Customization of the Authorization Header in authentication.py #9463

HtmlMak · 2024-07-09T07:58:02Z

HtmlMak
Jul 9, 2024

In the file authentication.py of the Django REST Framework, located at this line, it would be beneficial to introduce the ability to customize the authorization header.

Currently, the authorization header is hardcoded, which can be limiting in scenarios where the application is secured with additional basic authentication, such as in test environments. By allowing the authorization header to be configurable, it would provide greater flexibility for various use cases and simplify the process of adjusting the header as needed.

browniebroke · 2024-07-09T08:28:43Z

browniebroke
Jul 9, 2024

I may have misunderstood what you're asking for, but there is another class for basic auth:

django-rest-framework/rest_framework/authentication.py

Lines 53 to 59 in ccfe0a9

    
           class BasicAuthentication(BaseAuthentication): 
        
               """ 
        
               HTTP Basic authentication against username/password. 
        
               """ 
        
               www_authenticate_realm = 'api' 
        
               def authenticate(self, request):

If you need something more advanced/custom, it should be pretty simple to write your own auth class, you should make sure it extends the BaseAuthentication class which define the interface you need to follow:

django-rest-framework/rest_framework/authentication.py

Lines 33 to 50 in ccfe0a9

    
           class BaseAuthentication: 
        
               """ 
        
               All authentication classes should extend BaseAuthentication. 
        
               """ 
        
               def authenticate(self, request): 
        
                   """ 
        
                   Authenticate the request and return a two-tuple of (user, token). 
        
                   """ 
        
                   raise NotImplementedError(".authenticate() must be overridden.") 
        
               def authenticate_header(self, request): 
        
                   """ 
        
                   Return a string to be used as the value of the `WWW-Authenticate` 
        
                   header in a `401 Unauthenticated` response, or `None` if the 
        
                   authentication scheme should return `403 Permission Denied` responses. 
        
                   """ 
        
                   pass

1 reply

HtmlMak Jul 9, 2024
Author

Yes, I did just that. The issue is that I had to completely copy the code of the authenticate method only because get_authorization_header is outside the class and cannot be overridden.

To provide some context: my application uses TokenAuthentication, which by default relies on the Authorization header. This works well in production. However, our test environments are secured with additional basic authentication by nginx to prevent unauthorized access.

My solution:

My idea:
Change request.META.get("HTTP_AUTHORIZATION", b"") to request.META.get(settings.AUTH_HEADER, b"")

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Customization of the Authorization Header in authentication.py #9463

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Customization of the Authorization Header in authentication.py #9463

HtmlMak Jul 9, 2024

Replies: 1 comment · 1 reply

browniebroke Jul 9, 2024

HtmlMak Jul 9, 2024 Author

HtmlMak
Jul 9, 2024

Replies: 1 comment 1 reply

browniebroke
Jul 9, 2024

HtmlMak Jul 9, 2024
Author