django rest framework - understanding authentication and logging in

Question

I am a beginner to django rest framework (and to REST in general) and I have a server side which (for now) has a UserViewSet which allows to register new users and I can POST to the url from my android app just fine (I get 201 CREATED).

I read a lot about it, but I don't seem to fully the understand the concept of Login and Authentication in REST frameworks and specifically in django rest framework, and how it works.

Do you "Log in" (like in facebook for example) and then you can make requests?

What I understandheard off:

you can Login to a APIwebsite using your username and password (assuming off course that you have registered as a user and you are in the user database).

After you are Logged in - you will be able to make requests to views that allow access only to logged inauthenticated users.

• Is that somewhat correct? I mean, is there a "Log in" url where you login and that's it? you are authenticated?

• Also read somewhere that there isn't actually a login url, and you have to add your username and password to each request and then the request has to check if your details are in the User database?

To sum up, I am not really sure how does authentication/logging in (same thing?) happens in django REST framework... and would really appreciate a good explanation or an example..

Thanks a lot!

Answer 1

In a normal web application (removing the API from the question), a user would "log" in with their credentials (username/password, social tokens, etc.) and would receive a session cookie (assigned by Django) that allows them to authenticate in future requests on behalf of a user (realistically, themselves). This session cookie stays on their system for a limited period of time (two weeks by default) and allows them to freely use the website without authenticating again. If the session cookie needs to be removed, such that the person can no longer authenticate, the web application typically destroys the session cookie (or clears the session) which effectives "logs them out".

In the case of an API, it all depends on how the authentication works.

• SessionAuthentication works just like as described above, as it uses Django's internal session system.
• TokenAuthentication remembers the authentication information through a database-backed token (which is transmitted in the Authorization header) instead of a session cookie.
• BasicAuthentication authenticates on every session (no persistent session) by passing the username and password on every request (base64 encoded through the Authorization header).
• Other authentication methods generally work in the same way as TokenAuthentication.

So, here are some answers to specific questions which were raised

Do you "Log in" (like in facebook for example) and then you can make requests?

Using BasicAuthentication, you "log in" on every request by providing your credentials. With token-based authentication (TokenAuthentication, OAuth 2, JWT, etc.), you "log in" to receive the initial token and then your authorization is confirmed on every request.

Also read somewhere that there isn't actually a login url, and you have to add your username and password to each request and then the request has to check if your details are in the User database?

This is basic access authentication which you can use in DRF using the BasicAuthentication class.