djcrud_api

Optional Bearer token authentication for API clients. This package does not provide CRUD JSON endpoints — use djcrud_drf for REST APIs.

Features

  • Bearer token authentication (no session cookie, no CSRF on token requests)

  • Login endpoint to exchange username/password for a short-lived token

  • Token management HTML UI at /api/token/

Routes

djcrud_api registers login and token routes on djcrud_drf.router when djcrud_drf is installed (see DRF API):

URL            View
/api/login/    ApiLoginView — username/password → 1-hour token
/api/token/    TokenRouter — manage API tokens (HTML)

Enable the package

Add djcrud_api to INSTALLED_APPS and register the Bearer middleware (required for token auth and CSRF exemption). Full steps are in DRF API:

MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "djcrud_api.middleware.BearerCsrfMiddleware",   # before CSRF
    "django.middleware.locale.LocaleMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "djcrud_api.middleware.BearerUserMiddleware",     # after session auth
    "django.middleware.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
]
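The two ordering constraints in the list above (BearerCsrfMiddleware before CsrfViewMiddleware, BearerUserMiddleware after AuthenticationMiddleware) can be verified mechanically. The following is an added example, not code from djcrud_api; the names check_bearer_middleware_order, REQUIRED_ORDER and PAGE_ORDER are assumptions made for illustration.

```python
# Added example: helper names are illustrative, not part of djcrud_api.
BEARER_CSRF = "djcrud_api.middleware.BearerCsrfMiddleware"
BEARER_USER = "djcrud_api.middleware.BearerUserMiddleware"
DJANGO_CSRF = "django.middleware.csrf.CsrfViewMiddleware"
DJANGO_AUTH = "django.contrib.auth.middleware.AuthenticationMiddleware"

# (earlier, later) pairs required by the documentation above.
REQUIRED_ORDER = [(BEARER_CSRF, DJANGO_CSRF), (DJANGO_AUTH, BEARER_USER)]

# The MIDDLEWARE list exactly as given on this page.
PAGE_ORDER = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    BEARER_CSRF,
    "django.middleware.locale.LocaleMiddleware",
    "django.middleware.common.CommonMiddleware",
    DJANGO_CSRF,
    DJANGO_AUTH,
    BEARER_USER,
    "django.middleware.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
]


def check_bearer_middleware_order(middleware):
    """Return a list of problem strings; an empty list means the order is valid."""
    entries = list(middleware)
    problems = []
    # Both Bearer middlewares must be present exactly once.
    for name in (BEARER_CSRF, BEARER_USER):
        count = entries.count(name)
        if count == 0:
            problems.append(f"missing: {name}")
        elif count > 1:
            problems.append(f"listed {count} times: {name}")
    # Relative order is only checked when both members of a pair are present.
    for earlier, later in REQUIRED_ORDER:
        if earlier in entries and later in entries:
            if entries.index(earlier) > entries.index(later):
                problems.append(f"{earlier} must come before {later}")
    return problems


if __name__ == "__main__":
    for problem in check_bearer_middleware_order(PAGE_ORDER):
        print(problem)
```

Pass settings.MIDDLEWARE to the function from a project test or deployment check so a reordered list is caught before release.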

Run migrations after enabling the app:

python manage.py migrate

Upgrading from djmvc_api

If djmvc_api or djmvc_swagger migrations were already applied to the database, djcrud_api migrations 0002 and 0003 rename the token table and rewrite django_migrations app labels automatically. See Database upgrade (djmvc_api → djcrud_api) in Migrating from djmvc.

Bearer authentication

Obtaining a token

curl -X POST http://localhost:8000/api/login/ \
  -H 'Content-Type: application/json' \
  -d '{"username": "su", "password": "su"}'

Using a token with djcrud_drf:

curl http://localhost:8000/api/product/ \
  -H 'Authorization: Bearer <token>'

API reference (modules)

class djcrud_api.views.ApiLoginView(**kwargs)

Bases: View

Exchange username/password for a short-lived Bearer token.

Constructor. Called in the URLconf; can contain helpful extra keyword arguments, and other things.

has_permission()

Return whether the current user may access this view.

dispatch(request, *args, **kwargs)

Redirect anonymous users to login; return 403 when permission denied.

class djcrud_api.views.TokenCreateView(**kwargs)

Bases: CreateView

Create a named API token via HTML form (raw key shown once).

Constructor. Called in the URLconf; can contain helpful extra keyword arguments, and other things.

form_valid(form)

Log creation when LogMixin is active.

get_success_url()

Redirect target after successful submit (next POST field or /).

class djcrud_api.views.TokenRouter

Bases: ModelRouter

model

alias of Token

get_queryset(*, user, model, action, perm, obj=None)

Return rows visible to user via the permission registry, then all rows.

class djcrud_api.views.ApiRouter

Bases: Router

class djcrud_api.models.Token(*args, **kwargs)

Bases: Model

Bearer token for JSON API access without session or CSRF.

classmethod generate(user, name, expires=None)

Create a token row and return (instance, raw_key) (shown once).

classmethod authenticate(raw_key)

Return a valid token for raw_key, or None.

exception DoesNotExist

Bases: ObjectDoesNotExist

exception MultipleObjectsReturned

Bases: MultipleObjectsReturned

exception NotUpdated

Bases: ObjectNotUpdated, DatabaseError

Bearer token middleware for djcrud_api.

BearerCsrfMiddleware must run before django.middleware.csrf.CsrfViewMiddleware. BearerUserMiddleware must run after django.contrib.auth.middleware.AuthenticationMiddleware.

djcrud_api.middleware.parse_bearer_header(request)

Return the Bearer token from Authorization, or None.

djcrud_api.middleware.lookup_token(raw_key)

Validate raw_key and return the Token, or None.

class djcrud_api.middleware.BearerCsrfMiddleware(get_response)

Bases: object

Skip CSRF when a valid Bearer token is present.

class djcrud_api.middleware.BearerUserMiddleware(get_response)

Bases: object

Authenticate the request from a stashed Bearer token.