
Django Rest Framework + React JWT authentication, 403 Forbidden on protected views

I'm trying to make a CRUD website with DRF + React. I've somewhat followed this tutorial for authentication:

https://hackernoon.com/110percent-complete-jwt-authentication-with-django-and-react-2020-iejq34ta (with some differences, since I'm using DRF and React completely separately)

Authentication is fine: I can already log in, log out and sign up. However, any view that requires the permission "IsAuthenticated" gets me a 403 Forbidden. I've also tried to get the data through Postman using the headers Accept: application/json and Authorization: JWT "myaccesstoken", but I also get a 403 with "detail": "You do not have permission to perform this action."

Here's some of the code

Settings.py
from datetime import timedelta

# SECRET_KEY is defined earlier in settings.py, as in a default Django project.

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication',  # I've already tried commenting out basic and session auth
    )
}

SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': timedelta(minutes=5),
    'REFRESH_TOKEN_LIFETIME': timedelta(days=14),
    'ROTATE_REFRESH_TOKENS': True,
    'BLACKLIST_AFTER_ROTATION': True,
    'ALGORITHM': 'HS256',
    'SIGNING_KEY': SECRET_KEY,
    'VERIFYING_KEY': None,
    'AUTH_HEADER_TYPES': ('JWT ',),
    'USER_ID_FIELD': 'username',
    'USER_ID_CLAIM': 'user_id',
    'AUTH_TOKEN_CLASSES': ('rest_framework_simplejwt.tokens.AccessToken',),
    'TOKEN_TYPE_CLAIM': 'token_type',
}

CORS_ORIGIN_ALLOW_ALL = True

And the protected view

views.py
from rest_framework import generics
from rest_framework.permissions import IsAuthenticated

from .models import Post              # adjust to your app's module paths
from .serializers import PostSerializer


class PostList(generics.ListCreateAPIView):
    permission_classes = (IsAuthenticated,)  # I've tried with or without this
    authentication_classes = ()  # if I take this out I get a 401 instead of a 403
    queryset = Post.objects.all()
    serializer_class = PostSerializer

I'm not showing any of the React code, since I think the problem is in the DRF part: I can't make the GET request successfully in Postman either. If I change the settings to AllowAny, I can make the GET requests in both places just fine.

I have the same problem. It seems that the REST_FRAMEWORK settings for default authentication (specifically rest_framework_simplejwt) do not work. I don't know why...

Try importing the JWTAuthentication class directly into your authentication_classes tuple, like:

from rest_framework import generics
from rest_framework.permissions import IsAuthenticated
from rest_framework_simplejwt.authentication import JWTAuthentication

from .models import Post
from .serializers import PostSerializer


class PostList(generics.ListCreateAPIView):
    permission_classes = (IsAuthenticated,)
    authentication_classes = (JWTAuthentication,)  # trailing comma: a one-element tuple, not a bare class
    queryset = Post.objects.all()
    serializer_class = PostSerializer
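The following is an added example, not code from the question, the answers or the django-rest-framework / simplejwt projects. It re-implements, stand-alone and without Django, the two decisions that produce the status codes seen in the thread: how rest_framework_simplejwt's JWTAuthentication.get_raw_token matches the first whitespace-separated word of the Authorization header against SIMPLE_JWT['AUTH_HEADER_TYPES'], and how DRF's APIView.permission_denied and handle_exception turn a failed IsAuthenticated check into 401 or 403. Two facts it makes visible from the settings posted above: a view with authentication_classes = () has no authenticators at all, so DRF raises PermissionDenied (403, "You do not have permission to perform this action.") even though nothing was ever checked; and the posted header type 'JWT ' carries a trailing space, which can never equal the split word "JWT", so the JWT authenticator silently returns no user and the view falls through to 401 (or 403 if SessionAuthentication, which sends no WWW-Authenticate challenge, is listed first). The function names, the GLOBAL_CLASSES constant and the token string are the example's own; a matching header is treated as a valid token, which is an assumption that isolates the header and authenticator problem from signature and expiry checks.

```python
"""Stand-alone mirror of the 401/403 decision path for a DRF view protected
by IsAuthenticated and authenticated with rest_framework_simplejwt.

Example code, not the libraries' own; no Django required.
"""
from typing import Optional, Sequence

# The three classes from the question's DEFAULT_AUTHENTICATION_CLASSES, in order.
GLOBAL_CLASSES = ("JWTAuthentication", "SessionAuthentication", "BasicAuthentication")

# Whether each real class returns a WWW-Authenticate challenge from
# authenticate_header(); DRF downgrades 401 to 403 when the first one does not.
SENDS_CHALLENGE = {
    "JWTAuthentication": True,       # '<AUTH_HEADER_TYPES[0]> realm="api"'
    "BasicAuthentication": True,     # 'Basic realm="api"'
    "SessionAuthentication": False,  # returns None
}


def extract_raw_token(authorization: Optional[str],
                      header_types: Sequence[str] = ("Bearer",)) -> Optional[str]:
    """Mirror of simplejwt's JWTAuthentication.get_raw_token.

    The header is split on whitespace and the first word is compared exactly
    against header_types. A mismatch returns None (request treated as
    anonymous, no error); a matching scheme with the wrong number of parts
    raises, as the library does.
    """
    if authorization is None:
        return None
    parts = authorization.split()
    if not parts:
        return None
    if parts[0] not in header_types:
        return None  # e.g. "JWT" never equals "JWT " (trailing space)
    if len(parts) != 2:
        raise ValueError("Authorization header must contain two space-delimited values")
    return parts[1]


def denial_status(authenticators: Sequence[str], authenticated: bool) -> int:
    """Mirror of DRF's APIView.permission_denied + handle_exception.

    - no authenticators on the view         -> PermissionDenied       -> 403
    - authenticators present, none succeeded -> NotAuthenticated (401), but
      403 if the first authenticator supplies no WWW-Authenticate challenge
    """
    if authenticators and not authenticated:
        return 401 if SENDS_CHALLENGE.get(authenticators[0], False) else 403
    return 403


def diagnose(header_types: Sequence[str], authorization: Optional[str],
             view_authenticators: Sequence[str]) -> int:
    """Status code the view would answer with for a request carrying
    `authorization`, given the view's authentication classes.

    Assumption: a header whose scheme matches is taken as a valid token, so
    signature/expiry failures are out of scope here.
    """
    authenticated = False
    if "JWTAuthentication" in view_authenticators:
        authenticated = extract_raw_token(authorization, header_types) is not None
    if authenticated:
        return 200
    return denial_status(view_authenticators, authenticated)


def walkthrough() -> dict:
    """The configurations discussed in the thread, side by side."""
    # Constructed placeholder token, not a real JWT.
    header = "JWT eyJhbGciOiJIUzI1NiJ9.e30.placeholder"
    return {
        # authentication_classes = () on the view: nothing runs, plain 403
        "view_with_empty_authenticators": diagnose(("JWT ",), header, ()),
        # view falls back to the global classes; 'JWT ' never matches -> 401
        "global_classes_trailing_space": diagnose(("JWT ",), header, GLOBAL_CLASSES),
        # same header with the corrected type -> authenticated
        "global_classes_fixed_type": diagnose(("JWT",), header, GLOBAL_CLASSES),
        # no header, session auth listed first -> 403 rather than 401
        "session_first_no_header": diagnose(("JWT",), None, ("SessionAuthentication", "JWTAuthentication")),
    }


if __name__ == "__main__":
    for case, status in walkthrough().items():
        print(f"{case:32s} -> {status}")
```

Two practical checks follow from this. First, whenever a protected view answers 403 with "You do not have permission to perform this action." for an unauthenticated request, confirm the view actually has authenticators: an empty authentication_classes, or a global list that is silently empty, short-circuits to PermissionDenied before any token is read. Second, a 401 whose WWW-Authenticate line reads "JWT  realm=..." with two spaces is the trailing-space setting giving itself away; the header type must be exactly the word the client sends. Note also that the answer above needs the trailing comma in (JWTAuthentication,): without it DRF's get_authenticators tries to iterate over the class object itself.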

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM