Actually, I see where the confusion is. Here is the recommended pattern for authentication backends <http://www.django-rest-framework.org/api-guide/authentication/#custom-authentication>, which the included TokenAuthentication follows:
> In some circumstances instead of returning None, you may want to raise an
> AuthenticationFailed exception from the .authenticate() method.
>
> Typically the approach you should take is:
>
> - If authentication is not attempted, return None. Any other
>   authentication schemes also in use will still be checked.
>
> - If authentication is attempted but fails, raise an
>   AuthenticationFailed exception. An error response will be returned
>   immediately, regardless of any permissions checks, and without checking
>   any other authentication schemes.

So, because a request has a token, the authentication is checked. However, because the token is invalid, the AuthenticationFailed exception is raised, which triggers an error response immediately, regardless of permissions. So, if you wanted to change that behavior, you could subclass TokenAuthentication and override .authenticate() to return None instead of raising the exception.

On Wednesday, July 6, 2016 at 10:43:48 AM UTC-5, Chris Foresman wrote:

> From the documentation (http://www.django-rest-framework.org/api-guide/authentication/):
>
>> *Note:* Don't forget that *authentication by itself won't allow or
>> disallow an incoming request*, it simply identifies the credentials that
>> the request was made with.
>> ...
>> If no class authenticates, request.user will be set to an instance of
>> django.contrib.auth.models.AnonymousUser, and request.auth will be set
>> to None.
>
> Are you finding an instance where this is not the case? Can you post/link
> to some sample code to discuss further?
>
> On Tuesday, July 5, 2016 at 4:20:53 PM UTC-5, Nadya Ionova wrote:
>
>> Hi,
>>
>> Can anybody explain why the TokenAuthentication.authenticate_credentials
>> method raises an AuthenticationFailed exception?
>>
>> It seems that, since it is an authentication method, it shouldn't allow or
>> disallow an incoming request.
>>
>> In practice, a user can have an invalid token in cookies, but he/she still
>> should have access to AllowAny pages, for example.
>>
>> Thanks for any thoughts
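The subclass suggested in the reply above, as an added example that is not code from the thread or from Django REST framework itself: it builds on DRF's real TokenAuthentication and AuthenticationFailed when DRF is importable, and otherwise falls back to constructed stand-ins that mimic only the documented return-None / raise behaviour. FakeRequest, outcome and the sample token table are constructed for the demonstration and are not DRF APIs.

```python
import logging
from collections import namedtuple

try:
    from rest_framework.authentication import TokenAuthentication
    from rest_framework.exceptions import AuthenticationFailed
except Exception:  # DRF absent or Django unconfigured: constructed stand-ins
    User = namedtuple("User", "username")
    VALID_TOKENS = {"good-token": User("alice")}  # constructed sample data

    class AuthenticationFailed(Exception):
        pass

    class TokenAuthentication:  # mimics only the behaviour the thread discusses
        keyword = "Token"

        def authenticate(self, request):
            header = request.META.get("HTTP_AUTHORIZATION", "")
            if not header.startswith(self.keyword + " "):
                return None  # not attempted: other schemes still run
            return self.authenticate_credentials(header.split(" ", 1)[1])

        def authenticate_credentials(self, key):
            if key not in VALID_TOKENS:
                raise AuthenticationFailed("Invalid token.")  # attempted, failed
            return VALID_TOKENS[key], key

logger = logging.getLogger(__name__)

class LenientTokenAuthentication(TokenAuthentication):
    """Map an invalid token to None ('not attempted') instead of a 401; the
    request then proceeds as AnonymousUser and the permission classes decide."""
    def authenticate(self, request):
        try:
            return super().authenticate(request)
        except AuthenticationFailed as exc:
            # Log the rejection so revoked or forged tokens stay visible.
            logger.warning("Token rejected, continuing as anonymous: %s", exc)
            return None

class FakeRequest:  # constructed: exposes only the META dict DRF reads
    def __init__(self, authorization=None):
        self.META = {"HTTP_AUTHORIZATION": authorization} if authorization else {}

def outcome(auth_class, authorization=None):
    # Returns 'rejected', 'anonymous' or the authenticated username.
    try:
        result = auth_class().authenticate(FakeRequest(authorization))
    except AuthenticationFailed:
        return "rejected"
    return "anonymous" if result is None else result[0].username
```

With the lenient class an invalid token no longer short-circuits the request, so an AllowAny view serves it as anonymous while the stock class still answers with an error; whichever is wanted, the permission classes remain the place where access is actually granted or denied.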