Token Authentication

[SOUND] Welcome back. 0:04 Up to this point, I've relied on Django's authentication system to handle, well, 0:05 authentication for the API. 0:10 The session authentication that I've been using is best when I'm dealing with 0:11 clients that are running in the same session context as the website. 0:14 Usually these would be AJAX clients. 0:18 For example maybe I'm building a REST framework API for my courses and 0:20 a JavaScript app that will consume my API and display those courses. 0:24 This JavaScript app could be inside a Django template and all communication with 0:28 the API would be within the same context as the rest of the website. 0:32 What happens when I go to build a mobile app that needs data from my API? 0:35 I only need the data, not the HTML and CSS. 0:39 Session authentication isn't going to work very well in this scenario because there's 0:42 no session to take advantage of, so what can I use instead? 0:45 Token-based authentication would probably be a good choice. 0:49 Token auth takes advantage of a simple HTTP authentication method. 0:52 Instead of making the user log in and keep a session around, 0:56 a user is assigned a token which is usually a randomly generated string, 0:59 which they give to the server to prove who they are. 1:02 REST framework has built-in support for both session and token authentication. 1:05 There are also third party packages that had other authentication types too 1:09 like OAuth. 1:13 Check the teacher's notes for a link to the documentation on authentication, 1:14 which lists recommended third-party packages. 1:17 For now though, let me jump back into Workspaces to start getting this new 1:19 authentication scheme set up. 1:22 Okay, to use the token based auth, I've gotta come over here to Sessions and 1:25 I have to add one new thing to my installed apps. 1:30 I'm gonna add rest_framework.authtoken and 1:34 that makes the auth token stuff available and then I'm gonna 1:39 come all the way back down here to my REST framework dictionary and inside 1:44 here I have this default authentication classes and I'm gonna change instead of 1:49 session authentication I'm gonna change over here to token authentication. 1:53 So I have to run migrations now because I added that new project, 1:59 I have that new app. 2:05 So manage.py migrate and 2:06 that will create my token table, so that's cool, and 2:12 so now I need to generate a token for my admin user. 2:17 I'm gonna pop in here to my shell 2:20 and, all right, cool, and so let's handle all of this stuff. 2:27 Now, normally if you were doing this, you would have something set up to where you 2:32 automatically created a token whenever a user signed up. 2:37 I don't have that set up at the moment. 2:40 So, I'm not doing that. 2:42 I'm gonna do this the manual way. 2:44 All right, so import Token, and then from django.contrib.auth.models import User. 2:47 And my user is gonna be User.objects.get( 2:54 id=1) cuz it's my first one, I know who it is. 3:01 Let's check and make sure. 3:05 Yep, that's me. 3:06 All right, so then token = Token.objects.create 3:08 where the user is equal to that user. 3:12 And if I check out the key, then I get this nice big string. 3:16 So what I'm gonna do is I'm actually gonna take and I wanna copy that. 3:23 Copy and down here in the workspace I have this file it's called README.txt. 3:27 And if you check it out I put in here the username and 3:34 password for that default user. 3:37 And I'm gonna put in the token that was generated for me. 3:38 If you're using the Workspaces, you should have this database, and 3:42 it should have that same token, things should work fine. 3:47 If it doesn't, then you need to find out what the token key is and hold on to that. 3:50 Now I'm gonna keep a hold of this because I need to have it while I'm making 3:56 requests to the API here in a little bit. 3:59 If you're like man, I lost it. 4:02 I don't know what to do. 4:04 Let me get out of here and let me run my server. 4:05 Then what you can do is you can hop into your admin and 4:14 if you compare to tokens and you can see the token right. 4:20 Come right over here. 4:27 This is the key. 4:29 I would just copy and paste that. 4:30 So super handy and you can use this to of course create new tokens for other users. 4:33 All right, so with the token authentication configured, 4:38 I need a way to test my API endpoints and I can't, I can I can do this but 4:41 I'm not authed because I don't have the token, right? 4:48 And even if I log in, which I am logged in, 4:54 cuz I'm able to get an admin here, it doesn't work because I don't have a token, 4:57 so I need a way to test this and I'm gonna do that by using Postman. 5:01 So I will go to getpostman.com and there is a Chrome app and 5:06 there is a Mac app, and I actually already have the Chrome app installed but 5:12 if you don't have it installed, you just click this link and it'll be up and 5:16 running and everything's cool. 5:20 So I already have that installed. 5:23 Let's see, how do I go about getting, go to my apps. 5:25 There we go, and Postman, re-enable them. 5:29 All right, cool. 5:35 So I don't want to sign up. 5:36 All right, so this is Postman and Postman is pretty similar to using a web browser. 5:38 But you will put your URLs into here. 5:45 And I'm actually gonna go ahead, and let's just do that. 5:49 Notice this is a GET request. 5:53 I'll send that, and there's my data that comes back. 5:55 This should look pretty similar, pretty familiar. 5:59 It's pretty much the same thing it was before. 6:01 Let's see about posting one. 6:04 So I will post to that, and I'm gonna click here. 6:07 And see how we have Auth, Headers, Body, blah blah blah? 6:11 Okay, I'm gonna click on Body and 6:13 in form-data, I can go ahead and put in my information. 6:15 So I'll do title, let's add Python testing. 6:20 I'm gonna click OK got it cuz I'm tired of seeing that. 6:28 And for URL I'm gonna put in 6:34 httpsteamtreehouse.com/library/pythontest- ing. 6:35 All right so that's pretty much what I want. 6:39 So I'm doing this here instead of passing in raw JSON I could do raw 6:42 JSON right here in a raw But like this it just sends it in like it's form data and 6:47 the API knows how to handle that. 6:51 So I'm gonna go and I'm gonna click the Send button which will send a POST and 6:53 I got a 401 unauthorized, of course, as I should've cuz I'm not authenticated. 6:59 And I get that Authentication credentials were not provided. 7:04 So yeah, I actually wanted that! 7:08 I wanted that to happen because I'm not authorized. 7:10 You might be thinking it is authorization but 7:14 these are not the authorizations that we need to use. 7:17 It's actually here in Headers and 7:20 I need to add a new key which is Authorization and 7:22 my value is going to be Token, a space, and then my key, which, that's not my key. 7:25 Let's go back over here to my readme, copy the key, and paste it in there. 7:33 All right, cool. 7:42 So now I have my token, I have my authorization. 7:43 If I hit Send, I should get a 201. 7:46 Let me try. 7:48 And yap 201 and I get back my Python testing and that there are no reviews. 7:50 So awesome, the token auth is working just like I want. 7:55 Token authentication is now the default. 7:59 Using Postman let me test the API going forward pretty easily. 8:01 Something to keep in mind though is that requests from other domains require 8:06 a bit of setup. 8:09 Feel free to Google for CORS or Cross Origin Resource Sharing or 8:10 try the teacher's notes. 8:14 Get a snack take a walk and then join me in the next video where I'll dig a little 8:16 deeper into authorization and permissions. 8:20