Web API permissions for the Django REST Framework

djangorestframework-api-key

🔐 Web API permissions for the Django REST Framework.

This project is based on (yet not a fork of) the unmaintained django-rest-framework-api-key project.

Supported versions

  • Python: 3.4, 3.5, 3.6, 3.7
  • Django: 1.11 (except on Python 3.7), 2.0, 2.1 (except on Python 3.4)
  • Django REST Framework: 3.8+

Features

Allow clients that are not supposed to have a user account (e.g. external services) to safely use your API.

Intended to be:

  • 🚀 Simple to use: create, manage and revoke API keys via the admin site.
  • 🔒 Safe: the key is only visible at creation and never shown again.

Caveats

API Keys ≠ Security: depending on your situation, you should probably not rely on API keys alone to authenticate/authorize your clients. Doing so shifts the responsibility for information security onto your clients. This induces risks, especially if holding an API key gives access to confidential information or write operations.

As general advice, allow only those who require resources to access those specific resources. If your non-user client only needs to access a specific endpoint, add API permissions on that endpoint only.

Install

  • Install from PyPI:

$ pip install djangorestframework-api-key

  • Add the app to your INSTALLED_APPS:

# settings.py

INSTALLED_APPS = [
  # ...,
  'rest_framework',
  'rest_framework_api_key',
]

  • Run the included migrations:

$ python manage.py migrate

Usage

Set permission classes

This package provides permission classes to allow external clients to use your API.

  • HasAPIKey: this permission class requires all clients to provide a valid API key, regardless of whether they provide authentication details.
  • HasAPIKeyOrIsAuthenticated: if you want to allow clients to provide either an API key or authentication credentials, use this permission class instead.

As with every permission class, you can either use them globally:

# settings.py

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework_api_key.permissions.HasAPIKey',
    ]
}

or on a per-view basis:

# views.py
from rest_framework_api_key.permissions import HasAPIKey
from rest_framework.views import APIView

class UserListView(APIView):
    permission_classes = (HasAPIKey,)
    # ...

Refer to DRF Docs - Setting the permission policy for more information on using permission classes.

Make authorized requests

Once API key permissions are enabled on your API, clients can pass their API key via the Api-Key header (this is customizable, see Settings):

$ curl -H 'Api-Key: YOUR_API_KEY_HERE' http://localhost:8000/my-resource/

Settings

API_KEY_HEADER:

  • Name of the header which clients use to pass their API key.
  • Default value: HTTP_API_KEY (which means clients should use the Api-Key header — see the docs on HttpRequest.META).
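How an API_KEY_HEADER value relates to the header a client actually sends, as an added example that is not code from this package. The function names, the sample key and the key store are illustrative assumptions, and has_api_key is a stand-in for the package's own check; only the standard library is used.

```python
import hmac
from wsgiref.util import setup_testing_defaults

API_KEY_HEADER = "HTTP_API_KEY"          # the default documented above
SAMPLE_KEY = "constructed-sample-key"    # constructed value, not a real key
VALID_KEYS = {SAMPLE_KEY}                # hypothetical key store


def meta_key_for(header_name):
    """Header name as sent on the wire -> its key in request.META."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def header_name_for(meta_key):
    """API_KEY_HEADER setting -> header name to give to clients."""
    if not meta_key.startswith("HTTP_") or len(meta_key) == 5:
        raise ValueError("API_KEY_HEADER must look like HTTP_<NAME>")
    return "-".join(p.capitalize() for p in meta_key[5:].split("_"))


def build_environ(headers):
    """Build a WSGI environ from (name, value) pairs, as a server would."""
    environ = {}
    setup_testing_defaults(environ)
    for name, value in headers:
        # "Api_Key" and "Api-Key" would map to the same META key, so
        # Django's development server drops header names with underscores.
        if "_" in name:
            continue
        environ[meta_key_for(name)] = value
    return environ


def has_api_key(environ, meta_key=API_KEY_HEADER):
    """Stand-in check: constant-time comparison against the key store."""
    presented = environ.get(meta_key, "").encode()
    return any(hmac.compare_digest(presented, k.encode()) for k in VALID_KEYS)


if __name__ == "__main__":
    print(header_name_for(API_KEY_HEADER))
    for hdrs in ([("Api-Key", SAMPLE_KEY)], [("Api_Key", SAMPLE_KEY)], []):
        print(hdrs, "->", has_api_key(build_environ(hdrs)))
```

When changing API_KEY_HEADER, set it to the META form (for example HTTP_X_API_KEY) and document the hyphenated form (X-Api-Key) for clients.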

Example project

See the example project for example usage in the context of a Django project.

Development

Install

Installing locally requires Pipenv and Python 3.7.

  1. Fork the repo
  2. Clone it on your local machine
  3. Install dependencies with Pipenv: $ pipenv install --dev
  4. Activate using $ pipenv shell

Tests

Run the tests using:

$ python runtests.py

Generating migrations

This package includes migrations. To update them in case of changes without setting up a Django project, run:

$ python makemigrations.py rest_framework_api_key

CI/CD - Releases

Travis CI is used to automatically:

  • Test the package on supported versions of Python and Django.
  • Release tagged commits to PyPI.

See .travis.yml for further details.

Download files

Source Distribution

djangorestframework-api-key-0.1.1.tar.gz (7.2 kB)
