Django-rest-framework Token Auth and logout

As far as I understand, the obtain_auth_token works as an input function. You provide credentials and return a token. What will be the way out? Should I remove the token when I log out? What would be the best practice?

If the deletion is OK, then how can I handle multiple clients at once? Say a user logs out of a mobile device, but wants to stay online on the Internet. The Token model currently has a OneToOne relation to User.

Please give me some advice. Thanks

+6
1 answer

The TokenAuthentication provided by Django REST framework is designed to be used as a very simple token authentication. I mean, what do you get

If you are looking for something more advanced, you usually have to look for another token verification method. It may be as simple as subclassing the standard TokenAuthentication classes and views (as indicated), but the Token model is not easily replaced. This means that changing the user field to a ForeignKey, allowing you to have multiple tokens for the user, is not easy to implement.

Fortunately, the Django REST framework supports other authentication methods, such as OAuth and JSON Web Tokens, both of which support multiple tokens for users. You can find a comparison of the usual authentication classes in this Stack Overflow answer.

+12
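The trade-off discussed in this thread, modelled with the standard-library sqlite3 module as an added example (not code from the post or from Django REST framework): a UNIQUE user column stands in for the OneToOne link and a plain column for a ForeignKey. The names TokenStore and demo are hypothetical, and the get-or-create login for the one-token case is an assumption about how a single shared token is handed to every client.

```python
import secrets
import sqlite3


class TokenStore:
    """Toy token table: one key per user (OneToOne) or one key per login (ForeignKey)."""

    def __init__(self, one_token_per_user):
        self.shared = one_token_per_user
        self.db = sqlite3.connect(":memory:")
        unique = "UNIQUE" if one_token_per_user else ""
        self.db.execute(
            "CREATE TABLE token (key TEXT PRIMARY KEY, "
            f"user_id INTEGER NOT NULL {unique}, client TEXT NOT NULL)"
        )

    def login(self, user_id, client):
        if self.shared:
            # Get-or-create: every client of this user receives the same key.
            row = self.db.execute(
                "SELECT key FROM token WHERE user_id = ?", (user_id,)
            ).fetchone()
            if row:
                return row[0]
        key = secrets.token_hex(20)  # unguessable random key
        self.db.execute("INSERT INTO token VALUES (?, ?, ?)", (key, user_id, client))
        return key

    def authenticate(self, key):
        row = self.db.execute(
            "SELECT user_id FROM token WHERE key = ?", (key,)
        ).fetchone()
        return row[0] if row else None

    def logout(self, key):
        # Server-side revocation: delete only the token that was presented.
        self.db.execute("DELETE FROM token WHERE key = ?", (key,))


def demo(one_token_per_user):
    """Log user 1 in on two clients, log out on mobile, report who is still valid."""
    store = TokenStore(one_token_per_user)
    mobile = store.login(1, "mobile")
    web = store.login(1, "web")
    store.logout(mobile)
    return store.authenticate(mobile), store.authenticate(web)


if __name__ == "__main__":
    print("one token per user:", demo(True))    # web session is revoked too
    print("token per client:  ", demo(False))   # web session survives
```

With one token per user, deleting the token on logout ends every client's session; with one token per login, only the client that logged out is affected.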

Source: https://habr.com/ru/post/980741/
