HomeBlogs
Try Complier
HomeBlogsPython Complier

Django : How To Secure Your API Using JWT Authentication In Django And Django Rest Framework

Python
Django
Drf
Authentication
Jwt
Json web token
Feb 11 2023 . 5 min read
unsplashimagePhoto by Pawel Czerwinski on Unsplash

Table of Content

JWT (Json Web Token) is one of the most popular token based authentication system. A Third party package for JWT authentication is djangorestframework-simplejwt which is used to implement jwt auth in django project.

Installation


First we need to install simplejwt package in our system by just hitting this command in terminal.

pip install djangorestframework-simplejwt

Setup simpleJWT package

To setup djangorestframework-simplejwt package follow these steps :


  1. Open settings.py file and add rest_framework_simplejwt under INSTALLED_APPS.
    settings.py
    1. INSTALLED_APPS = [
    2.    ...
    3.    'rest_framework_simplejwt'
    4.    ...
    5. ]

  2. Now your django project must be configured to use the library. In settings.py, add the authentication classes:
    settings.py
    1. REST_FRAMEWORK = [
    2.    ...
    3.    'DEFAULT_AUTHENTICATION_CLASSES': (
    4.      ...
    5.       'rest_framework_simplejwt.authentication.JWTAuthentication'
    6.      ...
    7.      )
    8.    ...
    9. ]

Agenda

We are going to create three API's here :


  1. Signup Api - That will create an user.

  2. Login Api - That will generate a access and refresh token for authorised user.

  3. Student Api - That will show the student data using the access token.

1. Signup API

To create a signup API, please follow these steps :


Create a serializers.py file within your app level. Let's create a ModelSerializer for Signup.

serializers.py
  1. from rest_framework import serializers
  2. from django.contrib.auth.models import User
  3. from django.contrib.auth.hashers import make_password
  6. class SignupSerializer(serializers.ModelSerializer):
  8.     """override create method to change the password into hash."""
  9.     def create(self, validated_data):
  10.             validated_data["password"] = make_password(validated_data.get("password"))
  11.             return super(SignupSerializer, self).create(validated_data)
  13.     class Meta:
  14.             model = User
  15.             fields = ['username','password']

Here in SignupSerializer class we have override the create method and convert our string password into hash using make_password() function.



Next open a views.py file, and Let's create a APIView class for Signup.

views.py
  1. from rest_framework.views import APIView
  2. from django.contrib.auth.models import User
  3. from rest_framework.response import Response
  4. from rest_framework import status
  5. from .serializers import SignupSerializer
  8. class SignupAPIView(APIView):
  9.     """This api will handle signup"""
  11.     def post(self,request):
  12.             serializer = SignupSerializer(data = request.data)
  13.             if serializer.is_valid():
  14.                     """If the validation success, it will created a new user."""
  15.                     serializer.save()
  16.                     res = { 'status' : status.HTTP_201_CREATED }
  17.                     return Response(res, status = status.HTTP_201_CREATED)
  18.            res = { 'status' : status.HTTP_400_BAD_REQUEST, 'data' : serializer.errors }
  19.            return Response(res, status = status.HTTP_400_BAD_REQUEST)


Next open an urls.py file and let's create an endpoint for signup api.

urls.py
  1. from django.urls import path
  2. from . import views
  5. urlspatterns = [
  6.     path("api/user/signup/", views.SignupAPIView.as_view(), name="user-signup"),
  7.   ]

2. Login API

Now we will going to create a Login Api that will basically generate an access token and refresh token, so that we can use access token to access the students data.


To create a login api, follow these steps :


Open a serializers.py file and let's create a ModelSerializer for Login.

serializers.py
  1. from rest_framework import serializers
  2. from django.contrib.auth.models import User
  3. from django.contrib.auth.hashers import make_password
  6. class LoginSerializer(serializers.ModelSerializer):
  8.     username = serializers.CharField()
  10.     class Meta:
  11.             model = User
  12.             fields = ['username','password']


Next, create a helpers.py file and let's create a get_tokens_for_user() function that will generate access token and refresh token for authenticate user.

helpers.py
  1. from rest_framework_simplejwt.tokens import RefreshToken
  2. from django.contrib.auth.models import User
  3. from django.contrib.auth.hashers import make_password
  6. def get_tokens_for_user(user):
  8.        refresh = RefreshToken.for_user(user)
  10.        return {
  11.               "username": user.username,
  12.               "refresh": str(refresh),
  13.               "access": str(refresh.access_token)
  14.               }


Next, open a views.py file, and Let's create a APIView class for Login.

views.py
  1. from rest_framework.views import APIView
  2. from django.contrib.auth.models import User
  3. from rest_framework.response import Response
  4. from rest_framework import status
  5. from .serializers import LoginSerializer
  6. from .helpers import get_tokens_for_user
  7. from django.contrib.auth import authenticate
  10. class LoginAPIView(APIView):
  11.     """This api will handle login and generate access and refresh token for authenticate user."""
  13.     def post(self,request):
  14.             serializer = LoginSerializer(data = request.data)
  15.             if serializer.is_valid():
  16.                     username = serializer.validated_data["username"]
  17.                     password = serializer.validated_data["password"]
  18.                     user = authenticate(request, username=username, password=password)
  19.                     if user is not None:
  20.                         res_data = get_tokens_for_user(User.objects.get(username=username))
  21.                         response = {
  22.                                "status": status.HTTP_200_OK,
  23.                                "message": "success",
  24.                                "data": res_data
  25.                                }
  26.                         return Response(response, status = status.HTTP_200_OK)
  27.                     else :
  28.                         response = {
  29.                                "status": status.HTTP_401_UNAUTHORIZED,
  30.                                "message": "Invalid Email or Password",
  31.                                }
  32.                         return Response(response, status = status.HTTP_401_UNAUTHORIZED)
  33.             response = {
  34.                  "status": status.HTTP_400_BAD_REQUEST,
  35.                  "message": "bad request",
  36.                  "data": serializer.errors
  37.                  }
  38.             return Response(response, status = status.HTTP_400_BAD_REQUEST)


Next, open an urls.py file and let's create an endpoint for login api.

urls.py
  1. from django.urls import path
  2. from . import views
  5. urlspatterns = [
  6.     path("api/user/login/", views.LoginAPIView.as_view(), name="user-login"),
  7.   ]


3. Students Api

Now we will going to create our Students Api that will basically return students data.


Open a models.py file and let's define student model.

models.py
  1. from django.db import models
  4. class Student(models.Model):
  6.        name = models.CharField(max_length = 100)
  7.        email = models.EmailField(max_length = 277)
  8.        created_at = models.DateTimeField(auto_now_add = True, null = True)
  9.        updated_at = models.DateTimeField(auto_now_add = True, null = True)
  11.        def __str__(self):
  12.               return str(self.name)


Hit these commands to create student table.

python manage.py makemigrations
python manage.py migrate


Next open a serializers.py file and let's create a ModelSerializer for Student.

serializers.py
  1. from rest_framework import serializers
  2. from .models import Student
  5. class StudentSerializer(serializers.ModelSerializer):
  7.     class Meta:
  8.             model = Student
  9.             fields = ['name','email','created_at','updated_at']


Next, open a views.py file, and Let's create a APIView class for Student.

views.py
  1. from rest_framework.views import APIView
  2. from rest_framework.response import Response
  3. from rest_framework import status
  4. from .serializers import StudentSerializer
  5. from .models import Student
  6. from rest_framework.permissions import IsAuthenticated
  9. class StudentAPIView(APIView):
  10.     """This api will handle student"""
  12.     permission_classes = [ IsAuthenticated ]
  14.     def get(self,request):
  15.             data = Student.objects.all()
  16.             serializer = StudentSerializer(data, many = True)
  17.             response = {
  18.                    "status": status.HTTP_200_OK,
  19.                    "message": "success",
  20.                    "data": serializer.data
  21.                    }
  22.             return Response(response, status = status.HTTP_200_OK)

We have to must add the IsAuthenticated permission to our student api. It means to get the students data, ideally you need to pass the access token, that you got at the time of login.



Next, open an urls.py file and let's create an endpoint for student api.

urls.py
  1. from django.urls import path
  2. from . import views
  5. urlspatterns = [
  6.     path("api/students/", views.StudentAPIView.as_view(), name="api-student"),
  7.   ]

Conclusion

This is how you can secure your all api's using jwt token, just you need to only add IsAuthenticated to permission_classes, and set the simplejwt to authenticate_classess in settings file.

Latest Posts

BlogsAbout meContact me
Copyright © 2024 Pythonworld.