53

AllowAny verifies the token if it is sent and passes if there is none. So, if you don't need to authenticate, clear permission_classes:

permission_classes = []

Upvotes: 3

Abel Ashine

Reputation: 11

In my case, I inserted the refresh token rather than the access token. Before you do anything else, make sure you pass in the correct token.

Upvotes: 1

Oguz Vuruskaner

Reputation: 181

I've been confronted with a similar issue. In one project, we have set the default permission classes to IsAuthenticated.

'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAuthenticated',),

In that scenario, when an Authorization header is given, the customer login view responds with 401. The login view should have been able to disregard the Authorization header. How we solved the problem is as follows:

from rest_framework.generics import GenericAPIView
from rest_framework.permissions import AllowAny

class CustomerLoginAPIView(GenericAPIView):
    serializer_class = LoginCustomerRequestSerializer  # defined elsewhere in the project
    authentication_classes = []  # no authenticator runs, so the Authorization header is never inspected
    permission_classes = [AllowAny]

You can also test it with the given test case. 🙃

from django.contrib.auth.models import User
from django.urls import reverse
from rest_framework.test import APITestCase

from customers.models import Customer  # module path assumed; adjust to the project


class TestCustomerLogin(APITestCase):  # APITestCase so self.client.post accepts format="json"
    email = "[email protected]"
    password = "123456"
    url = reverse("authorization/customer-login")

    def setUp(self) -> None:
        # Create a user and the customer profile the login view looks up
        self.user = User.objects.create_user(username=self.email, password=self.password)
        self.customer = Customer.objects.create(user=self.user, name="Test Customer")

    def tearDown(self) -> None:
        self.customer.delete()
        self.user.delete()

    def test_correct_account_with_token(self):
        # A bogus token must be ignored by the login view (authentication_classes = [])
        token = "2c0d19194c042d7fe976fb9240915007a402b3d8228a1958b59b54daf816fb84"
        headers = {"HTTP_AUTHORIZATION": f"Token {token}"}
        body = {"email": self.email, "password": self.password}
        response = self.client.post(self.url, body, format="json", **headers)
        self.assertEqual(response.status_code, 200)

Hope it also works well in your case.

Upvotes: 3
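The mechanism behind the question and this answer, as an added, simplified Python model that is not DRF's own code (the names JWTLikeAuth, dispatch and the token table are constructed): authentication runs before permission checks, so an invalid Bearer token is rejected even under AllowAny, while a view with authentication_classes = [] never inspects the header at all.

```python
# Constructed model of DRF's APIView.initial(): authenticate first, then check
# permissions. Not DRF's code; status mapping is simplified.

class AuthenticationFailed(Exception):
    """Stands in for rest_framework.exceptions.AuthenticationFailed (HTTP 401)."""

VALID_TOKENS = {"access-abc123": "alice"}  # constructed table: token -> username

class JWTLikeAuth:
    """Mimics JWTAuthentication: no Bearer header -> None (anonymous),
    a Bearer header that fails verification -> AuthenticationFailed."""
    def authenticate(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None  # header absent or another scheme: stay anonymous
        token = auth[len("Bearer "):]
        if token not in VALID_TOKENS:
            raise AuthenticationFailed("Given token not valid for any token type")
        return VALID_TOKENS[token]

class AllowAny:
    def has_permission(self, user):
        return True

class IsAuthenticated:
    def has_permission(self, user):
        return user is not None

def dispatch(view, headers):
    """Return (status, user) the way initial() would resolve the request."""
    user = None
    try:
        for authenticator in view["authentication_classes"]:
            user = authenticator.authenticate(headers)
            if user is not None:
                break  # first authenticator that identifies the caller wins
    except AuthenticationFailed:
        return 401, None  # permission classes never run
    for perm in view["permission_classes"]:
        if not perm.has_permission(user):
            return (403 if user is not None else 401), user
    return 200, user

# The asker's view: AllowAny, but JWT authentication still active.
ASKER_VIEW = {"authentication_classes": [JWTLikeAuth()], "permission_classes": [AllowAny()]}
# This answer's workaround: no authenticators, so the header is never inspected.
LOGIN_VIEW = {"authentication_classes": [], "permission_classes": [AllowAny()]}
# A view under this answer's project default of IsAuthenticated.
PROTECTED_VIEW = {"authentication_classes": [JWTLikeAuth()], "permission_classes": [IsAuthenticated()]}
```

The cost of authentication_classes = [] is that request.user is always anonymous on that view, so it suits a login endpoint but not any view that needs to know who is calling.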
