Skip to content
This repository was archived by the owner on May 26, 2020. It is now read-only.

Commit 6acd070

Browse files
jpadillajpadilla
committed
Initial mkdocs setup
1 parent a24f6ef commit 6acd070

File tree

5 files changed

+287
-182
lines changed

5 files changed

+287
-182
lines changed

.gitignore

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,4 +17,4 @@ lib/
1717
local/
1818

1919
!.gitignore
20-
!.travis.yml
20+
!.travis.yml

README.md

Lines changed: 30 additions & 181 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,21 @@
1-
# Django REST framework JWT Auth
1+
# REST framework JWT Auth
22

3-
[![Build Status](https://travis-ci.org/GetBlimp/django-rest-framework-jwt.png?branch=master)](https://travis-ci.org/GetBlimp/django-rest-framework-jwt) [![PyPI version](https://badge.fury.io/py/djangorestframework-jwt.png)](http://badge.fury.io/py/djangorestframework-jwt)
3+
[![build-status-image]][travis]
4+
[![pypi-version]][pypi]
5+
6+
**JSON Web Token Authentication support for Django REST Framework**
7+
8+
Full documentation for the project is available at [docs][docs].
49

510
## Overview
6-
This package provides [JSON Web Token Authentication](http://tools.ietf.org/html/draft-ietf-oauth-json-web-token) support for [Django REST framework](http://django-rest-framework.org/).
711

8-
If you want to read more about JWT, here's a great blog post by the guys at Auth0 that talks about [Cookie vs Token based authentication](http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/).
12+
This package provides [JSON Web Token Authentication][jwt-auth-spec] support for [Django REST framework][drf].
13+
14+
If you want to know more about JWT, check out the following resources:
15+
16+
- DjangoCon 2014 - JSON Web Tokens [Video][jwt-video] | [Slides][jwt-slides]
17+
- [Auth with JSON Web Tokens][auth-jwt]
18+
- [JWT.io][jwt-io]
919

1020
## Requirements
1121

@@ -17,186 +27,25 @@ If you want to read more about JWT, here's a great blog post by the guys at Auth
1727

1828
Install using `pip`...
1929

20-
```
21-
$ pip install djangorestframework-jwt
22-
```
23-
24-
## Usage
25-
26-
In your `settings.py`, add `JSONWebTokenAuthentication` to Django REST framework's `DEFAULT_AUTHENTICATION_CLASSES`.
27-
28-
```python
29-
REST_FRAMEWORK = {
30-
'DEFAULT_PERMISSION_CLASSES': (
31-
'rest_framework.permissions.IsAuthenticated',
32-
),
33-
'DEFAULT_AUTHENTICATION_CLASSES': (
34-
'rest_framework.authentication.SessionAuthentication',
35-
'rest_framework.authentication.BasicAuthentication',
36-
'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
37-
),
38-
}
39-
```
40-
41-
In your `urls.py` add the following URL route to enable obtaining a token via a POST included the user's username and password.
42-
43-
```python
44-
urlpatterns = patterns(
45-
'',
46-
# ...
47-
48-
url(r'^api-token-auth/', 'rest_framework_jwt.views.obtain_jwt_token'),
49-
)
50-
```
51-
52-
You can easily test if the endpoint is working by doing the following in your terminal, if you had a user created with the username **admin** and password **abc123**.
53-
5430
```bash
55-
$ curl -X POST -d "username=admin&password=abc123" http://localhost:8000/api-token-auth/
56-
```
57-
58-
Alternatively, you can use all the content types supported by the Django REST framework to obtain the auth token. For example:
59-
60-
```bash
61-
$ curl -X POST -H "Content-Type: application/json" -d '{"username":"admin","password":"abc123"}' http://localhost:8000/api-token-auth/
62-
```
63-
64-
Now in order to access protected api urls you must include the `Authorization: JWT <your_token>` header.
65-
66-
```bash
67-
$ curl -H "Authorization: JWT <your_token>" http://localhost:8000/protected-url/
68-
```
69-
70-
## Refresh Token
71-
If `JWT_ALLOW_REFRESH` is True, issued tokens can be "refreshed" to obtain a new brand token with renewed expiration time. Add a URL pattern like this:
72-
```python
73-
url(r'^api-token-refresh/', 'rest_framework_jwt.views.refresh_jwt_token'),
74-
```
75-
76-
Pass in an existing token to the refresh endpoint as follows: `{"token": EXISTING_TOKEN}`. Note that only non-expired tokens will work. The JSON response looks the same as the normal obtain token endpoint `{"token": NEW_TOKEN}`.
77-
78-
```bash
79-
$ curl -X POST -H "Content-Type: application/json" -d '{"token":"<EXISTING_TOKEN>"}' http://localhost:8000/api-token-refresh/
80-
```
81-
82-
Refresh with tokens can be repeated (token1 -> token2 -> token3), but this chain of token stores the time that the original token (obtained with username/password credentials), as `orig_iat`. You can only keep refreshing tokens up to `JWT_REFRESH_EXPIRATION_DELTA`.
83-
84-
A typical use case might be a web app where you'd like to keep the user "logged in" the site without having to re-enter their password, or get kicked out by surprise before their token expired. Imagine they had a 1-hour token and are just at the last minute while they're still doing something. With mobile you could perhaps store the username/password to get a new token, but this is not a great idea in a browser. Each time the user loads the page, you can check if there is an existing non-expired token and if it's close to being expired, refresh it to extend their session. In other words, if a user is actively using your site, they can keep their "session" alive.
85-
86-
## Additional Settings
87-
There are some additional settings that you can override similar to how you'd do it with Django REST framework itself. Here are all the available defaults.
88-
89-
```python
90-
JWT_AUTH = {
91-
'JWT_ENCODE_HANDLER':
92-
'rest_framework_jwt.utils.jwt_encode_handler',
93-
94-
'JWT_DECODE_HANDLER':
95-
'rest_framework_jwt.utils.jwt_decode_handler',
96-
97-
'JWT_PAYLOAD_HANDLER':
98-
'rest_framework_jwt.utils.jwt_payload_handler',
99-
100-
'JWT_PAYLOAD_GET_USER_ID_HANDLER':
101-
'rest_framework_jwt.utils.jwt_get_user_id_from_payload_handler',
102-
103-
'JWT_RESPONSE_PAYLOAD_HANDLER':
104-
'rest_framework_jwt.utils.jwt_response_payload_handler',
105-
106-
'JWT_SECRET_KEY': settings.SECRET_KEY,
107-
'JWT_ALGORITHM': 'HS256',
108-
'JWT_VERIFY': True,
109-
'JWT_VERIFY_EXPIRATION': True,
110-
'JWT_LEEWAY': 0,
111-
'JWT_EXPIRATION_DELTA': datetime.timedelta(seconds=300),
112-
113-
'JWT_ALLOW_REFRESH': False,
114-
'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7),
115-
116-
'JWT_AUTH_HEADER_PREFIX': 'JWT',
117-
}
118-
```
119-
This packages uses the JSON Web Token Python implementation, [PyJWT](https://github.com/progrium/pyjwt) and allows to modify some of it's available options.
120-
121-
### JWT_SECRET_KEY
122-
This is the secret key used to sign the JWT. Make sure this is safe and not shared or public.
123-
124-
Default is your project's `settings.SECRET_KEY`.
125-
126-
### JWT_ALGORITHM
127-
128-
Possible values:
129-
130-
> * HS256 - HMAC using SHA-256 hash algorithm (default)
131-
> * HS384 - HMAC using SHA-384 hash algorithm
132-
> * HS512 - HMAC using SHA-512 hash algorithm
133-
> * RS256 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-256 hash algorithm
134-
> * RS384 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-384 hash algorithm
135-
> * RS512 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-512 hash algorithm
136-
137-
Note:
138-
> For the RSASSA-PKCS1-v1_5 algorithms, the "secret" argument in jwt.encode is supposed to be a private RSA key as
139-
> imported with Crypto.PublicKey.RSA.importKey. Likewise, the "secret" argument in jwt.decode is supposed to be the
140-
> public RSA key imported with the same method.
141-
142-
Default is `"HS256"`.
143-
144-
### JWT_VERIFY
145-
146-
If the secret is wrong, it will raise a jwt.DecodeError telling you as such. You can still get at the payload by setting the `JWT_VERIFY` to `False`.
147-
148-
Default is `True`.
149-
150-
### JWT_VERIFY_EXPIRATION
151-
152-
You can turn off expiration time verification with by setting `JWT_VERIFY_EXPIRATION` to `False`.
153-
154-
Default is `True`.
155-
156-
### JWT_LEEWAY
157-
158-
> This allows you to validate an expiration time which is in the past but no very far. For example, if you have a JWT payload with an expiration time set to 30 seconds after creation but you know that sometimes you will process it after 30 seconds, you can set a leeway of 10 seconds in order to have some margin.
159-
160-
Default is `0` seconds.
161-
162-
### JWT_EXPIRATION_DELTA
163-
This is an instance of Python's `datetime.timedelta`. This will be added to `datetime.utcnow()` to set the expiration time.
164-
165-
Default is `datetime.timedelta(seconds=300)`(5 minutes).
166-
167-
### JWT_ALLOW_REFRESH
168-
Enable token refresh functionality. Token issued from `rest_framework_jwt.views.obtain_jwt_token` will have an `orig_iat` field. Default is `False`
169-
170-
### JWT_REFRESH_EXPIRATION_DELTA
171-
Limit on token refresh, is a `datetime.timedelta` instance. This is how much time after the original token that future tokens can be refreshed from.
172-
173-
Default is `datetime.timedelta(days=7)` (7 days).
174-
175-
### JWT_PAYLOAD_HANDLER
176-
Specify a custom function to generate the token payload
177-
178-
### JWT_PAYLOAD_GET_USER_ID_HANDLER
179-
If you store `user_id` differently than the default payload handler does, implement this function to fetch `user_id` from the payload.
180-
181-
### JWT_RESPONSE_PAYLOAD_HANDLER
182-
Responsible for controlling the response data returned after login or refresh. Override to return a custom response such as including the serialized representation of the User.
183-
184-
Defaults to return the JWT token.
185-
186-
Example:
187-
```
188-
def jwt_response_payload_handler(token, user=None):
189-
return {
190-
'token': token,
191-
'user': UserSerializer(user).data
192-
}
31+
$ pip install djangorestframework-jwt
19332
```
19433

195-
Default is `{'token': token}`
34+
## Documentation & Support
19635

197-
### JWT_AUTH_HEADER_PREFIX
198-
You can modify the Authorization header value prefix that is required to be sent together with the token. The default value is `JWT`. This decision was introduced in PR [#4](https://github.com/GetBlimp/django-rest-framework-jwt/pull/4) to allow using both this package and OAuth2 in DRF.
36+
Full documentation for the project is available at [docs][docs].
19937

200-
Another common value used for tokens and Authorization headers is `Bearer`.
38+
You may also want to follow the [author][blimp] on Twitter.
20139

202-
Default is `JWT`.
40+
[build-status-image]: https://secure.travis-ci.org/GetBlimp/django-rest-framework-jwt.png?branch=master
41+
[travis]: http://travis-ci.org/GetBlimp/django-rest-framework-jwt?branch=master
42+
[pypi-version]: https://pypip.in/version/djangorestframework-jwt/badge.svg
43+
[pypi]: https://pypi.python.org/pypi/djangorestframework-jwt
44+
[jwt-auth-spec]: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token
45+
[drf]: http://django-rest-framework.org/
46+
[jwt-video]: https://www.youtube.com/watch?v=825hodQ61bg
47+
[jwt-slides]: https://speakerdeck.com/jpadilla/djangocon-json-web-tokens
48+
[auth-jwt]: http://jpadilla.com/post/73791304724/auth-with-json-web-tokens
49+
[jwt-io]: http://jwt.io/
50+
[docs]: http://getblimp.github.io/django-rest-framework-jwt
51+
[blimp]: https://twitter.com/blimp

docs/css/extra.css

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
body.homepage div.col-md-9 h1:first-of-type {
2+
text-align: center;
3+
font-size: 60px;
4+
font-weight: 300;
5+
margin-top: 0;
6+
}
7+
8+
body.homepage div.col-md-9 p:first-of-type {
9+
text-align: center;
10+
}
11+
12+
body.homepage .badges {
13+
text-align: right;
14+
}
15+
16+
body.homepage .badges a {
17+
display: inline-block;
18+
}
19+
20+
body.homepage .badges a img {
21+
padding: 0;
22+
margin: 0;
23+
}

0 commit comments

Comments
 (0)