Comments (8)
the internet is async, so nw!
jwts have public claims and private payloads. Feel free to read the docs to see how to set each.
from djangorestframework-simplejwt.
Hi,
I think this will provide an object level permission:
class IsOwnerOrReadOnlyJWT(permissions.BasePermission):
"""
Custom JWT permission to only allow owners of an object to edit it.
"""
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True
jwt_authenticator = JWTAuthentication()
data = jwt_authenticator.authenticate(request=request)
if data:
user, token = data
if user and user.id == request.user.id == obj.owner_id:
# Write permissions are only allowed to the owner of the object.
return True
# If wasn't safe method or authenticate as the owner of the object - reject.
return False
like to hear opinions, Thanks!
from djangorestframework-simplejwt.
Hi! Great approach, and I think that's a great custom solution. I think if you want an authentication battery included package, you should take a look at django-oauth-toolkit which will come with its own claims.
I also think that, with JWTs, you could simply add claims to your JWT rather than performing backend checks for resources for everything. Some things require permissions, such as at the object level like what can the current user see, but that should be at view level.
from djangorestframework-simplejwt.
Hi @Andrew-Chen-Wang, even if authentication isn't the main goal of this library, do you think a section in the docs with an example would be a good idea? My use case doesn't require oauth and a simple extra permission does the job. I also think adding the discussions tab is a good idea. A lot of the issues aren't really issues, but people asking how to do X or Y.
from djangorestframework-simplejwt.
Happy to review a new doc section with multiple examples. Might be helpful to link to examples written in the code base instead of the docs, and embed the code.
Also happy to open Discussions tab. @jazzband/roadies are the only ones with power to do so.
from djangorestframework-simplejwt.
Hi! Great approach, and I think that's a great custom solution. I think if you want an authentication battery included package, you should take a look at django-oauth-toolkit which will come with its own claims.
I also think that, with JWTs, you could simply add claims to your JWT rather than performing backend checks for resources for everything. Some things require permissions, such as at the object level like what can the current user see, but that should be at view level.
I will take a look at django-oauth-toolkit
,thanks!
Can you elaborate about "simply add claims to your JWT" ?
(Sorry for the delay, had some home-assignments / interviews)
from djangorestframework-simplejwt.
Didn't understand how it could replace the above.
Or you meant to do this check in the views? (It will be DRY?)
from djangorestframework-simplejwt.
Either is fine, serializer is preferred. Doc page: https://django-rest-framework-simplejwt.readthedocs.io/en/latest/customizing_token_claims.html
from djangorestframework-simplejwt.
Related Issues (20)
- Incorrect type hints for several classes/methods HOT 4
- Import "rest_framework_simplejwt.authentication" could not be resolved Pylance (reportMissingImports) HOT 2
- Import Error on Django 5 HOT 1
- ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None)) with djangorestframework-jwt HOT 1
- How setup AWS Cognito with djangorestframework-simplejwt HOT 2
- CVE-2024-22513 HOT 1
- Security Issue HOT 3
- `Token` subclass' `for_user` method is typed to return a `Token` HOT 1
- encrypt username instead of user_id HOT 1
- The translation of the message "No active account found with the given credentials" does not work in various locales HOT 1
- TokenRefreshView doesn't register token_blacklist_outstandingtoken HOT 2
- How can we return custom JWT from dj-rest-auth instead of the session key HOT 1
- django5.0 is currently not supported HOT 1
- Why Outstanding token exist and why it stores raw refresh token
- Reported vulnerability in 5.3.1 HOT 3
- request.user.is_superuser and request.user.is_staff are False HOT 3
- Allow adding more field to payload of encoded `token` HOT 2
- Add JSON_ENCODER to the doc
- Can django 5.0 be used? Just use basic verification methods HOT 7
- TokenRefreshView should prevent users from refreshing token if the user is inactive
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from djangorestframework-simplejwt.