Unauthenticated Requests not hitting Views

[rishindoshi]

Hello! I'm relatively new to using DRM so forgive any technical miscues here :). I had a question around the documentation stating:

"Don't forget that authentication by itself won't allow or disallow an incoming request, it simply identifies the credentials that the request was made with."

So I have a view function that's defined as follows:

@api_view(['GET'])
@authentication_classes([TokenAuthentication])
@permission_classes([])
def refresh_spotify_token(request):
    pdb.set_trace()

Now when I make a request to the above route with an invalid token, shouldn't the code still get to that pdb breakpoint and set request.auth to None? Instead the code never reaches the view, and the server logs read:

Unauthorized: /api/v1/users/refresh_spotify_token/
WARNING:django.request:Unauthorized: /api/v1/users/refresh_spotify_token/
[05/Jan/2022 00:31:10] "GET /api/v1/users/refresh_spotify_token/ HTTP/1.1" 401 27

Unless I'm understanding incorrectly, this seems like unexpected behavior since we did not define any Permission Classes. Any help on this matter would be much appreciated!

[Yona5]

For your view (refresh_spotify_token) to process the request, the user has to be authenticated since you have specified the authentication_classes. A user with an invalid token is not authenticated.

[rishindoshi]

Ahh I see thank you for the response! Seems I wasn't understanding the terminology correctly 😄

So with that same view function definition, I'm seeing that if I submit a GET request to the refresh_spotify_token route with no Authorization header set on the request, then we still reach that breakpoint. However, if I submit a GET request with an Authorization header pointing to an invalid token, then the breakpoint within the view is never hit. I'm wondering why is this the case? If TokenAuthentication is specified on the view, shouldn't DRF reject a request with no Authorization header?

[Yona5]

If the Authorization header is not specified, DRF simply returns None. Otherwise, it tries to authenticate the user and raises an exception if the authentication fails (the token is not a match or the user is not active).

If you want to only allow authenticated users, specify IsAuthenticated in your permission_classes. For more options, see rest_framework.permissions.

[RohitPatil18]

Yes. This is actually two step process. Authentication class finds a user and add user object to the request object. In case, There is no user found It simply adds AnonymousUser object. In order to allow only autheticated user i.e. User objects retrieved from database (Not Anonymous user object). We have to specify Permission classes as well. DRF provides us IsAutheticated class.

[rishindoshi]

Got it makes sense. Thanks everyone for the help!