I am currently creating a website using React for the frontend and Django Rest Framework for an API. I decided to use token authentication as I figured it would be an extensible option if I ever decide to create a mobile app in addition to my web application.
At the moment, I am creating one token for each new user, and I have no method of refreshing or changing the token. On login, the frontend passes the username and password to Django, which either creates or retrieves a token and sends it back to be used for future calls to the API.
This is the view I am using to do so:
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.response import Response


class GetAuthToken(ObtainAuthToken):
    # Used to retrieve an auth token with a username and password
    def post(self, request, *args, **kwargs):
        serializer = self.serializer_class(data=request.data,
                                           context={'request': request})
        serializer.is_valid(raise_exception=True)
        user = serializer.validated_data['user']
        # get_or_create returns the same key on every login for this user
        token, created = Token.objects.get_or_create(user=user)
        return Response({
            'token': token.key,
            'user_id': user.pk,
        })
The fact that my tokens never change doesn't seem especially secure and makes me think I have to rethink my authentication/authorization strategy. I'm really not sure where to go from here though, and I had trouble finding help online since my combination of React and DRF isn't especially popular from what I can tell. Any tips would be appreciated, thanks.
question from:
https://stackoverflow.com/questions/65647719/how-do-i-create-secure-token-authentication-with-django-rest-framework-react
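The concern in the question is that a token obtained with get_or_create never changes. The following is an added, framework-independent example (not the asker's code and not part of DRF) of the policy a token endpoint can apply instead: rotate the token on every login, give it a lifetime, revoke it on logout, and store only a hash of it server-side. TokenStore is a hypothetical in-memory stand-in for DRF's Token model; the 24-hour lifetime and the injectable clock are assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_LIFETIME = 24 * 3600  # seconds; assumed policy, tune per application


@dataclass
class TokenRecord:
    user_id: int
    created_at: float


class TokenStore:
    """In-memory stand-in for a token table: one live token per user."""

    def __init__(self, lifetime=TOKEN_LIFETIME, now=time.time):
        self._by_hash = {}   # sha256(token) -> TokenRecord
        self._by_user = {}   # user_id -> sha256(token)
        self.lifetime = lifetime
        self.now = now       # injectable clock so expiry can be tested

    @staticmethod
    def _digest(token):
        # Store a hash only, so a leaked table does not yield usable tokens
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Login: revoke any existing token for this user, return a fresh one."""
        self.revoke_user(user_id)
        token = secrets.token_urlsafe(32)  # CSPRNG, 256 bits of entropy
        h = self._digest(token)
        self._by_hash[h] = TokenRecord(user_id, self.now())
        self._by_user[user_id] = h
        return token  # the plaintext is sent to the client once and not kept

    def authenticate(self, token):
        """Return the user_id for a valid, unexpired token, else None."""
        record = self._by_hash.get(self._digest(token))
        if record is None:
            return None
        if self.now() - record.created_at > self.lifetime:
            self.revoke_user(record.user_id)  # expired: drop it server-side
            return None
        return record.user_id

    def revoke_user(self, user_id):
        """Logout (or forced rotation): invalidate the user's current token."""
        h = self._by_user.pop(user_id, None)
        if h is not None:
            self._by_hash.pop(h, None)
```

In a DRF view the same steps map to deleting the user's existing Token row before creating a new one, checking its created timestamp in a custom TokenAuthentication subclass, and deleting it in a logout endpoint.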