djcrud_api
Optional Bearer token authentication for API clients. This package does not provide CRUD JSON endpoints — use djcrud_drf for REST APIs.
Features
- Bearer token authentication (no session cookie, no CSRF on token requests)
- Login endpoint to exchange username/password for a short-lived token
- Token management HTML UI at /api/token/
Routes
djcrud_api registers login and token routes on djcrud_drf.router
when djcrud_drf is installed (see DRF API):
| URL | View |
|---|---|
Enable the package
Add djcrud_api to INSTALLED_APPS and register the Bearer middleware
(required for token auth and CSRF exemption). Full steps are in
DRF API:
```python
MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "djcrud_api.middleware.BearerCsrfMiddleware",  # before CSRF
    "django.middleware.locale.LocaleMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "djcrud_api.middleware.BearerUserMiddleware",  # after session auth
    "django.middleware.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
]
```
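The two ordering constraints on the Bearer middlewares are easy to break when a settings file is edited later, so they can be checked mechanically. The following is an added example, not part of djcrud_api; the function name `check_bearer_middleware_order` and the `MISORDERED` sample list are hypothetical.

```python
# Added example (not djcrud_api code): check the middleware ordering rules
# stated on this page. Function name and sample list are hypothetical.
BEARER_CSRF = "djcrud_api.middleware.BearerCsrfMiddleware"
BEARER_USER = "djcrud_api.middleware.BearerUserMiddleware"
DJANGO_CSRF = "django.middleware.csrf.CsrfViewMiddleware"
DJANGO_AUTH = "django.contrib.auth.middleware.AuthenticationMiddleware"

# (entry that must come first, entry that must come later)
ORDER_RULES = [(BEARER_CSRF, DJANGO_CSRF), (DJANGO_AUTH, BEARER_USER)]


def check_bearer_middleware_order(middleware):
    """Return a list of problems in a MIDDLEWARE sequence (empty if OK)."""
    entries = list(middleware)
    problems = []
    # Both Bearer middlewares must be present exactly once.
    for name in (BEARER_CSRF, BEARER_USER):
        count = entries.count(name)
        if count == 0:
            problems.append(f"{name} is missing")
        elif count > 1:
            problems.append(f"{name} is listed {count} times")
    # Relative order only matters when both entries of a rule are present.
    for first, later in ORDER_RULES:
        if first not in entries or later not in entries:
            continue
        if entries.index(first) > entries.index(later):
            problems.append(f"{first} must be listed before {later}")
    return problems


# Constructed sample: the CSRF exemption sits after the CSRF check, and the
# Bearer user middleware sits before session authentication.
MISORDERED = [
    "django.contrib.sessions.middleware.SessionMiddleware",
    DJANGO_CSRF,
    BEARER_CSRF,
    BEARER_USER,
    DJANGO_AUTH,
]

if __name__ == "__main__":
    for problem in check_bearer_middleware_order(MISORDERED):
        print(problem)
```

Passing `settings.MIDDLEWARE` to the function in a test or a Django system check (`django.core.checks.register`) turns a silent misconfiguration into a failed deploy check.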
Run migrations after enabling the app:
```bash
python manage.py migrate
```
Upgrading from djmvc_api
If the database already applied djmvc_api or djmvc_swagger migrations,
djcrud_api migrations 0002 and 0003 rename the token table and
rewrite django_migrations app labels automatically. See
Database upgrade (djmvc_api → djcrud_api) in Migrating from djmvc.
Bearer authentication
Obtaining a token
```bash
curl -X POST http://localhost:8000/api/login/ \
  -H 'Content-Type: application/json' \
  -d '{"username": "su", "password": "su"}'
```
Using a token with djcrud_drf:
```bash
curl http://localhost:8000/api/product/ \
  -H 'Authorization: Bearer <token>'
```
API reference (modules)
- class djcrud_api.views.ApiLoginView(**kwargs)
  Bases: View
  Exchange username/password for a short-lived Bearer token.
  Constructor. Called in the URLconf; can contain helpful extra keyword arguments, and other things.
- dispatch(request, *args, **kwargs)
  Redirect anonymous users to login; return 403 when permission denied.
- class djcrud_api.views.TokenCreateView(**kwargs)
  Bases: CreateView
  Create a named API token via HTML form (raw key shown once).
  Constructor. Called in the URLconf; can contain helpful extra keyword arguments, and other things.
- class djcrud_api.views.TokenRouter
  Bases: ModelRouter
- class djcrud_api.models.Token(*args, **kwargs)
  Bases: Model
  Bearer token for JSON API access without session or CSRF.
- classmethod generate(user, name, expires=None)
  Create a token row and return (instance, raw_key) (shown once).
- exception DoesNotExist
  Bases: ObjectDoesNotExist
- exception MultipleObjectsReturned
  Bases: MultipleObjectsReturned
- exception NotUpdated
  Bases: ObjectNotUpdated, DatabaseError
Bearer token middleware for djcrud_api.
BearerCsrfMiddleware must run before django.middleware.csrf.CsrfViewMiddleware.
BearerUserMiddleware must run after django.contrib.auth.middleware.AuthenticationMiddleware.
- djcrud_api.middleware.parse_bearer_header(request)
  Return the Bearer token from Authorization, or None.
- djcrud_api.middleware.lookup_token(raw_key)
  Validate raw_key and return the Token, or None.