7

If my webservice (powered by Django Rest Framework, v2.3.8) is inside a location protected by Nginx's HTTP Basic Authentication, like so:

location / {
    auth_basic           "Restricted access";
    auth_basic_user_file /path/to/htpasswd;

    uwsgi_pass django;
    include /etc/uwsgi/config/uwsgi_params;
}

Then, when a user authenticates and tries to access the API, the following response is obtained for all views:

{"detail": "Invalid username/password"}

Does Django Rest Framework pick up the HTTP Authorization header (meant for Nginx) even though the view requires no authentication? If so, how should I go about this?

Any help would be greatly appreciated.

Ikalou

2 Answers

8

By default, Django Rest Framework has two authentication classes, see here.

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication',
    )
}

You can disable the rest framework authentication if you don't need it.

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': ()
}

Or you can remove only BasicAuthentication as it will work in your case.

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        # The trailing comma keeps this a one-element tuple rather than a plain string.
        'rest_framework.authentication.SessionAuthentication',
    )
}
chhantyal
ottojiang
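A stdlib-only model of the request flow behind the answer above, added here as an illustration and not taken from Django Rest Framework or from the answer. It shows why credentials meant for Nginx produce the 401 even on a view that requires no authentication, and why dropping the Basic authenticator removes it. The function names, the `ops` account and both passwords are constructed for the example.

```python
import base64


class AuthenticationFailed(Exception):
    """Stands in for the framework's 401 response."""


def basic_auth(headers, django_users):
    # No header, or another scheme: this authenticator does not apply (None).
    # A Basic header whose credentials are unknown to Django is an error.
    parts = headers.get("Authorization", "").split()
    if not parts or parts[0].lower() != "basic":
        return None
    if len(parts) != 2:
        raise AuthenticationFailed("Invalid basic header")
    try:
        decoded = base64.b64decode(parts[1]).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        raise AuthenticationFailed("Invalid basic header")
    user, _, password = decoded.partition(":")
    if django_users.get(user) != password:
        raise AuthenticationFailed("Invalid username/password")
    return user


def session_auth(headers, django_users):
    return None  # the constructed requests carry no session cookie


def handle(headers, authenticators, django_users):
    """Run the authenticators first, then serve a view that allows anyone."""
    try:
        user = None
        for authenticate in authenticators:
            user = authenticate(headers, django_users)
            if user is not None:
                break
    except AuthenticationFailed as exc:
        return 401, {"detail": str(exc)}
    return 200, {"user": user}


# Constructed sample data: the account exists only in Nginx's htpasswd file.
NGINX_HEADER = {"Authorization": "Basic " + base64.b64encode(b"ops:nginx-secret").decode()}
DJANGO_USERS = {"alice": "app-password"}

if __name__ == "__main__":
    print(handle(NGINX_HEADER, [session_auth, basic_auth], DJANGO_USERS))
    print(handle(NGINX_HEADER, [session_auth], DJANGO_USERS))
```

With the Basic authenticator removed, a request carrying only the Nginx credentials is anonymous to the framework, so the `auth_basic` block is the only access control in front of those views.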
2

As noted in another post, you must add a comma next to the authentication class or it can throw a TypeError.

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',  # comma added here
    )
}

Source: https://stackoverflow.com/a/22697034/5687330

Community
Marc Aubin