Permissions

This example shows how you can protect your API by requiring authentication, and how you can limit the number of requests a user may make to a resource by setting a throttle on your view.

Authentication

If you want to protect your API from unauthorized users, Django REST Framework offers you two default authentication methods:

  • Basic Authentication
  • Django’s session-based authentication

These authentication methods are enabled by default, but they are not used unless you specifically state that your view requires authentication.

To do this you just need to import the IsAuthenticated class from the framework’s permissions module:

from djangorestframework.permissions import IsAuthenticated

Then you enable authentication by adding the appropriate ‘permission requirement’ to the permissions class attribute of your View, as in the example View below:

from djangorestframework.views import View  # base View class of the framework
from djangorestframework.permissions import IsAuthenticated


class LoggedInExampleView(View):
    """
    You can login with **'test', 'test'.** or use curl:

    `curl -X GET -H 'Accept: application/json' -u test:test http://localhost:8000/permissions-example`
    """

    # Only authenticated requests are allowed through to the handler methods.
    permissions = (IsAuthenticated, )

    def get(self, request):
        return 'You have permission to view this resource'

The IsAuthenticated permission only lets a user perform a ‘GET’ if the request is authenticated. Try it yourself on the live sandbox.

Throttling

If you want to limit the number of requests a client is allowed to make to a resource, you can set a ‘throttle’ to achieve this.

For this to work you’ll need to import the PerUserThrottling class from the permissions module:

from djangorestframework.permissions import PerUserThrottling

In the example below we have limited the number of requests one ‘client’ or ‘user’ may make to our view to 10 requests per minute:

from djangorestframework.views import View  # base View class of the framework
from djangorestframework.permissions import PerUserThrottling


class ThrottlingExampleView(View):
    """
    A basic read-only View that has a **per-user throttle** of 10 requests per minute.

    If a user exceeds the 10 requests limit within a period of one minute, the
    throttle will be applied until 60 seconds have passed since the first request.
    """

    # The throttle is a permission; the rate string sets its limit and period.
    permissions = (PerUserThrottling,)
    throttle = '10/min'

    def get(self, request):
        """
        Handle GET requests.
        """
        return "Successful response to GET request because throttle is not yet active."

Try it yourself on the live sandbox.

Now if you want a view to require both authentication and throttling, you simply declare them both:

permissions = (PerUserThrottling, IsAuthenticated)
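As an added illustration of how these two permissions interact (this is a stand-alone model written for this page, not the framework's own code), the following parses the same '10/min' rate string, applies a per-user fixed window with the reset behaviour described above, and checks authentication before the throttle; the names PerUserThrottle, check_request and replay are invented for the example.

```python
import time

# Seconds per unit in a throttle string such as '10/min'.
# Constructed for this example; the real framework's parser may differ.
_UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}


def parse_rate(rate):
    """Turn 'N/unit' (e.g. '10/min') into (max_requests, window_seconds)."""
    num, unit = rate.split("/")
    return int(num), _UNIT_SECONDS[unit]  # KeyError on an unknown unit


class PerUserThrottle:
    """Fixed-window throttle keyed per user: once a user has used up the limit,
    further requests are refused until window_seconds have passed since that
    user's first request in the window (the behaviour the page describes)."""

    def __init__(self, rate, clock=time.time):
        self.limit, self.window = parse_rate(rate)
        self.clock = clock  # injectable so the behaviour can be replayed
        self._windows = {}  # user -> (window_start, request_count)

    def allow(self, user):
        now = self.clock()
        start, count = self._windows.get(user, (now, 0))
        if now - start >= self.window:  # window expired: start a fresh one
            start, count = now, 0
        if count >= self.limit:
            return False
        self._windows[user] = (start, count + 1)
        return True


def check_request(user, throttle):
    """Evaluate permissions in order: IsAuthenticated, then PerUserThrottling.
    user is None for an anonymous request; returns an HTTP-style status."""
    if user is None:
        return 401  # unauthenticated requests never reach the throttle
    if not throttle.allow(user):
        return 503  # over this user's limit for the current window
    return 200


def replay(rate, events):
    """Replay constructed (timestamp, user) events through a fresh throttle."""
    ticks = {"now": 0.0}
    throttle = PerUserThrottle(rate, clock=lambda: ticks["now"])
    statuses = []
    for t, user in events:
        ticks["now"] = float(t)
        statuses.append(check_request(user, throttle))
    return statuses
```

Replaying eleven requests from one user inside a minute shows the eleventh refused, a different user unaffected, and the first user admitted again once 60 seconds have passed since their first request.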

To see what other throttles are available, have a look at the permissions module.

If you want to implement your own authentication method, then refer to the authentication module.