On Mon, Feb 22, 2016 at 5:36 AM, Wilfreid Mpunia <mkwilfr...@byteorbit.com>
wrote:

> Good day, I have the following question.
> I'm still learning and improving my django level, but I'm a bit confused
> with a project that I'm working on.
>
> For a django web app, which requires a user to register with their email
> and password, I used the custom user and backend as shown on the djangoproject
> website.
>
> However, later on I realised that the app will have to make some API calls
> with basic auth, which I assume will be the registered user email and
> password.
>

When you say your app has to make some API calls, are these calls being
made outside of the user session (outside of the end user's browser)? API
calls within a user's browser generally make use of the existing user
session and SessionAuthentication and run as the same account as the
end-user is using. Is there something specific that you're doing that
requires basic auth (BA) on the web server?


>
> My question is the following:
>  -  does it really make sense to have those two authentications? because
> I'm thinking to remove the django one, and rather use the
> django_rest_framework auth.
>
>
You can run everything using basic authentication, but most use session
authentication so that the API calls within a web page don't need their own
set of credentials; they simply piggy-back on the existing user session.

You may also run into trouble trying to run both session authentication
and BA on the same server, since BA is handled by the web server directly
(before being passed to Django), and will try and protect every page of the
site without some extra custom configuration in your server configuration,
which may be acceptable, but usually there are at least some pages of a
site that are publicly available.

Honestly I would avoid BA if possible. This is backed up by the DRF
documentation stating that BA is really only suitable for testing:
http://www.django-rest-framework.org/api-guide/authentication/#basicauthentication

-James
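
An added example, not part of the message above and not code from Django or DRF: one way to keep session authentication as the API default and allow DRF's BasicAuthentication class only while testing, plus a check that flags a settings dict leaving it on. The setting keys and class paths are DRF's own; `build_rest_framework` and `audit_rest_framework` are hypothetical helper names.

```python
SESSION = "rest_framework.authentication.SessionAuthentication"
BASIC = "rest_framework.authentication.BasicAuthentication"


def build_rest_framework(debug: bool) -> dict:
    """Return a REST_FRAMEWORK dict for settings.py (hypothetical helper).

    Session authentication is always enabled, so API calls made from a page
    reuse the logged-in user's session. Basic authentication is added only
    when debug is True, i.e. for local testing.
    """
    classes = [SESSION]
    if debug:
        classes.append(BASIC)
    return {
        "DEFAULT_AUTHENTICATION_CLASSES": classes,
        "DEFAULT_PERMISSION_CLASSES": [
            "rest_framework.permissions.IsAuthenticated",
        ],
    }


def audit_rest_framework(rest_framework: dict, debug: bool) -> list:
    """Return findings for a REST_FRAMEWORK dict (hypothetical helper)."""
    findings = []
    # When the key is absent, DRF's built-in default enables both
    # SessionAuthentication and BasicAuthentication.
    classes = rest_framework.get(
        "DEFAULT_AUTHENTICATION_CLASSES", [SESSION, BASIC]
    )
    if BASIC in classes and not debug:
        findings.append("BasicAuthentication enabled with DEBUG=False")
    if SESSION not in classes:
        findings.append("SessionAuthentication not enabled")
    return findings


# In settings.py one would write:
#   REST_FRAMEWORK = build_rest_framework(DEBUG)
```

An empty or missing `REST_FRAMEWORK` setting is flagged by the check, because DRF's default authentication classes include BasicAuthentication.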
