Authentication and Authorisation with Django-Tastypie
Once you have your lovely RESTful API based on django-tastypie up and running, you need to think very long and hard about which bits of the potential API surface need to be available, and to whom.
Choosing The Right Option
There is no specific guidance for how individual sites should be configured (although this page is a good start). However, I would certainly recommend not using something like this:
```python
from django.contrib.auth.models import User
from tastypie.authentication import Authentication
from tastypie.authorization import Authorization
from tastypie.resources import ModelResource


class UserResource(ModelResource):
    class Meta:
        queryset = User.objects.all()
        resource_name = 'auth/user'
        # The no-op classes: every client is accepted and every operation is allowed.
        authentication = Authentication()
        authorization = Authorization()
        allowed_methods = ['get', 'put', 'post', 'delete']
```
on anything that goes anywhere near the open internet!
So what can/should we do? According to the documentation there are several options.
Authentication
In other words, how will your user base identify themselves to your API?
| Level | Description | Setting |
|---|---|---|
| None | The client doesn't send any information. In this mode django-tastypie lets all operations through. | Authentication |
| Simple | The user identifies themselves via [HTTP Basic Auth](http://en.wikipedia.org/wiki/Basic_access_authentication). | BasicAuthentication |
| API Key | When the user is added to your site a unique API key is generated for them. This key is sent along with their username with every request. | ApiKeyAuthentication |
| Digest | This authentication scheme uses [HTTP Digest Auth](http://en.wikipedia.org/wiki/Digest_access_authentication) to check a user's credentials. | DigestAuthentication |
| OAuth | The user's credentials are verified against a third party's authentication system. | OAuthAuthentication |
My suggestion would be: if you are using the REST API from a web site, then Digest or OAuth is probably the way to go, since the user is probably present and using a standard browser. If, however, the client is likely to be another site or some kind of automated tool, where interactive user authentication is likely to be an issue, then use the API key method.
Authorisation
Once your users have authenticated against your site, the site protects itself by restricting what the user can and can't do.
| Level | Description | Setting |
|---|---|---|
| None | The system doesn't perform any checks and all requests are allowed. | Authorization |
| Read-only | Only reading of data is allowed, i.e. HTTP GET methods only. This is the default. | ReadOnlyAuthorization |
| Django | The most advanced form. Works in conjunction with the admin permissions of your site. | DjangoAuthorization |
It is also possible to provide your own custom authorisation class.
It is very difficult to suggest any help here, since the choice is very specific to your site and what you want your users to be able to do. The main guidance I could offer would be to allow read/write access only where absolutely needed. So perhaps don't allow users to be created or deleted using the API.
Resource Restrictions
There are also ways of restricting the kinds of operations allowed on a particular resource.
| Setting | Description | Example |
|---|---|---|
| allowed_methods | Controls what list & detail REST methods the Resource should respond to. Default is None, which means delegate to the more specific list_allowed_methods & detail_allowed_methods options. | allowed_methods = ['get', 'post', 'put'] |
| list_allowed_methods | Determines the methods allowed against an entire resource. | list_allowed_methods = ['get', 'post'] |
| detail_allowed_methods | Determines the methods allowed against an individual value of a resource. | detail_allowed_methods = ['get'] |
| excludes | Excludes specific fields from usage via the API. | excludes = ['email', 'password', 'is_superuser'] |
| throttle | Restricts the number of calls which can be made against a specific resource. | throttle = BaseThrottle(throttle_at=100) |
Here you want to be as restrictive as possible:

- Use the `excludes` setting to restrict access to sensitive fields such as passwords.
- Throttle access to your API, especially for operations that create items.
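To put the wide-open resource from the top of the post side by side with a hardened one, and to check a configuration against the checklist above, here is an added example (not tastypie's own code and not from the original post). The stand-in classes carry only the names of the tastypie classes so the audit runs without Django; the `SENSITIVE_FIELDS` list and the two `Meta` classes are constructed for the example. The audit resolves `allowed_methods` the way tastypie's `ResourceOptions` does (when set, it overrides both `list_allowed_methods` and `detail_allowed_methods`) and uses tastypie's own defaults when an option is missing.

```python
"""Audit a tastypie-style Resource.Meta for over-exposure (added example)."""

WRITE_METHODS = ("post", "put", "patch", "delete")
# tastypie's defaults when no *_allowed_methods option is given.
DEFAULT_METHODS = ("get", "post", "put", "delete", "patch")
# Constructed list of fields that should never leave a user resource.
SENSITIVE_FIELDS = ("password", "email", "is_superuser", "is_staff")


# Stand-ins carrying only the tastypie class names; the real classes live in
# tastypie.authentication, tastypie.authorization and tastypie.throttle.
class Authentication:           # tastypie's no-op: every request is accepted
    pass

class ApiKeyAuthentication:
    pass

class Authorization:            # tastypie's no-op: every operation is allowed
    pass

class ReadOnlyAuthorization:    # tastypie's default authorization
    pass

class DjangoAuthorization:
    pass

class BaseThrottle:             # in tastypie this base class never throttles
    def __init__(self, throttle_at=150, timeframe=3600, expiration=None):
        self.throttle_at = throttle_at

class CacheThrottle(BaseThrottle):  # the tastypie class that actually throttles
    pass


def effective_methods(meta):
    """Return (list_methods, detail_methods) as tastypie would apply them."""
    allowed = getattr(meta, "allowed_methods", None)
    if allowed is not None:                      # set: overrides both options
        return list(allowed), list(allowed)
    return (list(getattr(meta, "list_allowed_methods", DEFAULT_METHODS)),
            list(getattr(meta, "detail_allowed_methods", DEFAULT_METHODS)))


def audit(meta, sensitive_fields=SENSITIVE_FIELDS):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    findings = []
    name = getattr(meta, "resource_name", meta.__name__)
    # Missing options fall back to tastypie's defaults: Authentication() and
    # ReadOnlyAuthorization().
    auth = type(getattr(meta, "authentication", Authentication())).__name__
    authz = type(getattr(meta, "authorization", ReadOnlyAuthorization())).__name__

    if auth == "Authentication":
        findings.append(f"{name}: no authentication, every client is anonymous")
    if authz == "Authorization":
        findings.append(f"{name}: no authorization, every operation is allowed")

    list_methods, detail_methods = effective_methods(meta)
    for scope, methods in (("list", list_methods), ("detail", detail_methods)):
        writes = sorted(m for m in methods if m in WRITE_METHODS)
        if writes:
            findings.append(f"{name}: {scope} endpoint allows "
                            f"{', '.join(writes)} (authorization: {authz})")

    excludes = set(getattr(meta, "excludes", ()))
    leaked = sorted(f for f in sensitive_fields if f not in excludes)
    if leaked:
        findings.append(f"{name}: sensitive fields not excluded: {', '.join(leaked)}")

    throttle = getattr(meta, "throttle", None)
    if throttle is None or type(throttle).__name__ == "BaseThrottle":
        findings.append(f"{name}: no effective throttle (BaseThrottle never throttles)")
    return findings


class WideOpenMeta:
    """The configuration the post warns against (constructed for the example)."""
    resource_name = "auth/user"
    authentication = Authentication()
    authorization = Authorization()
    allowed_methods = ["get", "put", "post", "delete"]


class HardenedMeta:
    """API-key clients, Django permissions, GET only, sensitive fields hidden, throttled."""
    resource_name = "auth/user"
    authentication = ApiKeyAuthentication()
    authorization = DjangoAuthorization()
    list_allowed_methods = ["get"]
    detail_allowed_methods = ["get"]
    excludes = ["email", "password", "is_superuser", "is_staff"]
    throttle = CacheThrottle(throttle_at=100)


if __name__ == "__main__":
    for meta in (WideOpenMeta, HardenedMeta):
        print(meta.__name__, audit(meta) or ["ok"])
```

Running it reports six findings for `WideOpenMeta` and none for `HardenedMeta`. Two points the audit encodes that are easy to miss when reading a `Meta` block: setting `allowed_methods` silently replaces whatever you put in `list_allowed_methods` and `detail_allowed_methods`, and tastypie's `BaseThrottle` is documented as the no-op base class, so the `throttle = BaseThrottle(...)` form in the table above limits nothing until you switch to `CacheThrottle` or `CacheDBThrottle`.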