<h2id="apache-mod_wsgi-specific-configuration">Apache mod_wsgi specific configuration</h2>
<h2id="apache-mod_wsgi-specific-configuration">Apache mod_wsgi specific configuration</h2>
<p>Note that if deploying to <ahref="http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPassAuthorization">Apache using mod_wsgi</a>, the authorization header is not passed through to a WSGI application by default, as it is assumed that authentication will be handled by Apache, rather than at an application level.</p>
<p>Note that if deploying to <ahref="http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPassAuthorization">Apache using mod_wsgi</a>, the authorization header is not passed through to a WSGI application by default, as it is assumed that authentication will be handled by Apache, rather than at an application level.</p>
<p>If you are deploying to Apache, and using any non-session based authentication, you will need to explicitly configure mod_wsgi to pass the required headers through to the application. This can be done by specifying the <code>WSGIPassAuthorization</code> directive in the appropriate context and setting it to <code>'On'</code>.</p>
<p>If you are deploying to Apache, and using any non-session based authentication, you will need to explicitly configure mod_wsgi to pass the required headers through to the application. This can be done by specifying the <code>WSGIPassAuthorization</code> directive in the appropriate context and setting it to <code>'On'</code>.</p>
<preclass="prettyprint lang-py"><code># this can go in either server config, virtual host, directory or .htaccess
<preclass="prettyprint lang-py"><code># this can go in either server config, virtual host, directory or .htaccess
WSGIPassAuthorization On
WSGIPassAuthorization On
</code></pre>
</code></pre>
<hr/>
<hr/>
...
@@ -285,7 +286,7 @@ WSGIPassAuthorization On
...
@@ -285,7 +286,7 @@ WSGIPassAuthorization On
</code></pre>
</code></pre>
<p><strong>Note:</strong> If you use <code>BasicAuthentication</code> in production you must ensure that your API is only available over <code>https</code>. You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage.</p>
<p><strong>Note:</strong> If you use <code>BasicAuthentication</code> in production you must ensure that your API is only available over <code>https</code>. You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage.</p>
<p>This authentication scheme uses a simple token-based HTTP Authentication scheme. Token authentication is appropriate for client-server setups, such as native desktop and mobile clients.</p>
<p>This authentication scheme uses a simple token-based HTTP Authentication scheme. Token authentication is appropriate for client-server setups, such as native desktop and mobile clients.</p>
<p>To use the <code>TokenAuthentication</code> scheme, include <code>rest_framework.authtoken</code> in your <code>INSTALLED_APPS</code> setting:</p>
<p>To use the <code>TokenAuthentication</code> scheme, include <code>rest_framework.authtoken</code> in your <code>INSTALLED_APPS</code> setting:</p>
@@ -482,6 +483,8 @@ class ExampleAuthentication(authentication.BaseAuthentication):
...
@@ -482,6 +483,8 @@ class ExampleAuthentication(authentication.BaseAuthentication):
<p>The <ahref="https://github.com/Rediker-Software/doac">Django OAuth2 Consumer</a> library from <ahref="https://github.com/Rediker-Software">Rediker Software</a> is another package that provides <ahref="https://github.com/Rediker-Software/doac/blob/master/docs/integrations.md#">OAuth 2.0 support for REST framework</a>. The package includes token scoping permissions on tokens, which allows finer-grained access to your API.</p>
<p>The <ahref="https://github.com/Rediker-Software/doac">Django OAuth2 Consumer</a> library from <ahref="https://github.com/Rediker-Software">Rediker Software</a> is another package that provides <ahref="https://github.com/Rediker-Software/doac/blob/master/docs/integrations.md#">OAuth 2.0 support for REST framework</a>. The package includes token scoping permissions on tokens, which allows finer-grained access to your API.</p>
<h2id="json-web-token-authentication">JSON Web Token Authentication</h2>
<h2id="json-web-token-authentication">JSON Web Token Authentication</h2>
<p>JSON Web Token is a fairly new standard which can be used for token-based authentication. Unlike the built-in TokenAuthentication scheme, JWT Authentication doesn't need to use a database to validate a token. <ahref="https://github.com/GetBlimp">Blimp</a> maintains the <ahref="https://github.com/GetBlimp/django-rest-framework-jwt">djangorestframework-jwt</a> package which provides a JWT Authentication class as well as a mechanism for clients to obtain a JWT given the username and password.</p>
<p>JSON Web Token is a fairly new standard which can be used for token-based authentication. Unlike the built-in TokenAuthentication scheme, JWT Authentication doesn't need to use a database to validate a token. <ahref="https://github.com/GetBlimp">Blimp</a> maintains the <ahref="https://github.com/GetBlimp/django-rest-framework-jwt">djangorestframework-jwt</a> package which provides a JWT Authentication class as well as a mechanism for clients to obtain a JWT given the username and password.</p>
<p>The <ahref="http://hawkrest.readthedocs.org/en/latest/">HawkREST</a> library builds on the <ahref="http://mohawk.readthedocs.org/en/latest/">Mohawk</a> library to let you work with <ahref="https://github.com/hueniverse/hawk">Hawk</a> signed requests and responses in your API. <ahref="https://github.com/hueniverse/hawk">Hawk</a> lets two parties securely communicate with each other using messages signed by a shared key. It is based on <ahref="http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-05">HTTP MAC access authentication</a> (which was based on parts of <ahref="http://oauth.net/core/1.0a">OAuth 1.0</a>).</p>
<p>HTTP Signature (currently a <ahref="https://datatracker.ietf.org/doc/draft-cavage-http-signatures/">IETF draft</a>) provides a way to achieve origin authentication and message integrity for HTTP messages. Similar to <ahref="http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Amazon's HTTP Signature scheme</a>, used by many of its services, it permits stateless, per-request authentication. <ahref="https://github.com/etoccalino/">Elvio Toccalino</a> maintains the <ahref="https://github.com/etoccalino/django-rest-framework-httpsignature">djangorestframework-httpsignature</a> package which provides an easy to use HTTP Signature Authentication mechanism.</p>
<p>HTTP Signature (currently a <ahref="https://datatracker.ietf.org/doc/draft-cavage-http-signatures/">IETF draft</a>) provides a way to achieve origin authentication and message integrity for HTTP messages. Similar to <ahref="http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Amazon's HTTP Signature scheme</a>, used by many of its services, it permits stateless, per-request authentication. <ahref="https://github.com/etoccalino/">Elvio Toccalino</a> maintains the <ahref="https://github.com/etoccalino/django-rest-framework-httpsignature">djangorestframework-httpsignature</a> package which provides an easy to use HTTP Signature Authentication mechanism.</p>
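Review bot: In the added HawkREST paragraph, "lets two parties securely communicate with each other using messages signed by a shared key" overstates what signing provides: a shared-key signature authenticates the sender and protects the integrity of the signed parts of a message, but it does not encrypt anything. Suggest "lets two parties authenticate each other's requests and responses using messages signed by a shared key", and state, as the BasicAuthentication note earlier on this page does, that the API should still only be available over https. The paragraph also links "Hawk" to https://github.com/hueniverse/hawk twice in consecutive sentences, where one link is enough. As shown, it follows the JSON Web Token paragraph with no heading of its own, so check that the second added line counted in this hunk's header gives it one.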
<p>The most important thing you can do to help push the REST framework project forward is to be actively involved wherever possible. Code contributions are often overvalued as being the primary way to get involved in a project, we don't believe that needs to be the case.</p>
<p>The most important thing you can do to help push the REST framework project forward is to be actively involved wherever possible. Code contributions are often overvalued as being the primary way to get involved in a project, we don't believe that needs to be the case.</p>
<p>If you use REST framework, we'd love you to be vocal about your experiences with it - you might consider writing a blog post about using REST framework, or publishing a tutorial about building a project with a particular Javascript framework. Experiences from beginners can be particularly helpful because you'll be in the best position to assess which bits of REST framework are more difficult to understand and work with.</p>
<p>If you use REST framework, we'd love you to be vocal about your experiences with it - you might consider writing a blog post about using REST framework, or publishing a tutorial about building a project with a particular Javascript framework. Experiences from beginners can be particularly helpful because you'll be in the best position to assess which bits of REST framework are more difficult to understand and work with.</p>
<p>Other really great ways you can help move the community forward include helping answer questions on the <ahref="https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework">discussion group</a>, or setting up an <ahref="http://stackexchange.com/filters/66475/rest-framework">email alert on StackOverflow</a> so that you get notified of any new questions with the <code>django-rest-framework</code> tag.</p>
<p>Other really great ways you can help move the community forward include helping answer questions on the <ahref="https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework">discussion group</a>, or setting up an <ahref="http://stackexchange.com/filters/66475/rest-framework">email alert on StackOverflow</a> so that you get notified of any new questions with the <code>django-rest-framework</code> tag.</p>
<p>When answering questions make sure to help future contributors find their way around by hyperlinking wherever possible to related threads and tickets, and include backlinks from those items if relevant.</p>
<p>When answering questions make sure to help future contributors find their way around by hyperlinking wherever possible to related threads and tickets, and include backlinks from those items if relevant.</p>
<h2id="code-of-conduct">Code of conduct</h2>
<h2id="code-of-conduct">Code of conduct</h2>
<p>Please keep the tone polite & professional. For some users a discussion on the REST framework mailing list or ticket tracker may be their first engagement with the open source community. First impressions count, so let's try to make everyone feel welcome.</p>
<p>Please keep the tone polite & professional. For some users a discussion on the REST framework mailing list or ticket tracker may be their first engagement with the open source community. First impressions count, so let's try to make everyone feel welcome.</p>
<p>Be mindful in the language you choose. As an example, in an environment that is heavily male-dominated, posts that start 'Hey guys,' can come across as unintentionally exclusive. It's just as easy, and more inclusive to use gender neutral language in those situations.</p>
<p>Be mindful in the language you choose. As an example, in an environment that is heavily male-dominated, posts that start 'Hey guys,' can come across as unintentionally exclusive. It's just as easy, and more inclusive to use gender neutral language in those situations.</p>
...
@@ -222,7 +222,7 @@
...
@@ -222,7 +222,7 @@
<li>Closing an issue doesn't necessarily mean the end of a discussion. If you believe your issue has been closed incorrectly, explain why and we'll consider if it needs to be reopened.</li>
<li>Closing an issue doesn't necessarily mean the end of a discussion. If you believe your issue has been closed incorrectly, explain why and we'll consider if it needs to be reopened.</li>
</ul>
</ul>
<h2id="triaging-issues">Triaging issues</h2>
<h2id="triaging-issues">Triaging issues</h2>
<p>Getting involved in triaging incoming issues is a good way to start contributing. Every single ticket that comes into the ticket tracker needs to be reviewed in order to determine what the next steps should be. Anyone can help out with this, you just need to be willing to</p>
<p>Getting involved in triaging incoming issues is a good way to start contributing. Every single ticket that comes into the ticket tracker needs to be reviewed in order to determine what the next steps should be. Anyone can help out with this, you just need to be willing to</p>
<ul>
<ul>
<li>Read through the ticket - does it make sense, is it missing any context that would help explain it better?</li>
<li>Read through the ticket - does it make sense, is it missing any context that would help explain it better?</li>
<li>Is the ticket reported in the correct place, would it be better suited as a discussion on the discussion group?</li>
<li>Is the ticket reported in the correct place, would it be better suited as a discussion on the discussion group?</li>
...
@@ -246,7 +246,7 @@ pip install -r optionals.txt
...
@@ -246,7 +246,7 @@ pip install -r optionals.txt
# Run the tests
# Run the tests
rest_framework/runtests/runtests.py
rest_framework/runtests/runtests.py
</code></pre>
</code></pre>
<p>You can also use the excellent <code>[tox][tox]</code> testing tool to run the tests against all supported versions of Python and Django. Install <code>tox</code> globally, and then simply run:</p>
<p>You can also use the excellent <ahref="http://tox.readthedocs.org/en/latest/">tox</a> testing tool to run the tests against all supported versions of Python and Django. Install <code>tox</code> globally, and then simply run:</p>
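Review bot: The old line shows a Markdown reference link rendered literally as <code>[tox][tox]</code>, which is what happens when the link is wrapped in backticks. This file appears to be rendered HTML, so confirm the fix is also made in the Markdown source for this page (drop the backticks around the link), otherwise the next docs build will bring the literal text back. The new link target is plain http://tox.readthedocs.org; prefer the https URL if the host serves it.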
<h2id="adding-login-to-the-browsable-api">Adding login to the Browsable API</h2>
<h2id="adding-login-to-the-browsable-api">Adding login to the Browsable API</h2>
<p>If you open a browser and navigate to the browsable API at the moment, you'll find that you're no longer able to create new code snippets. In order to do so we'd need to be able to login as a user.</p>
<p>If you open a browser and navigate to the browsable API at the moment, you'll find that you're no longer able to create new code snippets. In order to do so we'd need to be able to login as a user.</p>
<p>We can add a login view for use with the browsable API, by editing our URLconf once more.</p>
<p>We can add a login view for use with the browsable API, by editing the URLconf in our project-level urls.py file.</p>
<p>Add the following import at the top of the file:</p>
<p>Add the following import at the top of the file:</p>
<preclass="prettyprint lang-py"><code>from django.conf.urls import include
<preclass="prettyprint lang-py"><code>from django.conf.urls import include
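Review bot: In the changed sentence, "project-level urls.py file" leaves the file name as plain text, while identifiers elsewhere in these docs (for example <code>INSTALLED_APPS</code> and <code>tox</code>) are wrapped in <code>. Suggest <code>urls.py</code> for consistency, so the file to edit stands out before the import that follows.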