DRF login security

Nanush · August 29, 2021, 6:01pm

I am developing an API that will be consumed by a mobile application.
The DRF’s documentation (Authentication - Django REST framework) says: “Warning: Always use Django’s standard login view when creating login pages. This will ensure your login views are properly protected.”

I have the following in a custom view:

# ...
user = authenticate(username=data['username'], password=data['password'])
if user:
    login(request, user)
else:
    # ...

Is this insecure?

CodenameTim · August 30, 2021, 6:46pm

Hi Nanush,

The context around that message is that you should be using CSRF validation when using session authentication via AJAX.

Topic		Replies	Views
Having trouble with session authentication and Django Rest Framework Using Django	0	1574	August 24, 2022
Django rest framework - authentication Using Django	4	663	May 22, 2020
Is DRF authtoken authorization secure enough for cross origin SPA? Using Django	0	587	April 5, 2021
How to authenticate Django REST Framework API calls from a (Vue) JS client using Session Authentication and HttpOnly cookies Show & Tell	1	8800	November 27, 2020
Clear things up pls Using Django	4	742	July 25, 2020

DRF login security

Related topics