see build output of Django 2.0 here https://travis-ci.org/James1345/django-rest-knox/builds/316640570?utm_source=github_status&utm_medium=notification

The method was introduced in 2.7.7
https://docs.python.org/2/library/hmac.html#hmac.compare_digest

many machines however are still on 2.7.6

time to live, will allow to manage time limited sessions - will force to re-login user, with optional session extension will be a full end-to-end authentication

Looks good!

Want to consider adding to the rest framework grid on django packages: https://www.djangopackages.com/grids/g/django-rest-framework/

Also PR linking to this from the rest framework 'third party packages' docs in auth section would make sense.

Cheers!

You might want to switch the users portion of to use https://docs.djangoproject.com/en/dev/ref/contrib/admin/#django.contrib.admin.ModelAdmin.raw_id_fields

When running tests on Django 2.0+ we see these 2 warnings. Should be an easy fix.

py36-django20 create: /app/.tox/py36-django20
py36-django20 installdeps: Django>=2.0,<2.1, django-nose, markdown<3.0, djangorestframework, flake8, freezegun, mkdocs, pyOpenSSL, pytest-django, setuptools, twine, wheel
py36-django20 inst: /app/.tox/dist/django-rest-knox-3.3.1.zip
py36-django20 installed: asn1crypto==0.24.0,atomicwrites==1.2.1,attrs==18.2.0,bleach==3.0.2,certifi==2018.8.24,cffi==1.11.5,chardet==3.0.4,Click==7.0,cmarkgfm==0.4.2,cryptography==2.3.1,Django==2.0.9,django-nose==1.4.6,django-rest-knox==3.3.1,djangorestframework==3.8.2,docutils==0.14,flake8==3.5.0,freezegun==0.3.10,future==0.16.0,idna==2.7,Jinja2==2.10,livereload==2.5.2,Markdown==2.6.11,MarkupSafe==1.0,mccabe==0.6.1,mkdocs==1.0.4,more-itertools==4.3.0,nose==1.3.7,pkginfo==1.4.2,pluggy==0.7.1,py==1.6.0,pycodestyle==2.3.1,pycparser==2.19,pyflakes==1.6.0,Pygments==2.2.0,pyOpenSSL==18.0.0,pytest==3.8.2,pytest-django==3.4.3,python-dateutil==2.7.3,pytz==2018.5,PyYAML==3.13,readme-renderer==22.0,requests==2.19.1,requests-toolbelt==0.8.0,six==1.11.0,tornado==5.1.1,tqdm==4.26.0,twine==1.12.1,urllib3==1.23,webencodings==0.5.1
py36-django20 runtests: PYTHONHASHSEED='2083888879'
py36-django20 runtests: commands[0] | python manage.py migrate
System check identified some issues:

WARNINGS:
?: (2_0.W001) Your URL pattern '^api/$' [name='api-root'] has a route that contains '(?P<', begins with a '^', or ends with a '$'. This was likely an oversight when migrating to django.urls.path().
?: (2_0.W001) Your URL pattern '^api/' has a route that contains '(?P<', begins with a '^', or ends with a '$'. This was likely an oversight when migrating to django.urls.path().

Can someone provide a short example or tutorial to explain how knox works? I have a DRF backend app and many client (web, ios, android). I would like to add some imprivment to my backend to allow the user to have a different token by client.
But when I try to login trough api/auth/login/ endpoint, I got a error 401.
When I look at the code, the LoginView need the user to be logged in. How is it possible to be logged in in the LoginView (that doesn't makes sens for me ^^)?

Thank you for your help!

Is there any particular reason of why POST empty body approach for login?

An perhaps a stupid question is: how do you do that? I always get Authentication credentials were not provided.

I would like to implement a method of refreshing tokens from a single page app. The refresh itself seems pretty simple, but I was wondering what the best way of accessing a token's expiration time is. I was thinking about overriding the login view to return the expiration time as well, but the manager method to create new tokens only returns the token's key. Any input would be much appreciated.

I am attempting to use django-rest-swagger for API documentation with DRF 3.8.1. Loading fails with the following exception:

'LoginView' should either include a `serializer_class` attribute, or override the `get_serializer_class()` method.

In the DRF documentation, it specifies that:

serializer_class - [...] Typically, you must either set this attribute, or override the get_serializer_class() method.

http://www.django-rest-framework.org/api-guide/generic-views/#attributes

If I'm understanding the documentation correctly, it appears that DRF GenericAPIView must have a serializer_class, which LoginView, LogoutView, and LogoutAllView do not, so I believe this is a bug in django-rest-knox and not in django-rest-swagger.

I'm going to override the classes in my project to add a serializer_class, but I think it might be a fairly involved set of changes. If you're interested in a pull request, please let me know and I can work on creating one once I make the changes.

Does it make sense to make authentication_classes = [BasicAuthentication] the default behavior for KnoxLoginView? Or is it more common to require a different authentication method, rather than basic, for KnoxLoginView?

I think that we could setup the repository to use develop as the default branch which would always be picked up when creating PR's.

Just my 2 cents though.

When i send token with token(len) is longer or shorter token, the program is exception:

Environment:


Request Method: GET
Request URL: ###############

Django Version: 1.9.7
Python Version: 2.7.10
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'django-rest-knox',
 'corsheaders',
 'rest_framework',
']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'corsheaders.middleware.CorsMiddleware']



Traceback:

File "C:\Python27\lib\site-packages\django\core\handlers\base.py" in get_response
  149.                     response = self.process_exception_by_middleware(e, request)

File "C:\Python27\lib\site-packages\django\core\handlers\base.py" in get_response
  147.                     response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "C:\Python27\lib\site-packages\django\views\decorators\csrf.py" in wrapped_view
  58.         return view_func(*args, **kwargs)

File "C:\Python27\lib\site-packages\django\views\generic\base.py" in view
  68.             return self.dispatch(request, *args, **kwargs)

File "C:\Python27\lib\site-packages\rest_framework\views.py" in dispatch
  466.             response = self.handle_exception(exc)

File "C:\Python27\lib\site-packages\rest_framework\views.py" in dispatch
  454.             self.initial(request, *args, **kwargs)

File "C:\Python27\lib\site-packages\rest_framework\views.py" in initial
  376.         self.perform_authentication(request)

File "C:\Python27\lib\site-packages\rest_framework\views.py" in perform_authentication
  310.         request.user

File "C:\Python27\lib\site-packages\rest_framework\request.py" in __getattribute__
  353.             return super(Request, self).__getattribute__(attr)

File "C:\Python27\lib\site-packages\rest_framework\request.py" in user
  193.             self._authenticate()

File "C:\Python27\lib\site-packages\rest_framework\request.py" in _authenticate
  316.                 user_auth_tuple = authenticator.authenticate(self)

File " django-rest-knox/knox/auth.py" in authenticate
  18.         return self.authenticate_credentials(token)

File " django-rest-knox/knox/auth.py" in authenticate_credentials
  31.             digest = hash_token(token, auth_token.salt)

File " django-rest-knox/knox/crypto.py" in hash_token
  32.     digest.update(binascii.unhexlify(token))

Exception Type: TypeError at #####
Exception Value: Odd-length string

I thing you can return token is invalid.

hello, i am a newbie in django. I want to django-rest-knox authentication in my REST API, it's better than simple simple DRF Tokens .

I try to authenticate first created user :

curl -X POST -d "email=[email protected]&password=bejoilty" http://localhost:8000/api/auth/login/

But i always receive HTTP 401 error
I tried several solutions , but nothing works.
My settings:

My user model inherited AbstractBaseUser

My model

My UserSerializer

Can someone tell me where is my mistake, please.

Hi,
I currently use djoser library to do the equivalent but want to be able to support multiple tokens per user which rest-knox supports. But I am unable to get it to work.

I am trying to get rest-knox to work but running into an HTTP 401 issue that I think others have reported. However I dont understand why you have LoginView have permission_classes = (IsAuthenticated,) Shouldnt this be changed AllowedAny.

Why should you have some other type of login first and then call the rest-knox login to login again?
If you look into the login view of djoser, that also has AllowAny permission for the login view.

Thanks

Using django-rest-knox==3.0.0 runs into 'ImportError: No module named rand'.

From what i have seen with the latest update of pyOpenSSL to 17.3.0 they might have removed the rand module. They recommend to use os.urandom instead.

When using knox, if I have a custom model that doesn't use username as the username field, like say email_address, the UserSerializer fails because Django lets us have custom username fields. (See: https://docs.djangoproject.com/en/1.10/topics/auth/customizing/#django.contrib.auth.models.CustomUser.USERNAME_FIELD)

Hello,
Im testing out this library and so far I am really liking it, but I wonder if there is a way to throttle or limit the amount of keys a user can have?

I am willing to take a stab at this if it does not exist, but im curious to hear what everyone else thinks about it?

EDIT: I think that probably a limit is the way to go rather than throttling the requests since that can be handled by the throttling mechanism already built into DRF.

Kindly,
Sphrak

Using default settings result may result in 500 errors since REST_KNOX is not mandatory in settings. This was introduced in version 3.2.0

https://github.com/James1345/django-rest-knox/blob/5ace943e46c799da5c9eeb2e65336d88e63ca008/knox/auth.py#L75

AuthToken.objects.create function tries to add expires as integer to datetime resulting in the above exception. It should be wrapped as a timedelta instead.

http://james1345.github.io/django-rest-knox/settings/

Here in the doc you do mention that TOKEN_TTL should be timedelta but then the example settings show it to be an integer. Either the doc should be fixed or you should support integer as hours as also mentioned in the doc.

  REST_KNOX = {
    'SECURE_HASH_ALGORITHM': 'cryptography.hazmat.primitives.hashes.SHA512',
    'AUTH_TOKEN_CHARACTER_LENGTH': 64,
    'TOKEN_TTL': 10,
    'USER_SERIALIZER': 'knox.serializers.UserSerializer',
 }

I have seen this been discussed in
#7

I would like to share my point of view and an alternative solution here :) :).

The LoginView we have right now requires the user to be authenticated in the first place. This means, first the user has to pass a valid Token (somehow obtained earlier) in the HTTP Authorization Header or have a Valid Session, etc in order to pass permission classes in https://github.com/James1345/django-rest-knox/blob/master/knox/views.py#L16.

Is this the desired behavior for a Login View or API? Shouldn't we allow users, who are not authenticated yet, to pass credentials, authentic the credentials and finally login the user. So the LoginView will take in credentials like username, password etc, authenticate the credentials, and finally create an AuthToken and return response.

Forgive me if I misunderstand the implementation for the LoginView for knox, but shouldn't the LoginView have a permission of 'Allow Any' instead of 'IsAuthenticated' ?

I'd like to change and make the following a configurable settings:

https://github.com/James1345/django-rest-knox/blob/370b517a20429e1cccd7b8f8bbcce10c93b766e7/knox/settings.py#L40

@rphlo, @belugame what's your opinion as you wrote / reviewed this part?

Hello!

We are currently testing django-rest-knox and are having some strange behaviors:

Login with dummy view:

@api_view()

def login_request(request):
    user, created = User.objects.get_or_create(username__iexact='hansblub')
    new_token = AuthToken.objects.create(user)
    return Response({"TOKEN": new_token})

$ http GET https://xxxx/interface/login/
HTTP/1.1 200 OK
Allow: OPTIONS, GET
Cache-Control: max-age=600
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/json
Date: Mon, 20 Feb 2017 22:46:04 GMT
Expires: Mon, 20 Feb 2017 22:55:56 GMT
Last-Modified: Mon, 20 Feb 2017 22:45:56 GMT
Server: nginx/1.10.2
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
Vary: Accept-Encoding

{
    "TOKEN": "33c9c41ab0208042750e100f89efb7270c0bda9c588413cb26304499c39b4ead"
}

Sending a request with header:

$ http GET https://xxxx/interface/request/ "Authorization:Token 249e547d5e585f103c321a67ea4da4e48ed37d154dbbe674741a9864753aa868d"
HTTP/1.1 200 OK
Allow: OPTIONS, GET
Cache-Control: max-age=600
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/json
Date: Mon, 20 Feb 2017 22:46:19 GMT
Expires: Mon, 20 Feb 2017 22:55:43 GMT
Last-Modified: Mon, 20 Feb 2017 22:45:43 GMT
Server: nginx/1.10.2
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
Vary: Accept-Encoding

{
<some stuff?
}

Sending the same request without header, from a different device, in a different network, with a different remote ip, just gives the same result.

If I delete the token, the result is right:

$ http POST https://droag.annorath-game.com/interface/request/HTTP/1.1 401 Unauthorized
Allow: OPTIONS, GET
Connection: keep-alive
Content-Type: application/json
Date: Mon, 20 Feb 2017 22:24:56 GMT
Server: nginx/1.10.2
Transfer-Encoding: chunked
WWW-Authenticate: Token

{
    "detail": "Authentication credentials were not provided."
}

What can be the cause of this? I don't get it currently.

Hi
Thank you for this library as it seems it is a pretty good replacement for the basic token auth of DRF. I have been trying to get this library to work but confused as to how to actually replace the default token auth.

I currently use djoser for REST register/login/logout/set password etc with basic DRF Token Auth

Is this is a replacement for the for...

1. Replace
   'rest_framework.authentication.TokenAuthentication',
   with
   'knox.auth.TokenAuthentication',

in
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.SessionAuthentication',
),

or
2. Do I have to change my login/logout views in addition to changing the authentication.
3. Do I remove 'rest_framework.authtoken', from INSTALLED_APPS?

Thanks

hi
i have a error when i wanna get token with send post request to /api/auth/login with basic Authorization header.

python 3.4 django 1.9.4

settings.py:

INSTALLED_APPS = [
....
'rest_framework',
'knox',
....
]

REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAuthenticated',),
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.BasicAuthentication',
'rest_framework.authentication.SessionAuthentication',
),
'PAGE_SIZE': 10,
'DEFAULT_FILTER_BACKENDS': ('rest_framework.filters.DjangoFilterBackend',)
}

REST_KNOX = {
'SECURE_HASH_ALGORITHM': 'cryptography.hazmat.primitives.hashes.SHA512',
'AUTH_TOKEN_CHARACTER_LENGTH': 64,
'TOKEN_TTL': 10,
'USER_SERIALIZER': 'knox.serializers.UserSerializer',
}

urls.py:
from django.conf.urls import url, include
urlpatterns = [
url(r'api/auth/', include('knox.urls'))
]

Internal Server Error: /api/auth/login/
Traceback (most recent call last):
File "/usr/local/lib/python3.4/dist-packages/django/core/handlers/base.py", line 149, in get_response
response = self.process_exception_by_middleware(e, request)
File "/usr/local/lib/python3.4/dist-packages/django/core/handlers/base.py", line 147, in get_response
response = wrapped_callback(request, _callback_args, *_callback_kwargs)
File "/usr/local/lib/python3.4/dist-packages/django/views/decorators/csrf.py", line 58, in wrapped_view
return view_func(_args, *_kwargs)
File "/usr/local/lib/python3.4/dist-packages/django/views/generic/base.py", line 68, in view
return self.dispatch(request, _args, *_kwargs)
File "/usr/local/lib/python3.4/dist-packages/rest_framework/views.py", line 466, in dispatch
response = self.handle_exception(exc)
File "/usr/local/lib/python3.4/dist-packages/rest_framework/views.py", line 463, in dispatch
response = handler(request, _args, *_kwargs)
File "/usr/local/lib/python3.4/dist-packages/knox/views.py", line 19, in post
token = AuthToken.objects.create(request.user)
File "/usr/local/lib/python3.4/dist-packages/knox/models.py", line 14, in create
digest = crypto.hash_token(token, salt)
File "/usr/local/lib/python3.4/dist-packages/knox/crypto.py", line 32, in hash_token
digest = hashes.Hash(sha(), backend=default_backend())
File "/usr/local/lib/python3.4/dist-packages/cryptography/hazmat/backends/init.py", line 35, in default_backend
_default_backend = MultiBackend(_available_backends())
File "/usr/local/lib/python3.4/dist-packages/cryptography/hazmat/backends/init.py", line 22, in _available_backends
"cryptography.backends"
File "/usr/local/lib/python3.4/dist-packages/cryptography/hazmat/backends/init.py", line 21, in
for ep in pkg_resources.iter_entry_points(
AttributeError: 'EntryPoint' object has no attribute 'resolve'

The module rand it's no longer supported in OpenSSL:

https://pypi.python.org/pypi/pyOpenSSL

This line breaks:

https://github.com/James1345/django-rest-knox/blob/master/knox/crypto.py#L5

Version: django-rest-knox==2.3.0

Produces an error 401:

• Authorization: Token 12
• Authorization: 123

Produces an "Odd-length string" error 500:

• Authorization: Token 123
• Authorization: Token abcde
• ... every other token with an odd length

As the readme doesn't really state it: django-rest-knox has a major performance issue.

https://github.com/James1345/django-rest-knox/blob/master/knox/auth.py#L50

This line leads to major performance hits once one reaches significant user numbers, as each API request leads to all tokens being sent do the Django instances. Once reaching a few tens of thousands of users and more than a handful of requests per second, the application is spending more time receiving/parsing SQL and guessing tokens than doing some actual work.

One way to change this would be the following: Split the token in 2 parts:

• Part one is an identifier for a database column, e.g. a random string
• Part two is the very token knox currently uses

This would lead to only querying for a single row (the one matching part on), then comparing one hash.

Funfact: While loadtesting I watched my servers handle > 100mbit/s of SQL due to this bug.

I need some custom behaviour that will require me to access the AuthToken object itself rather than just the token string. How do I do that if all I have is that string? I can't figure out this part from the documentation or the code.

Just an FYI, the link to the documentation page is no longer found:
https://james1345.github.io/

Hi @James1345 and other contributors, first thanks for the great app!

I use Knox in production on several projects. This time I need to deploy one of those in a Linux shared server in a hosting provider (WebFaction). The problem is when I login I always receive the same token no matter the user credentials I send. Naturally, when trying to login a second time I get:

"(1062, "Duplicate entry '1080f871e39cc839e5bcc9f852f9a8f3ddc03cf7e72e9fd1d6e4a71d7e74936f' for key 'PRIMARY'")".

I noticed the problem is with the random bytes generation. When Knox tries to generate salt and token it only gets a bunch of zeros from OpenSSL.rand.bytes. So when it uses the zeros to digest the token, the result is always the same. This generates a database error since token field is, of course, unique.

As I needed to deploy the project fast I started to mess around with Knox code and found that if I replace the OpenSSL.rand.bytes with os.urandom it solves the problem. Is also good to mention both os.urandom and OpenSSL.rand.bytes work fine in the Python terminal of the same server.

In the documentation of Knox is said that "DRF Tokens are generated with os.urandom, which is not cryptographically secure. Knox uses OpenSSL to provide tokens." But the documentation of pyOpenSSL rand module says "Functions from this module shouldn’t be used. Use urandom instead." pointing the this article.

So could some one clarify if is it really worse to use os.random and why?

Not sure if I'm missing something, but reading the docs I could only see knox used on per-view level.

I can simply add knox.auth.TokenAuthentication to REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"] too, to have it on all my api views, right?

If that's so, shouldn't docs explain or show that?

I see that knox uses PyOpenSSL to generate random numbers for the tokens. According to the cryptography documentation using os.urandom is fine.

I would like to implement logging when an authentication token is removed via the function _cleanup_token

It could be nice if the module would emit some different signals for the following items:
https://github.com/James1345/django-rest-knox/blob/master/knox/auth.py#L101
and
https://github.com/James1345/django-rest-knox/blob/master/knox/auth.py#L104

Documentation on signals:
https://docs.djangoproject.com/en/2.1/topics/signals/

this bit triggers a type error: "super() takes at least 1 argument (0 given)"

auth_token = super().create(digest=digest, salt=salt, user=user)

I am using python 2.7.6 with django 1.8.2.

I guess this would work as expected in Python 3.

Unless I've confused myself, when a token has expired the client will need to login again to obtain a new token.

The default is 10 hours, but that seems very short given Knox could be providing tokens to mobile apps. Is there a reason to keep the TTL low?

It would be really helpful to add any clarification to the documentation!

Hi. Great work!

In models.py , maybe change the following line:
auth_token = super().create(digest=digest, salt=salt, user=user)
to:
auth_token = super(AuthTokenManager,self).create(digest=digest, salt=salt, user=user)

for Python 2.7 compatibility?

Would it make sense to add named tokens that do not expire so that they can be used in server to server communications?

This should work by default, correct? It should be mentioned in the docs.

Basic Auth is bad
Digest auth is a possibility
Pub/private is possibility

Is there something I'm missing?

In the docs (Installation > Setup), it says to "Make knox's TokenAuthentication your default authentification class for django-rest-framework."

Only way later in the docs does it mention that doing so will require you to override the login view.

It took me forever to figure out how I was getting a 401 even though I followed all the setup instructions. I think the information about overriding should be included in the setup, or there should be different setup instructions altogether so people can run a test quickly and make sure everything works post-install.

I think it's a bit sad to have to switch between RST and MD syntax in the changelog / readme and the doc.

Would you mind if I rewrite everything in markdown instead?

Under class LogoutView, request._auth.delete() refers to the AuthToken. Where is request._auth being set?

see job log: https://travis-ci.org/James1345/django-rest-knox/jobs/409780228

HTTPError: 400 Client Error: User 'xxx.xxx' does not have a verified primary email address. Please add a verified primary email before attempting to upload to PyPI. See https://pypi.org/help/#verified-email for more information.for more information. for url: https://upload.pypi.org/legacy/

Original author was informed by me.

https://github.com/James1345/django-rest-knox/blob/e2c59581eac21381f9e789494744f20e4e187e7b/knox/auth.py#L71

it's bad to use == directly

https://docs.python.org/2/library/hmac.html#hmac.compare_digest

Please remove fields 'first_name' and 'last_name' from user serializer in order to support its use with custom user model with no such fields.
Or alternatively give options in settings to override the serializer used.

I'm trying out this project: https://github.com/Seedstars/django-react-redux-base which is using Knox and when I login via the frontend, django doesn't create a sessionId, although the login was successful. Attempting to access the django admin dashboard will ask you to login again, even though my user is a super user. Is this something to do with the way Knox has been set up?