Protected views can be accessed without any authentication token

GitHub repo: https://github.com/ShouravAhmed/django-react-practice-code/tree/main/Django/djtodo

I have implemented a simple To-do app for testing JWT authentication in Django.
Here I have used simple-jwt: https://django-rest-framework-simplejwt.readthedocs.io/

And for OTP-based authentication, I have created a custom user model and also overridden the TokenObtainPairSerializer from simple-jwt.

Token routes are working fine, but the issue I am facing is:

```python
# views.py
from rest_framework.authentication import TokenAuthentication
from rest_framework.decorators import api_view, authentication_classes, permission_classes
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
# Todo and TodoSerializer come from the project's own models and serializers modules.


@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
@api_view(['GET'])
def get_todos(request):
    resp = {'status': 200, 'message': 'success'}
    try:
        todos = Todo.objects.all()
        serializer = TodoSerializer(todos, many=True)
        resp['count'] = len(serializer.data)
        resp['data'] = serializer.data

    except Exception as e:
        resp['status'] = 400
        resp['message'] = 'Exception Occered'
        resp['exception'] = str(e)

    return Response(resp)
```

```python
# urls.py
path('get-todos/', get_todos, name='get_todos'),
```

This route is being accessed without providing an authentication token.

When you are posting code here, enclose the code between lines of three backtick - ` characters. This means you’ll have a line of ```, then your code, then another line of ```. This forces the forum software to keep your code properly formatted and you don’t need to edit or modify the code for posting. You may want to edit your original post for this.

1 Like

It appears to me that according to the docs, you need to put the authentication_classes and permission_classes decorators after the api_view decorator.

1 Like

Thank you so much :slightly_smiling_face:
It worked!
Now it’s not being accessed without authentication,
but Django should have given some warning messages on that :smiling_face_with_tear:

It really can’t.

The most direct reason is that the Django Rest Framework is a third-party package, and there’s no way that Django could provide that sort of source-code support for all the third-party packages available. This isn’t Django’s issue to address.
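The ordering mistake in this thread can be caught with a static check. The following is an added example, not code from the thread, Django or Django REST Framework: it parses Python source and reports every `authentication_classes` or `permission_classes` decorator listed above `@api_view`, where it is applied after `api_view` has already built the view and so has no effect. The function names and the sample source are constructed for illustration.

```python
import ast

# DRF decorators that only set an attribute on the function they receive;
# api_view reads those attributes at the moment it wraps the function.
POLICY_DECORATORS = {"authentication_classes", "permission_classes"}


def _decorator_name(node):
    """Bare name of a decorator such as @api_view([...]) or @decorators.api_view."""
    target = node.func if isinstance(node, ast.Call) else node
    if isinstance(target, ast.Attribute):
        return target.attr
    if isinstance(target, ast.Name):
        return target.id
    return None


def find_misordered_views(source):
    """Return (function, decorator, line) for each policy decorator that is
    listed above @api_view and is therefore silently ignored."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = [_decorator_name(d) for d in node.decorator_list]
        if "api_view" not in names:
            continue
        api_view_pos = names.index("api_view")
        for pos, name in enumerate(names):
            if name in POLICY_DECORATORS and pos < api_view_pos:
                findings.append((node.name, name, node.decorator_list[pos].lineno))
    return findings


# Constructed sample: the ordering from the question, then the corrected ordering.
SAMPLE = '''\
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
@api_view(['GET'])
def get_todos(request):
    return Response({})

@api_view(['GET'])
@permission_classes([IsAuthenticated])
def get_todos_fixed(request):
    return Response({})
'''

if __name__ == "__main__":
    for func, deco, line in find_misordered_views(SAMPLE):
        print(f"line {line}: @{deco} on {func}() is above @api_view and is ignored")
```

The check matches decorators by bare name, so a decorator imported under an alias is not detected.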