Opened 3 years ago

Closed 3 years ago

#33513 closed Bug (invalid)

Custom authentication class: raising AuthenticationFailed leads to 403

Reported by: Aurel Owned by: nobody
Component: contrib.auth Version: 3.2
Severity: Normal Keywords: authentication
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Aurel)

Hi,
I am writing a custom authentication class. I overwrite:

def authenticate(self, request):

If a user is not authenticated I do:
raise exceptions.AuthenticationFailed(_('Invalid token.'))
I expect that djano returns a 401. But django returns 403 like if I were in has_permission(). But I am in authenticate() for sure. And if in this methoid this exception is raised Django, sholuld return a 401!

My custom auth class inherits from BaseAuthentication:
from rest_framework.authentication import BaseAuthentication

Change History (4)

comment:1 by Aurel, 3 years ago

Description: modified (diff)

comment:2 by Aurel, 3 years ago

Description: modified (diff)

comment:3 by Aurel, 3 years ago

Well, ok, you need to overwrite / implement also "def authenticate_header(self, request):". Otherwise a 403 is returned. This does not make sense to me. Why django changes to 403 only if there is no authenticate header? 403 means, you are identified, but not allowed to get in...

comment:4 by Mariusz Felisiak, 3 years ago

Resolution: invalid
Status: newclosed

rest_framework.authentication.BaseAuthentication is not a builtin backend. Please check docs about Writing an authentication backend and if you're having trouble understanding how Django works, see TicketClosingReasons/UseSupportChannels for ways to get help.

Note: See TracTickets for help on using tickets.
Back to Top