
I am creating a project in Django for my mobile app. The Django project is the API backend for the mobile app. I have created a signup for the user model using Django REST framework. The signup API works fine. Now I want to let only requests from my mobile app be served. For this I created an OAuth application with Authorization grant type "client-credentials".

from django.contrib.auth.models import User
from rest_framework import serializers
from rest_framework.serializers import ModelSerializer
from rest_framework.validators import UniqueValidator


class UserSerializer(ModelSerializer):
    email = serializers.EmailField(
        required=True,
        validators=[UniqueValidator(queryset=User.objects.all())]
    )
    username = serializers.CharField(
        validators=[UniqueValidator(queryset=User.objects.all())]
    )
    # write_only on the declared field: DRF 3 no longer honours
    # Meta.write_only_fields, and extra_kwargs does not apply to
    # explicitly declared fields, so without this the password (hash)
    # is echoed back in the signup response.
    password = serializers.CharField(min_length=8, write_only=True)

    def create(self, validated_data):
        # create_user() hashes the password; never write it to the model directly
        user = User.objects.create_user(validated_data['username'], validated_data['email'],
                                        validated_data['password'])
        return user

    class Meta:
        model = User
        fields = ('id', 'username', 'email', 'password')
        read_only_fields = ('id',)

This is the user serializer and the view is

from django.contrib.auth.models import User
from oauth2_provider.contrib.rest_framework import TokenHasScope
from rest_framework.generics import CreateAPIView

from .permissions import IsAuthenticatedOrCreate  # the custom class quoted in the comments; module path assumed


class UserCreateAPIView(CreateAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer
    # Both classes must allow the request. TokenHasScope reads
    # view.required_scopes; without that attribute a request that does
    # carry a token raises ImproperlyConfigured.
    permission_classes = (IsAuthenticatedOrCreate, TokenHasScope)

But the problem is that I can make direct calls to the signup API without using the token. How do I make sure that the User Create API can only be called when the token is passed, i.e. that the POST request is valid only when the token is passed?

Prabin Bhandari
  • Can you put the REST_FRAMEWORK default authentication classes and permission classes (settings.py) in the question? The issue is with the authentication/permission you have provided. – Saji Xavier Dec 06 '17 at 04:43
  • What is the 'IsAuthenticatedOrCreate' permission? It is allowing user requests for creation without authentication. – Saji Xavier Dec 06 '17 at 04:52
  • @SajiXavier IsAuthenticatedOrCreate is a permission class that I have created that allows authenticated users to log in and unauthenticated users to sign up: class IsAuthenticatedOrCreate(permissions.IsAuthenticated): def has_permission(self, request, view): if request.method == 'POST': return True; return super(IsAuthenticatedOrCreate, self).has_permission(request, view) – Prabin Bhandari Dec 06 '17 at 09:35
  • OAuth is used only for authentication, and you need to define the appropriate permission based on the authentication state. So if you are allowing users to sign up without authentication, the signup API will be available without a token. Please try with 'IsAuthenticated'. – Saji Xavier Dec 06 '17 at 10:12

1 Answer


You can simply create an application with grant type Client Credentials, and set your permission class as:

permission_classes = [TokenHasReadWriteScope]

For your other APIs, which require user authentication and authorization, you can issue another client with grant type Resource Owner Password Based, and set your permission class as:

permission_classes = [TokenHasReadWriteScope, YourCustomPermission]

Or, if you need both client credentials as well as resource owner password based (for example, your signup API may need only client credentials, but editing a user's personal information may require the resource owner password based grant). For this you can create a custom application model and allow both for the client: http://django-oauth-toolkit.readthedocs.io/en/latest/advanced_topics.html?highlight=extending%20

Sagar Adhikari
  • Hey could you help me with a similar problem : https://stackoverflow.com/questions/55351275/django-oauth-toolkit-generating-access-tokens-for-multiple-resources-services – Syed Ammar Mustafa Mar 31 '19 at 18:31
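As an added example that is not part of the question or the answer: a stand-in model of how DRF ANDs the classes in `permission_classes` and how django-oauth-toolkit's scope permissions decide, run over constructed requests for the two tiers the answer describes (signup behind a client-credentials token, profile editing behind a password-grant token). The questioner's `IsAuthenticatedOrCreate` is copied in so its bypass is visible next to the scope checks. Nothing here imports Django, DRF or the toolkit; `Token`, `Request`, `View`, the scope strings and the fixture names are assumptions made for the example, and the permission classes reproduce the framework's decision logic rather than being the framework's code.

```python
"""Model of DRF permission composition with OAuth2 scope checks.

Added example, not code from the question or answer. Token, Request and
View are constructed stand-ins for the framework objects; the permission
classes copy the decision logic of the thread's IsAuthenticatedOrCreate
and of django-oauth-toolkit's TokenHasScope / TokenHasReadWriteScope.
"""
import time
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class Token:
    """Stand-in for an oauth2_provider AccessToken (constructed)."""
    scope: str            # space-separated scopes, as the toolkit stores them
    expires: float        # unix timestamp
    user: object = None   # None for a client-credentials token: no resource owner

    def is_valid(self, required_scopes):
        not_expired = time.time() < self.expires
        return not_expired and set(required_scopes) <= set(self.scope.split())


@dataclass
class Request:
    """Stand-in for a DRF request after OAuth2Authentication has run."""
    method: str
    auth: Token = None    # the access token, or None when no valid bearer token was sent
    user: object = None   # the token's user; None for anonymous or client tokens

    @property
    def is_authenticated(self):
        return self.user is not None


@dataclass
class View:
    required_scopes: tuple = ()


class IsAuthenticated:
    def has_permission(self, request, view):
        return request.is_authenticated


class IsAuthenticatedOrCreate(IsAuthenticated):
    """The questioner's class: every POST passes, token or no token."""
    def has_permission(self, request, view):
        if request.method == "POST":
            return True
        return super().has_permission(request, view)


class TokenHasScope:
    """Same decisions as the toolkit's TokenHasScope: no token -> deny,
    missing scope or expired token -> deny."""
    def get_scopes(self, request, view):
        return list(view.required_scopes)

    def has_permission(self, request, view):
        token = request.auth
        if token is None:
            return False
        return token.is_valid(self.get_scopes(request, view))


class TokenHasReadWriteScope(TokenHasScope):
    """Adds 'read' for safe methods and 'write' for everything else."""
    def get_scopes(self, request, view):
        base = "read" if request.method in SAFE_METHODS else "write"
        return [base] + super().get_scopes(request, view)


def check_permissions(permission_classes, request, view):
    """DRF semantics: the request is allowed only if every class allows it."""
    return all(cls().has_permission(request, view) for cls in permission_classes)


# Constructed fixtures: one token per grant type the answer describes.
NOW = time.time()
ALICE = object()
CLIENT_TOKEN = Token(scope="write", expires=NOW + 3600)                 # client credentials
USER_TOKEN = Token(scope="read write", expires=NOW + 3600, user=ALICE)  # password grant
EXPIRED_CLIENT_TOKEN = Token(scope="write", expires=NOW - 1)

SIGNUP_VIEW = View()
PROFILE_VIEW = View()

ANON_POST = Request("POST")
CLIENT_POST = Request("POST", auth=CLIENT_TOKEN)
EXPIRED_POST = Request("POST", auth=EXPIRED_CLIENT_TOKEN)
USER_PUT = Request("PUT", auth=USER_TOKEN, user=ALICE)
CLIENT_PUT = Request("PUT", auth=CLIENT_TOKEN)


def signup_allowed(request, permission_classes):
    return check_permissions(permission_classes, request, SIGNUP_VIEW)


def profile_edit_allowed(request):
    # The answer's second tier: app token *and* a resource owner behind it.
    return check_permissions((TokenHasReadWriteScope, IsAuthenticated), request, PROFILE_VIEW)


if __name__ == "__main__":
    print("anon POST, custom class only:", signup_allowed(ANON_POST, (IsAuthenticatedOrCreate,)))  # True
    print("anon POST, scope check:", signup_allowed(ANON_POST, (TokenHasReadWriteScope,)))         # False
    print("app token POST:", signup_allowed(CLIENT_POST, (TokenHasReadWriteScope,)))               # True
    print("expired app token POST:", signup_allowed(EXPIRED_POST, (TokenHasReadWriteScope,)))      # False
    print("user edits profile:", profile_edit_allowed(USER_PUT))                                   # True
    print("app token edits profile:", profile_edit_allowed(CLIENT_PUT))                            # False
```

Two things the model makes visible. Permission classes are ANDed, so placing a scope permission next to the custom class already denies the anonymous POST; if anonymous requests still get through in a real deployment, the first thing to check is that `oauth2_provider.contrib.rest_framework.OAuth2Authentication` is in `DEFAULT_AUTHENTICATION_CLASSES` (the commenter's first question), because without it `request.auth` is never a token. And a client-credentials token only proves possession of the client secret, which ships inside the app binary; it keeps casual scripting off the signup endpoint but does not authenticate the app, so rate limiting and the usual signup abuse controls still apply.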