OPTIONS request and token auth


Олег Чумаков

Jan 24, 2013, 12:27:29 PM
to django-res...@googlegroups.com
Hi! I'm using token authorization and editing the headers of requests via jQuery ($.ajaxSetup/beforeSend). All requests which I send manually are fine, but the OPTIONS request sent by default returns code 301 (Moved Permanently). I looked inside the logs and see that clicking the Options button in the browsable API view prints "POST /v1/some/..." but the OPTIONS request from jQuery prints "OPTIONS /v1/some/...". What can I do to disable OPTIONS requests from jQuery or enable OPTIONS support in Django-Rest-Framework?
An additional question about token authorization. How can I change the headers of OPTIONS requests or disable the authorization check for them? Thanks!

Олег Чумаков

Jan 24, 2013, 2:10:14 PM
to django-res...@googlegroups.com
I found that the OPTIONS 301 response changed to 403 after changing the parent class of the View from APIView to generics.GenericAPIView.

On Thursday, 24 January 2013 at 21:27:29 UTC+4, Олег Чумаков wrote:

Tom Christie

Jan 25, 2013, 4:30:43 AM
to django-res...@googlegroups.com
jQuery will be sending the OPTIONS request because it's making a cross-origin request.
I'd suggest you google around getting CORS working with jQuery.
You'll need to set some headers server-side to get everything working. Take a look at this thread, in particular Otto Yiu's CORS middleware: https://github.com/OttoYiu/django-cors-headers.

Note that the 301 you were seeing won't be anything related to REST framework, as there's nowhere in the code that ever returns a 301.

Cheers,

  Tom

Олег Чумаков

Jan 25, 2013, 5:52:59 AM
to django-res...@googlegroups.com
Thanks! That is all right. But the problem is in token auth. Every request must contain the header "Authorization %TOKEN%". But OPTIONS request headers are uncontrollable. So I want to find a way to edit these headers or disable authorization for OPTIONS requests on the server side.

On Friday, 25 January 2013 at 13:30:43 UTC+4, Tom Christie wrote:

Carlton Gibson

Jan 25, 2013, 8:38:13 AM
to django-res...@googlegroups.com

On 25 Jan 2013, at 11:52, Олег Чумаков <olegchuma...@gmail.com> wrote:

Thanks! That is all right. But the problem is in token auth. Every request must contain the header "Authorization %TOKEN%". But OPTIONS request headers are uncontrollable. So I want to find a way to edit these headers or disable authorization for OPTIONS requests on the server side.

Could you not use a custom authentication class that returns True if the request method is OPTIONS and proxies to permissions.IsAuthenticated if not?

Regards,

Carlton

Олег Чумаков

Jan 25, 2013, 9:25:25 AM
to django-res...@googlegroups.com
This is what I want to do, but I can't find an elegant way to do it. I set the authentication class once in settings and do not redefine it in the view. I'm using the standard TokenAuthentication from django-rest-framework, so I can't modify this code without copying it and creating my own version of this class. I will try to disable TokenAuthentication inside custom middleware. Thanks for the advice :)

On Friday, 25 January 2013 at 17:38:13 UTC+4, Carlton Gibson wrote:

Олег Чумаков

Jan 25, 2013, 12:57:38 PM
to django-res...@googlegroups.com
Found a solution. I just defined a custom permissions scheme to allow all OPTIONS requests without authorization. Thanks ^)

On Friday, 25 January 2013 at 18:25:25 UTC+4, Олег Чумаков wrote:

Tom Christie

Jan 26, 2013, 11:43:12 AM
to django-res...@googlegroups.com
It's worth noting that bypassing permissions checks for OPTIONS requests could potentially expose more information about your API than you'd like to unauthenticated users, as noted against this related pull request (e.g. allowing an attacker to determine the existence of objects in the system).

It may be that's not an issue for your use-case, but just in case, you might also consider dealing with CORS pre-flight OPTIONS requests using middleware. The django-cors-headers package from Otto Yiu should do what you need.

Cheers,

  Tom
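To make the caveat in Tom's last reply concrete, here is an added example (not code from this thread or from django-rest-framework) that models both approaches in plain Python: a view that skips the permission check for OPTIONS, as in the solution above, beside a middleware that answers CORS preflight before any view runs. The object ids, token and origin allow-list are constructed, the view and middleware return bare status codes instead of Django responses, and the "Token" header prefix follows DRF's TokenAuthentication.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

EXISTING_IDS = {1, 2}                       # constructed stand-in for DB rows
VALID_TOKENS = {"secret-token"}             # constructed sample token
ALLOWED_ORIGINS = {"https://app.example"}   # assumed CORS allow-list

def is_authenticated(request):
    auth = request.headers.get("Authorization", "")
    return auth.startswith("Token ") and auth[len("Token "):] in VALID_TOKENS

def make_detail_view(exempt_options):
    """Object-detail view (status code only). exempt_options=True mirrors
    the thread's fix: the permission check is skipped for OPTIONS. The view
    still looks the object up, so an unauthenticated OPTIONS learns whether
    the id exists (200 vs 404)."""
    def view(request):
        skip_check = exempt_options and request.method == "OPTIONS"
        if not skip_check and not is_authenticated(request):
            return 401
        obj_id = int(request.path.rstrip("/").rsplit("/", 1)[-1])
        return 200 if obj_id in EXISTING_IDS else 404
    return view

class PreflightMiddleware:
    """Answers CORS preflight before any view runs (Django middleware shape,
    no Django needed). Anything that is not a preflight passes through, so a
    bare OPTIONS without CORS headers still meets the normal permission check."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        origin = request.headers.get("Origin")
        preflight = (request.method == "OPTIONS" and origin is not None
                     and "Access-Control-Request-Method" in request.headers)
        if not preflight:
            return self.get_response(request)
        # Never reaches the view: the answer is the same for every path.
        return 200 if origin in ALLOWED_ORIGINS else 403

def preflight(path, origin="https://app.example"):
    """The OPTIONS request a browser sends before a cross-origin jQuery call
    that sets a custom Authorization header."""
    return Request("OPTIONS", path,
                   {"Origin": origin, "Access-Control-Request-Method": "GET"})
```

With the permission bypass, an unauthenticated preflight to `/v1/some/1` returns 200 and to `/v1/some/9` returns 404, so object existence leaks; behind the middleware both return 200 while the view keeps its full permission check for every other request.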