Comments (5)

davesque commented on June 30, 2024

Hi Nicholas,

Thanks for the feedback! I'll have to look into this and clarify what the relevant RFCs have to say about it. Also, do you have a link to something that makes it more clear what the issue is with Swagger? Either way, you could probably get away with subclassing rest_framework_simplejwt.authentication.JWTAuthentication and overriding the get_raw_token method to get what you need. You'd then just list that class in settings.py instead of the default authentication backend class. Just make sure you take a moment to consider if there are any security implications in doing that (I can't think of any off the top of my head).

from djangorestframework-simplejwt.

nicholasserra commented on June 30, 2024

Here's a related PR for swagger, but basically, swagger doesn't support adding Bearer or Token to the Authentication header via the UI right now. marcgibbons/django-rest-swagger#662

I think you're right on checking the RFCs. I'm now realizing the JWT implementation I saw that did not include a Bearer or Token prefix was a custom job, so it may be incorrect to simply omit a prefix. But given that this package allows you to basically set a custom one, I wonder if the spec has anything to say about not having one.

I'll give your overriding option a try. Thanks!

davesque commented on June 30, 2024

@nicholasserra Did you ever happen to find out if a blank auth header type is kosher? I haven't had the time to look into this. Also, did my suggestion ever work out for you?

nicholasserra commented on June 30, 2024

So for a bit I was basically just typing Bearer example-token into the Swagger authorize box, as this was the workaround:

[Screenshot, 2017-11-02]

But I just tried out your recommendation finally, and it works well. So as the code sits, you cannot add None to AUTH_HEADER_TYPES, but you can add an empty string.

So my setting is 'AUTH_HEADER_TYPES': ('Bearer', '',), and I added these lines to my custom get_raw_token:

        if b'' in AUTH_HEADER_TYPE_BYTES and len(parts) == 1:
            # Allow blank auth header
            return parts[0] 

and that now allows me to authenticate via Bearer in the header or by omitting a token type entirely.

So this solves my nitpick of having to enter the token type into swagger. As to whether any of this is correct or allowed by the spec? I have no idea ha. I'm gonna close this now, as I don't think there's a valuable fix here that follows any spec. Thank you for the recommendation on this!

davesque commented on June 30, 2024

Thanks Nicholas. Glad you got things worked out.

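A stand-alone sketch of the header parsing discussed in this thread, as an added example that is not part of the original comments and is not the library's code: it accepts `Bearer <token>` or a bare token when `''` is among the header types, and in strict mode rejects a lone `Bearer` keyword instead of passing it on as a token. The function signature, the `strict` flag and `HeaderError` are assumptions made for illustration, and the sample headers are constructed.

```python
class HeaderError(Exception):
    """Malformed Authorization header (hypothetical exception name)."""


def get_raw_token(header, header_types=("Bearer", ""), strict=True):
    """Return raw token bytes, or None when the header is not ours to handle."""
    type_bytes = {t.encode("iso-8859-1") for t in header_types}
    keywords = {t.lower() for t in type_bytes if t}  # non-empty types only
    parts = header.split()
    if not parts:
        return None  # empty header: nothing to authenticate
    if len(parts) == 1:
        lone = parts[0]
        if b"" in type_bytes:
            # Blank type allowed: a single part is treated as the token ...
            if strict and lone.lower() in keywords:
                # ... unless it is only a type keyword with no token after it.
                raise HeaderError("header type given without a token")
            return lone
        if lone in type_bytes:
            raise HeaderError("header type given without a token")
        return None
    if parts[0] not in type_bytes:
        return None  # e.g. b"Basic ...": another authenticator's scheme
    if len(parts) != 2:
        raise HeaderError("token must not contain spaces")
    return parts[1]


# Constructed sample headers (the token value is a placeholder, not a real JWT).
SAMPLES = [b"Bearer aaa.bbb.ccc", b"aaa.bbb.ccc", b"Basic dXNlcjpwdw==", b"Bearer", b""]

if __name__ == "__main__":
    for h in SAMPLES:
        try:
            print(h, "->", get_raw_token(h))
        except HeaderError as exc:
            print(h, "-> rejected:", exc)
```

Whatever this returns is still only a candidate: the raw token has to pass signature and claim validation before any user is attached to the request.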