Django Authentication with Djoser.
Introduction
An API(Application Programming Interface) is an interface that allows two applications to communicate. REST API is an API that conforms to the constraints of REST architectural style and allows for interaction with RESTful web services.
No organization or individual would want their data leaked. Securing APIs ensures that the data that is being transferred between the different applications are well protected and “falls in the hand” of the intended individuals.
There are different ways to secure APIs. We will cover securing APIs using Djoser which is a token-based authentication method.
Token based authentication
A token is a secret phrase used to verify identities. When a user sends a request to an authentication service, the authentication service confirms the users’ identity and checks the permissions of the user. It then issues a token that enables the user to access the application.
Steps involved in token based authentication
- Initial request — the user request which provides a form of identification. It does not require a token.
- Verification — the service checks the credentials given by the user and checks for permissions.
- Token generation — using the credentials and permission of the user a token is generated that enables a user to access the application.
- Persistency — the token is preserved to ensure that the user does not need to provide credentials over and over again.
Securing Django API’s with Djoser
Djoser is a token-based authentication library for Django. It is used to generate tokens during authentication. It provides basic views for different functionalities.
We will cover the various steps involved in successfully securing your APIs. We will create a Django project and secure its APIs with Djoser. This article assumes you have python installed on your machine. If not please ensure you have.
Creating a virtual environment
Make a project folder in a directory of your choice. Navigate to that folder and create the environment using the first command given below and activate the environment using the second command:
cmd1: python -m venv django-djoser
cmd2: django-djoser\Scripts\activate
django-djoser is the name of the virtual environment to be used.
Creating a django project
cmd1: Installing Django,
cmd2: Creating a django project. django_djoser is the name of our project. You can give it a name of your choice.
cmd3: Creating a django app.
cmd1: pip install Django
cmd2: django-admin startproject django_djoser
cmd3: python manage.py startapp account
Once you have created the Django app you need to add the app in the INSTALLED_APPS on your settings.py file. The settings files are found in your main projects folder.
To run our django project we use : python manage.py runserver
To make migrations: python manage.py makemigrations
To migrate: python manage.py migrate
To create a superuser(admin): python manage.py createsuperuser
Installing djoser
pip install djoser
pip install djangorestframework
Configuring djoser
First step is adding djoser and rest framework to the INSTALLED_APPS as third party apps.
Next step is to add urls to our projects. This is done in the urls.py file of our main projects folder.
We will use JSON Web Token authentication for backend authentication. With this we will need to configure some setting and install other dependencies. We will first install the jwt dependency, then configure REST_FRAMEWORK settings to use jwt as the default authentication class, then configure the JWT settings to use JWT as the authorization header.
pip install djangorestframework_simplejwt
With the configurations we can now run our project. Make sure to migrate.
Djoser Endpoints
Djoser offers a variety of endpoints as listed below. Make sure to include the auth path before hitting the endpoints e.g. http://127.0.0.1:8000/auth/users/:
/users/
/users/me/
/users/confirm/
/users/resend_activation/
/users/set_password/
/users/reset_password/
/users/reset_password_confirm/
/users/set_username/
/users/reset_username/
/users/reset_username_confirm/
/jwt/create/
/jwt/refresh/
/jwt/verify/
We will cover a few of them. We will create a superuser to use for testing our endpoints.
- /users/- this endpoint shows all the available users. When you run the project and hit the endpoint you will get a 401(Unauthorized) error. For you to be authorized you will need a token which can be generated using the /jwt/create/ endpoint. /jwt/refresh/ refreshes the tokens. Supply a username and password so as to generate the token. Copy the access token.
To use the access token and get authorized we will have to add it as a request header. We will use Modheader
Once the token is generated and added to the request headers the admin is able to view users.
We can also customize the djoser serializers. Djoser has several built in serializers. You can check them out in the documentation. We will use the example of the creating user serializer to customize the serializer using the following steps.
Step 1: In our projects app(account) create a serializers.py file and add the following code which will add additional fields when creating a user:
Step 2: Configure Djoser setting in the settings.py file of our main project so as to override Djoser's built in serializer
2. /users/me/ — this returns the currently logged in user
We can also customize the User List to display the fields of our choice in the same way we customized the create user. The djoser serializer we will use in this case is the UserSerializer
Conclusion
Securing API’s is one of the most important practices when building the REST API’s
Make sure to remove the token in request headers used for testing so as not to mess authorization in other applications.
Resources
You can get the project in this GitHub repository. Connect with me on LinkedIn and follow me on Twitter. Happy coding.