Access geonode api without browser client login

[cristianleonie-geos]

I'm encountering an issue with authentication in GeoNode and could use some help. I've enabled it by setting:

LOCKDOWN_GEONODE=True

However, I need to access the API (.../api/v2/...) through a client, both for frontend clients in Django templates and in pure code.

When I activate the lockdown, any API call is redirected to the login page, regardless of the authentication method I use. I've tried BasicAuth and token authentication (by adding REST_FRAMEWORK TokenAuthentication), but nothing seems to work.

The only workaround I've found is to add the API urls to AUTH_EXEMPT_URLS, and create my own middleware to intercept requests. But that doesn't seem like the correct approach.

Could you please help me understand what I'm doing wrong and suggest a better solution?

[giohappy]

Try setting `ENABLE_APIKEY_LOGIN=True`. This setting will enable a middleware that will authenticate and login users if an access_token is provided (as Bearer token inside the Authorization header). I see this setting is not documented, we should add it. Giovanni

[cristianleonie-geos]

Awesome, this worked as intended, I'll share my code for those interested:

my_application/settings.py

INSTALLED_APPS += (
    "activation",
    "utils",
    "rest_framework_simplejwt",
)

REST_FRAMEWORK = {
    'DEFAULT_FILTER_BACKENDS': ['django_filters.rest_framework.DjangoFilterBackend'],
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.SessionAuthentication",
        "oauth2_provider.contrib.rest_framework.OAuth2Authentication",
        "rest_framework_simplejwt.authentication.JWTAuthentication",
    ],
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
    ],
    "DEFAULT_RENDERER_CLASSES": [
        "rest_framework.renderers.JSONRenderer",
        "dynamic_rest.renderers.DynamicBrowsableAPIRenderer",
    ],
    "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
    "EXCEPTION_HANDLER": "geonode.base.api.exceptions.geonode_exception_handler",
}
# Allow access to token generation
AUTH_EXEMPT_URLS += ("/api-token-auth/*", )

Here you might want to add only the DEFAULT_PERMISSION/AUTHENTICATION rather than overriding the whole REST_FRAMEWORK variable so if you update version it doesn't create issues

.env

ENABLE_APIKEY_LOGIN=True
LOCKDOWN_GEONODE=True

urls.py

from rest_framework_simplejwt.views import (
    TokenObtainPairView,
    TokenRefreshView,
    TokenVerifyView,
)

urlpatterns += [
    path('api-token-auth/', TokenObtainPairView.as_view(), name='token_obtain_pair'),
    path('api-token-auth/refresh/', TokenRefreshView.as_view(), name='token_refresh'),
    path('api-token-auth/verify/', TokenVerifyView.as_view(), name='token_verify'),
]