DRF Viewset authentication class is not working properly #8378

JaisPiyush · 2022-02-23T13:07:06Z

JaisPiyush
Feb 23, 2022

Problem

DRF ModelViewSet is not authenticating a request through all classes, instead it directly calls view after first authentication class.

Steps to Reproduce

Code not be considered exact, it's abstract form of my working code

UserAuthentication

class UserAuthentication(authentications.BaseAuthentication):
    def authenticate(self, request):
          print("Doing user auth")
          if not "X_TOKEN" in request.META:
              return None
          try:
              user = User.objects.get(token=request.META.get("X_TOKEN")
          except User.DoesNotExists:
              raise expectipons.AuthenticationFailed(detail="No user found")
          setattr(request, "user", user)
           return (user, None)

ProjectAuthentication

class ProjectAuthentication(authentications.BaseAuthentication):
    def authenticate(self, request):
         print("Doing project auth")
          if  not hasattr(request, "user"):
              return None
          try:
              project = Project.objects.get(user=request.user)
          except Project.DoesNotExists:
              raise expectipons.AuthenticationFailed(detail="No project found")
          setattr(request, "project", project)
           return (project, None)

The viewsets

class ProjectViewset(ModelViewSet):
       authentication_classes = [UserAuthentication, ProjectAuthenticaion]
       .....

class ProjectViewsetRever(ModelViewSet):
      authentication_classes = [ProjectAuthentication, UserAuthentication]
      ....

Test stdout

[ProjectViewset]
Doing user auth

[ProjectViewsetRever]
Doing project auth

Answered by JaisPiyush

Feb 24, 2022

After going through documentation and source code of DRF, I understood it's an architecture decision. Authentication class will traverse through the authentication_classes list until it receive expected (user, auth) tuple, and will stop traversal immediately after the first auth class providing such values.

Instead like permission_classes which works like perm_class_A && perm_class_B && perm_class_C. Auth classes works like
auth_class_A || auth_class_B || auth_class_C

View full answer

JaisPiyush · 2022-02-24T03:48:42Z

JaisPiyush
Feb 24, 2022
Author

After going through documentation and source code of DRF, I understood it's an architecture decision. Authentication class will traverse through the authentication_classes list until it receive expected (user, auth) tuple, and will stop traversal immediately after the first auth class providing such values.

Instead like permission_classes which works like perm_class_A && perm_class_B && perm_class_C. Auth classes works like
auth_class_A || auth_class_B || auth_class_C

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

DRF Viewset authentication class is not working properly #8378

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

DRF Viewset authentication class is not working properly #8378

Uh oh!

JaisPiyush Feb 23, 2022

Problem

Steps to Reproduce

UserAuthentication

ProjectAuthentication

The viewsets

Test stdout

Replies: 1 comment

Uh oh!

JaisPiyush Feb 24, 2022 Author

JaisPiyush
Feb 23, 2022

JaisPiyush
Feb 24, 2022
Author