I'm using Django REST framework for my backend and React for my front end. I've set up the front end so that when logging in, the client receives a JSON token after being fully authenticated. However, my backend, specifically the APIs, is not receiving this JSON token.

Here is what my URLconf looks like:

from django.conf.urls import include, url
from django.contrib import admin
from rest_framework.routers import SimpleRouter
from rest_framework.urlpatterns import format_suffix_patterns
from rest_framework_jwt.views import obtain_jwt_token, refresh_jwt_token, verify_jwt_token
# accountsviews, homeviews, stocksviews and passwordviews are the project's own view modules

router = SimpleRouter()
router.register(r'accounts', accountsviews.UserViewSet, 'list')
router.register(r'groups', accountsviews.GroupViewSet)

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^message/', homeviews.message, name="message"),
    url(r'^stocks_api/', stocksviews.StockList.as_view()),
    url(r'^passwordreset/', homeviews.passwordreset.as_view(), name='passwordreset'),
    url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework')),
    # JWT endpoints provided by rest_framework_jwt
    url(r'^api-token-auth/', obtain_jwt_token),
    url(r'^api-token-refresh/', refresh_jwt_token),
    url(r'^api-token-verify/', verify_jwt_token),
    url(r'^reset/done/$', passwordviews.reset_done, name='password_reset_done'),
    url(r'^reset/(?P<token>[\w:-]+)/$', passwordviews.reset,
        name='password_reset_reset'),
    url(r'^', include(router.urls)),
    url(r'^', homeviews.home, name='home'),
]

urlpatterns = format_suffix_patterns(urlpatterns)

I feel like the issue might be that my APIs (stocks_api, accounts_api, and groups_api) are not nested inside r'^', homeviews.home. If so, how would I go about making JWT global and not just specific to a URL?

PeepingHog

2 Answers


You are probably saving the JWT token in a cookie on the client. For that cookie to be accessible across your domain you need to set the path to "/". In JavaScript it's something like this: document.cookie = "jwt_token=yourtokenhashhere;path=/;domain=yourdomain.com"; . I don't know how Django sets cookies, but it should be something similar. Search for the part of your code that sends the token to the client and make sure you set the path to / for the token cookie.

Iansen
  • So this is my code for saving the JWT token on the client: localStorage.setItem('jwt', jwt) – PeepingHog Nov 15 '16 at 20:05
  • You need to pass the token along with every request that needs it. So when you make a new request that needs authentication, just add your local token in a header, POST or GET param; then read and verify it on the server. The token will not get passed along if it's not stored in a cookie. – Iansen Nov 15 '16 at 21:22
  • I've set it so the JWT is now stored as a cookie. It's visible in the API page now. Question is, if I were to set authentication for my API using JWT, how would I go about that? The default authentication class I've set for DRF is 'rest_framework_jwt.authentication.JSONWebTokenAuthentication'. Would I have to make a custom one that decodes the cookie and then decodes the JWT? – PeepingHog Nov 15 '16 at 22:03

Because your client stores the JWT token in local storage, Django can only know if the user is authenticated via request.user.is_authenticated. You can contain your JWT in the headers of every request in the front end and then access it via Django's META field, request.META['JWT']; the downside is that it needs to be in every request.

Alternatively, you can store the JWT in a cookie. You have to modify your auth code so that after a user has successfully authenticated and a JWT token has been generated, before returning that JWT token you store it in the session, request.session['jwt_token']; you can then access the token in any view throughout your app.

Auth view pseudocode

from rest_framework.response import Response
from rest_framework_jwt.settings import api_settings

def obtain_jwt_token(request):
    # build the JWT with rest_framework_jwt's configured handlers, keep a copy in the session, then return it
    jwt_token = api_settings.JWT_ENCODE_HANDLER(api_settings.JWT_PAYLOAD_HANDLER(request.user))
    request.session['JWT'] = jwt_token
    return Response({'token': jwt_token})
Dap
  • Does the JWT have to be stored as a session cookie? Can it be a regular cookie? If so, after I've set the JWT to be stored in a regular cookie, how do I let my API authenticate this JWT cookie? My DRF authentication class is set to 'rest_framework_jwt.authentication.JSONWebTokenAuthentication'. – PeepingHog Nov 15 '16 at 22:01
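An added, dependency-free illustration (not from either answer and not rest_framework_jwt's own code) of the lookup the comments above keep circling: JSONWebTokenAuthentication reads the token from an "Authorization: JWT <token>" header, which Django exposes as META['HTTP_AUTHORIZATION'], so a token left in localStorage is never seen by the API unless the client sends that header. The functions below mirror that header parsing, add the cookie fallback a custom authentication class would need, and verify an HS256 token against the secret; the cookie name "jwt" and the HS256 signing are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

JWT_AUTH_HEADER_PREFIX = "JWT"  # default prefix rest_framework_jwt looks for
JWT_COOKIE_NAME = "jwt"         # assumed cookie name for the fallback

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(payload, secret):
    """Mint an HS256 JWT (stand-in for rest_framework_jwt's encode handler)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def get_token(meta, cookies):
    """Header first ('Authorization: JWT <token>', seen by Django as
    META['HTTP_AUTHORIZATION']), then the cookie; None if neither carries a token."""
    parts = meta.get("HTTP_AUTHORIZATION", "").split()
    if len(parts) == 2 and parts[0].upper() == JWT_AUTH_HEADER_PREFIX:
        return parts[1]
    return cookies.get(JWT_COOKIE_NAME)

def verify_hs256(token, secret, now=None):
    """Return the payload if the signature and 'exp' check out, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None  # not three dot-separated segments
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        return None  # tampered, or signed with a different key
    payload = json.loads(_b64url_decode(body))
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        return None  # expired (or no exp claim at all)
    return payload

def authenticate_request(meta, cookies, secret, now=None):
    """What a cookie-aware authentication class would do: pull the token, verify it,
    and return the payload, or None meaning 'treat this request as anonymous'."""
    token = get_token(meta, cookies)
    return verify_hs256(token, secret, now) if token else None
```

A request with no header and no cookie, an expired token, or a token signed with another key all come back as None, which is exactly the case the asker is hitting when the API "is not receiving" the token.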