
Django, DRF Token authentication doesn't work, get Anonymous User

I'm quite new to Django. I want to make some authorization for mobile. I've read the docs below: http://www.django-rest-framework.org/api-guide/authentication/#setting-the-authentication-scheme Although I've read them and done everything as written, it does not work. I have obtained a token for one of the users, but when I want to authenticate with this token there is no result and I get AnonymousUser.

    {"token": "e2a9b561fc24a65b607135857d304747a36d0e8d"}

    curl -X GET http://<ip:port>/trainer/logToken/ -H "Authorization: Token e2a9b561fc24a65b607135857d304747a36d0e8d"

Results in:

    AnonymousUser

My settings.py:

    INSTALLED_APPS = (
        'django.contrib.admin',
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        'rest_framework',
        'rest_framework.authtoken',
        'trainer',
    )

    REST_FRAMEWORK = {
        'DEFAULT_PERMISSION_CLASSES': (
            'rest_framework.permissions.IsAuthenticated',
        ),
        'DEFAULT_AUTHENTICATION_CLASSES': (
            'rest_framework.authentication.TokenAuthentication',
            'rest_framework.authentication.BasicAuthentication',
        ),
    }

View:

    from django.http import HttpResponse

    def logToken(request):
        return HttpResponse(request.user)

Any ideas? I tried to log in using Basic Authentication, but with no result as well.

EDIT: When I execute:

    curl -viL -H "Authorization: Token e2a9b561fc24a65b607135857d304747a36d0e8d" http://<ip:port>/trainer/logToken/

I get:

    * About to connect() to <IP> port 8000 (#0)
    *   Trying <IP>...
    * Adding handle: conn: 0x25b82c0
    * Adding handle: send: 0
    * Adding handle: recv: 0
    * Curl_addHandleToPipeline: length: 1
    * - Conn 0 (0x25b82c0) send_pipe: 1, recv_pipe: 0
    * Connected to <IP> (<IP>) port 8000 (#0)
    > GET /trainer/logToken/ HTTP/1.1
    > User-Agent: curl/7.30.0
    > Host: <IP>:8000
    > Accept: */*
    > Authorization: Token e2a9b561fc24a65b607135857d304747a36d0e8d
    >
    * HTTP 1.0, assume close after body
    < HTTP/1.0 200 OK
    HTTP/1.0 200 OK
    < Date: Thu, 26 Nov 2015 20:52:36 GMT
    Date: Thu, 26 Nov 2015 20:52:36 GMT
    < Server: WSGIServer/0.2 CPython/3.4.2
    Server: WSGIServer/0.2 CPython/3.4.2
    < X-Frame-Options: SAMEORIGIN
    X-Frame-Options: SAMEORIGIN
    < Content-Type: text/html; charset=utf-8
    Content-Type: text/html; charset=utf-8
    < Vary: Cookie
    Vary: Cookie

    <
    AnonymousUser* Closing connection 0

Line below is added by default

  django.contrib.auth.middleware.AuthenticationMiddleware to your MIDDLEWARE_CLASSES

EDIT2:

I added one line to my view and now it looks as below:

    from rest_framework.decorators import api_view

    @api_view(['GET'])
    def logToken(request):
        return HttpResponse(request.user)

and it works, but I have no idea why?

Without the api_view decorator, it's a regular Django view. DRF embeds its own authentication and permission system so as to avoid things such as requiring a CSRF token even if you are posting data in JSON.

The counterpart is that DRF extends the Django request in the APIView, performing authentication, authorization, throttling and a few other things there. Note that the api_view decorator wraps an APIView around your function.

Therefore, with the decorator, you'll have the DRF system active, while without it, it simply won't work.
