Opened 3 years ago
Closed 3 years ago
#33513 closed Bug (invalid)
Custom authentication class: raising AuthenticationFailed leads to 403
Reported by: | Aurel | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 3.2 |
Severity: | Normal | Keywords: | authentication |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Hi,
I am writing a custom authentication class. I overwrite:
def authenticate(self, request):
If a user is not authenticated I do:
raise exceptions.AuthenticationFailed(_('Invalid token.'))
I expect that Django returns a 401. But Django returns 403, as if I were in has_permission(). But I am in authenticate() for sure. And if this exception is raised in this method, Django should return a 401!
My custom auth class inherits from BaseAuthentication:
from rest_framework.authentication import BaseAuthentication
Change History (4)
comment:1 by , 3 years ago
Description: | modified (diff) |
---|
comment:2 by , 3 years ago
Description: | modified (diff) |
---|
comment:3 by , 3 years ago
comment:4 by , 3 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
rest_framework.authentication.BaseAuthentication is not a builtin backend. Please check docs about Writing an authentication backend and if you're having trouble understanding how Django works, see TicketClosingReasons/UseSupportChannels for ways to get help.
Well, ok, you also need to overwrite / implement "def authenticate_header(self, request):". Otherwise a 403 is returned. This does not make sense to me. Why does Django change to 403 only if there is no authenticate header? 403 means you are identified, but not allowed to get in...
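The behaviour discussed in this ticket, as an added standard-library model; it is not Django REST framework's code or the reporter's. The class names, `handle` and the sample token are hypothetical. The status selection follows the rule that a 401 response must carry a `WWW-Authenticate` challenge, so an authentication class that supplies none gets a 403 instead.

```python
import hmac

VALID_TOKEN = "constructed-sample-token"  # constructed value, not a real secret


class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""
    status_code = 401


class TokenAuthWithoutChallenge:
    """Mirrors the ticket: authenticate() only, no challenge header."""
    keyword = "Token"

    def authenticate(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != self.keyword:
            return None  # no credentials offered for this scheme
        # Constant-time comparison avoids leaking how much of the token matched.
        if not hmac.compare_digest(token.encode(), VALID_TOKEN.encode()):
            raise AuthenticationFailed("Invalid token.")
        return ("sample-user", token)

    def authenticate_header(self, headers):
        return None  # same as the BaseAuthentication default


class TokenAuthWithChallenge(TokenAuthWithoutChallenge):
    def authenticate_header(self, headers):
        return self.keyword  # becomes the WWW-Authenticate value


def handle(authenticator, headers):
    """Return (status, response headers) for a view that requires a user."""
    try:
        if authenticator.authenticate(headers) is None:
            raise AuthenticationFailed("Credentials were not provided.")
    except AuthenticationFailed as exc:
        challenge = authenticator.authenticate_header(headers)
        if challenge:
            return exc.status_code, {"WWW-Authenticate": challenge}
        return 403, {}  # no challenge to send, so 401 is not used
    return 200, {}
```

Clients and monitoring that treat 401 as "re-authenticate" and 403 as "forbidden" will misread failed logins from the first class, which is the confusion the reporter describes.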