Learn how to secure your views with REST framework’s TokenAuthentication.
[SOUND] Welcome back.
0:04 Up to this point, I've relied on Django's authentication system to handle, well, authentication for the API.
0:10 The session authentication that I've been using is best when I'm dealing with clients that are running in the same session context as the website.
0:14 Usually these would be AJAX clients.
0:18 For example, maybe I'm building a REST framework API for my courses and a JavaScript app that will consume my API and display those courses.
0:24 This JavaScript app could be inside a Django template, and all communication with the API would be within the same context as the rest of the website.
0:32 What happens when I go to build a mobile app that needs data from my API?
0:35 I only need the data, not the HTML and CSS.
0:39 Session authentication isn't going to work very well in this scenario because there's no session to take advantage of, so what can I use instead?
0:45 Token-based authentication would probably be a good choice.
0:49 Token auth takes advantage of a simple HTTP authentication method.
0:52 Instead of making the user log in and keep a session around, a user is assigned a token, which is usually a randomly generated string, which they give to the server to prove who they are.
1:02 REST framework has built-in support for both session and token authentication.
1:05 There are also third-party packages that add other authentication types too, like OAuth.
1:13 Check the teacher's notes for a link to the documentation on authentication, which lists recommended third-party packages.
1:17 For now though, let me jump back into Workspaces to start getting this new authentication scheme set up.
1:22 Okay, to use the token-based auth, I've gotta come over here to settings and I have to add one new thing to my installed apps.
1:30 I'm gonna add rest_framework.authtoken, and that makes the auth token stuff available, and then I'm gonna come all the way back down here to my REST framework dictionary, and inside here I have this default authentication classes, and I'm gonna change, instead of session authentication, I'm gonna change over here to token authentication.
1:53 So I have to run migrations now because I added that new project, I have that new app.
2:05 So manage.py migrate, and that will create my token table, so that's cool, and so now I need to generate a token for my admin user.
2:17 I'm gonna pop in here to my shell and, all right, cool, and so let's handle all of this stuff.
2:27 Now, normally if you were doing this, you would have something set up to where you automatically created a token whenever a user signed up.
2:37 I don't have that set up at the moment.
2:40 So, I'm not doing that.
2:42 I'm gonna do this the manual way.
2:44 All right, so import Token, and then from django.contrib.auth.models import User.
2:47 And my user is gonna be User.objects.get(id=1) cuz it's my first one, I know who it is.
3:01 Let's check and make sure.
3:05 Yep, that's me.
3:06 All right, so then token = Token.objects.create where the user is equal to that user.
3:12 And if I check out the key, then I get this nice big string.
3:16 So what I'm gonna do is I'm actually gonna take and I wanna copy that.
3:23 Copy, and down here in the workspace I have this file, it's called README.txt.
3:27 And if you check it out, I put in here the username and password for that default user.
3:37 And I'm gonna put in the token that was generated for me.
3:38 If you're using the Workspaces, you should have this database, and it should have that same token, things should work fine.
3:47 If it doesn't, then you need to find out what the token key is and hold on to that.
3:50 Now I'm gonna keep a hold of this because I need to have it while I'm making requests to the API here in a little bit.
3:59 If you're like, man, I lost it.
4:02 I don't know what to do.
4:04 Let me get out of here and let me run my server.
4:05 Then what you can do is you can hop into your admin, and if you compare to tokens and you can see the token, right.
4:20 Come right over here.
4:27 This is the key.
4:29 I would just copy and paste that.
4:30 So super handy, and you can use this to, of course, create new tokens for other users.
4:33 All right, so with the token authentication configured, I need a way to test my API endpoints, and I can't, I can, I can do this, but I'm not authed because I don't have the token, right?
4:48 And even if I log in, which I am logged in, cuz I'm able to get an admin here, it doesn't work because I don't have a token, so I need a way to test this and I'm gonna do that by using Postman.
5:01 So I will go to getpostman.com and there is a Chrome app and there is a Mac app, and I actually already have the Chrome app installed, but if you don't have it installed, you just click this link and it'll be up and running and everything's cool.
5:20 So I already have that installed.
5:23 Let's see, how do I go about getting, go to my apps.
5:25 There we go, and Postman, re-enable them.
5:29 All right, cool.
5:35 So I don't want to sign up.
5:36 All right, so this is Postman, and Postman is pretty similar to using a web browser.
5:38 But you will put your URLs into here.
5:45 And I'm actually gonna go ahead, and let's just do that.
5:49 Notice this is a GET request.
5:53 I'll send that, and there's my data that comes back.
5:55 This should look pretty similar, pretty familiar.
5:59 It's pretty much the same thing it was before.
6:01 Let's see about posting one.
6:04 So I will post to that, and I'm gonna click here.
6:07 And see how we have Auth, Headers, Body, blah blah blah?
6:11 Okay, I'm gonna click on Body, and in form-data I can go ahead and put in my information.
6:15 So I'll do title, let's add Python testing.
6:20 I'm gonna click OK, got it, cuz I'm tired of seeing that.
6:28 And for URL I'm gonna put in httpsteamtreehouse.com/library/pythontesting.
6:35 All right, so that's pretty much what I want.
6:39 So I'm doing this here instead of passing in raw JSON, I could do raw JSON right here in a raw, but like this it just sends it in like it's form data and the API knows how to handle that.
6:51 So I'm gonna go and I'm gonna click the Send button, which will send a POST, and I got a 401 Unauthorized, of course, as I should've, cuz I'm not authenticated.
6:59 And I get that "Authentication credentials were not provided."
7:04 So yeah, I actually wanted that!
7:08 I wanted that to happen because I'm not authorized.
7:10 You might be thinking it is authorization, but these are not the authorizations that we need to use.
7:17 It's actually here in Headers, and I need to add a new key, which is Authorization, and my value is going to be Token, a space, and then my key, which, that's not my key.
7:25 Let's go back over here to my readme, copy the key, and paste it in there.
7:33 All right, cool.
7:42 So now I have my token, I have my authorization.
7:43 If I hit Send, I should get a 201.
7:46 Let me try.
7:48 And yep, 201, and I get back my Python testing and that there are no reviews.
7:50 So awesome, the token auth is working just like I want.
7:55 Token authentication is now the default.
7:59 Using Postman lets me test the API going forward pretty easily.
8:01 Something to keep in mind though is that requests from other domains require a bit of setup.
8:09 Feel free to Google for CORS or Cross-Origin Resource Sharing, or try the teacher's notes.
8:14 Get a snack, take a walk, and then join me in the next video where I'll dig a little deeper into authorization and permissions.
8:20
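The header check that the video exercises from Postman, modelled in plain Python as an added example (not the course's code and not REST framework's own): it follows the order of checks in REST framework's TokenAuthentication, with an in-memory dict standing in for the token table that migrate creates, and constructed sample users and keys.

```python
"""Stand-alone model of how REST framework's TokenAuthentication reads the
Authorization header (added example, not the course's code). TOKENS stands in for
the authtoken_token table; USERS and every key are constructed sample data."""
import binascii
import os

class AuthenticationFailed(Exception):
    """Corresponds to the 401 Unauthorized the video gets back in Postman."""

def generate_key():
    # Same construction as Token.generate_key in rest_framework.authtoken:
    # 20 random bytes, hex-encoded, i.e. the 40-character key the video copies.
    return binascii.hexlify(os.urandom(20)).decode()

USERS = {1: {"username": "admin", "is_active": True},
         2: {"username": "former_staff", "is_active": False}}
TOKENS = {}  # key -> user id, what Token.objects.create(user=...) stores

def issue_token(user_id):
    """The manual shell step: create a token for a user and return its key."""
    key = generate_key()
    TOKENS[key] = user_id
    return key

def authenticate(headers):
    """Return (user, key) for a valid 'Authorization: Token <key>' header, None when
    the header is absent or uses another scheme (DRF then tries the next class),
    and raise AuthenticationFailed with DRF's messages for a bad or unknown token."""
    auth = headers.get("Authorization", "").split()
    if not auth or auth[0].lower() != "token":
        return None
    if len(auth) == 1:
        raise AuthenticationFailed("Invalid token header. No credentials provided.")
    if len(auth) > 2:
        raise AuthenticationFailed("Invalid token header. Token string should not contain spaces.")
    user_id = TOKENS.get(auth[1])  # the lookup against the token table
    if user_id is None:
        raise AuthenticationFailed("Invalid token.")  # same reply for every unknown key
    user = USERS[user_id]
    if not user["is_active"]:  # a deactivated user's token stops working too
        raise AuthenticationFailed("User inactive or deleted.")
    return user, auth[1]

def error_for(headers):
    """The failure message for a request, or None when it authenticates or has no token."""
    try:
        authenticate(headers)
        return None
    except AuthenticationFailed as exc:
        return str(exc)
```

When authenticate returns None and the view still requires a user, REST framework answers with the "Authentication credentials were not provided." 401 that the video sees before the header is added.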