
Token-based authentication not prefixing Token as part of Authorization header #1386

Open
lombaardcj opened this issue Mar 2, 2025 · 3 comments

Comments

@lombaardcj

Describe the bug
Token-based authentication with required prefix "Token"

To Reproduce

  1. Click Authorize button
  2. Enter tokenAuth (apiKey) Value and click Authorize
  3. Close Available authorizations pop-up
  4. Open any endpoint with a GET that requires TokenAuth
  5. Try It Out
  6. Execute

Snippets show the problem already.

Expected behavior
Token-based authentication with required prefix "Token" to be sent when making request

@tfranzel
Owner

tfranzel commented Mar 3, 2025

This has been raised a couple of times and is an issue outside of our control.

  • OpenAPI only supports type: http, scheme: basic and type: http, scheme: bearer for this, without any further configuration.
  • SwaggerUI hardcodes the bearer prefix to Bearer.
  • DRF uses Token as the prefix by default. Afaik this is non-compliant with the standard and creates problems all around, as you can see.

Advice: Make your life easier and set keyword = 'Bearer' on your TokenAuthentication class.
There is no way we can easily inject a custom prefix. If you are stuck on Token as the keyword, there is no other option than using apiKey with a manual handwritten prefix, as described in the auth comment.

I don't like it either, but it is what it is.
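The mismatch described in this reply, as an added example that is not part of the issue and not DRF's or drf-spectacular's own code: the function below mirrors the scheme check that DRF's TokenAuthentication applies to the Authorization header (split on whitespace, compare the first word case-insensitively with the class's `keyword`, otherwise decline to authenticate), so that the effect of `keyword = 'Token'` versus `keyword = 'Bearer'` on the header Swagger UI actually sends can be seen directly. The header value and the exception class are constructed stand-ins.

```python
"""Added example (not DRF's or drf-spectacular's code): mirrors the header
scheme check of DRF's TokenAuthentication to show why `keyword` matters."""
from typing import Optional


class InvalidTokenHeader(Exception):
    """Stand-in for DRF's AuthenticationFailed."""


def extract_token(authorization: Optional[str], keyword: str) -> Optional[str]:
    """Return the credential from an Authorization header.

    Returns None when the header is missing or its scheme word does not match
    `keyword` (compared case-insensitively). In DRF that None means the
    authenticator declines and the request continues as anonymous, which is
    exactly what happens when Swagger UI sends "Bearer ..." to a class whose
    keyword is "Token". A header with the right scheme but a malformed
    credential part raises, as DRF does.
    """
    if not authorization:
        return None
    parts = authorization.split()
    if not parts or parts[0].lower() != keyword.lower():
        return None
    if len(parts) == 1:
        raise InvalidTokenHeader("No credentials provided.")
    if len(parts) > 2:
        raise InvalidTokenHeader("Token string should not contain spaces.")
    return parts[1]


# Constructed sample: the shape Swagger UI's built-in http/bearer scheme sends.
# The token value is made up for this example.
SWAGGER_UI_HEADER = "Bearer exampletoken0123456789abcdef"


def swagger_ui_request_is_authenticated(keyword: str) -> bool:
    """True if a request issued by Swagger UI's bearer scheme would carry a
    credential that a TokenAuthentication subclass with `keyword` accepts."""
    return extract_token(SWAGGER_UI_HEADER, keyword) is not None


if __name__ == "__main__":
    for kw in ("Token", "Bearer"):
        print(f"keyword={kw!r}: authenticated={swagger_ui_request_is_authenticated(kw)}")
```

With the DRF default the Swagger UI request silently arrives as anonymous (the view then fails with 401/403), while a subclass declaring `keyword = 'Bearer'` accepts it. The subclass is a one-line change in the project's authentication module and must then be referenced from `DEFAULT_AUTHENTICATION_CLASSES` or the views' `authentication_classes` in place of the stock class.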

@lombaardcj
Author

lombaardcj commented Mar 4, 2025

Thank you, I thought due to the official mentions from the DRF project towards this project, such a problem would've been easily fixable by now. Fortunately I do have control over the implementation code of the app, and will make changes to follow the better supported Bearer token.

@tfranzel
Owner

tfranzel commented Mar 4, 2025

It would be easily fixable, but DRF is so stable and so widely used that they are long past the point of changing defaults and creating breaking changes.

I wouldn't recommend using DRF's TokenAuthentication for anything serious anyway, because it's super basic and persists the plain secret to the DB.

I have written a better version that uses Bearer and does not store secrets in the DB, which you might want to check out: https://github.com/tfranzel/django-seriously?tab=readme-ov-file#tokenauthentication. Currently in the process of updating other parts of that lib, but the auth stuff will not change.
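The two properties named in this reply, a Bearer prefix and no plaintext secret at rest, as an added example that is neither django-seriously's nor DRF's code: tokens are generated with enough entropy that a plain SHA-256 digest is a sufficient lookup key, only the digest is written to storage, and a compromised table therefore yields nothing a client could present. The in-memory table is a constructed stand-in for a database model.

```python
"""Added example: hashed-at-rest bearer tokens. Not django-seriously's code."""
import hashlib
import secrets
from typing import Dict, Optional

# Constructed stand-in for a DB table: token digest -> username.
# Only digests live here; the token itself is returned once and discarded.
TOKEN_TABLE: Dict[str, str] = {}


def _digest(token: str) -> str:
    # The token is 32 random bytes, so an unsalted fast hash is adequate as a
    # lookup key: there is nothing low-entropy to brute-force offline.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(username: str) -> str:
    """Create a token for `username`, store its digest, return the token once."""
    token = secrets.token_urlsafe(32)
    TOKEN_TABLE[_digest(token)] = username
    return token


def revoke_token(token: str) -> bool:
    """Remove the token's digest; returns False if it was not present."""
    return TOKEN_TABLE.pop(_digest(token), None) is not None


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Resolve an "Authorization: Bearer <token>" header to a username.

    Returns None for a missing header, a different scheme word (e.g. "Token"),
    a malformed value, or an unknown/revoked token. Lookup is by digest, so
    the stored table never needs to hold the secret.
    """
    if not authorization:
        return None
    parts = authorization.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return TOKEN_TABLE.get(_digest(parts[1]))


def table_contains_plaintext(token: str) -> bool:
    """Helper for verifying the at-rest property: the raw token appears nowhere."""
    return token in TOKEN_TABLE or token in TOKEN_TABLE.values()


if __name__ == "__main__":
    t = issue_token("alice")
    print("Bearer header resolves to:", authenticate(f"Bearer {t}"))
    print("Token header resolves to:", authenticate(f"Token {t}"))
    print("plaintext in table:", table_contains_plaintext(t))
```

Because the client-facing scheme word is `Bearer`, this shape of authenticator is the one OpenAPI's `http`/`bearer` security scheme and Swagger UI's Authorize dialog already describe without any custom prefix handling.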
