florimondmanca/djangorestframework-api-key

error in HasApiKey permission

Closed this issue · 10 comments

Describe the bug
Error in HasApiKey permission: when trying to call the API I get an invalid credentials error. I think the problem is in the crypto.py file.

@souheyltoumi Hi. Could you follow the Bug Report issue template, providing necessary details as listed there? Right now this issue is not really actionable. Thanks!

@florimondmanca
Describe the bug
Request always returns invalid credentials when adding HasAPIKey to permission_classes
To Reproduce
Steps to reproduce the behavior:

1. Create a simple class

    from django.http import HttpResponse
    from rest_framework.views import APIView
    from rest_framework_api_key.permissions import HasAPIKey

    class ProjectListView(APIView):
        # Only requests carrying a valid API key pass this permission check.
        permission_classes = (HasAPIKey,)

        def get(self, request):
            """Retrieve a project based on the request API key."""
            return HttpResponse("SUCCESS")

2. Configure urls
3. Generate API key
4. In Postman, configure the header as stated in the user guide
5. When accessing that URL we get invalid credentials
Expected behavior
expect to get the result success
Screenshots
image

If applicable, add screenshots to help explain your problem.
image

Desktop (please complete the following information):

OS: Windows
Version: [e.g. 0.2.2]
Python Version: [e.g. 3.7]
Django Version: [e.g. 2.1]
DRF Version: [e.g. 3.8.2]
Additional context
Add any other context about the problem here.

Also experiencing this issue

django==3.1.3
djangorestframework==3.12.2
djangorestframework-api-key==2.0.0

Despite following all the instructions, when a request is sent to the server including a valid 'Authorization' header, the server responds with:

403

{
    "detail": "Authentication credentials were not provided."
}

@souheyltoumi found the issue. It's that the documentation is wrong. It suggests supplying just the API key PREFIX with requests, when you actually must pass the full API key in the header.

e.g.

VALID
e1A90iCP.qg7Hn5JOKsSzZYG8NoneihxXVO24QhOi

NOT VALID
e1A90iCP
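
Why the prefix alone is rejected, as an added example that is not part of this thread or the project's own code: a simplified model, assuming the `<prefix>.<secret>` key shape shown above and a server that stores only a salted hash of the full key. `KeyStore`, `key_from_headers` and `diagnose` are hypothetical names, and the generated keys are constructed sample data.

```python
import hashlib
import hmac
import secrets


class KeyStore:
    """Simplified stand-in for a server-side key table (assumption, not the library)."""

    def __init__(self):
        self._rows = {}  # prefix -> (salt, digest of the FULL key)

    @staticmethod
    def _digest(key, salt):
        return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 100_000)

    def create(self):
        prefix = secrets.token_urlsafe(6)    # 8 chars, never contains "."
        secret = secrets.token_urlsafe(24)   # 32 chars
        key = f"{prefix}.{secret}"
        salt = secrets.token_bytes(16)
        self._rows[prefix] = (salt, self._digest(key, salt))
        return key  # shown once; only the prefix and the hash are kept

    def check(self, key):
        # Local diagnostic only: a real server should answer every failure
        # with the same generic 403 instead of revealing which step failed.
        prefix, sep, secret = key.partition(".")
        if not sep or not secret:
            return "malformed: prefix only, secret part missing"
        row = self._rows.get(prefix)
        if row is None:
            return "unknown prefix"
        salt, digest = row
        if hmac.compare_digest(self._digest(key, salt), digest):
            return "ok"
        return "secret mismatch"


def key_from_headers(headers):
    """Read the key from 'Authorization: Api-Key <key>' or 'X-Api-Key: <key>'."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme == "Api-Key" and value.strip():
        return value.strip()
    return headers.get("X-Api-Key")


def diagnose(store, headers):
    key = key_from_headers(headers)
    return "no key in headers" if key is None else store.check(key)
```

Because the hash covers the whole `<prefix>.<secret>` string, the 8-character prefix visible after creation can locate a record but can never verify against it.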

Hi all,

> you actually must pass the full api key in the header.

Yup, that's correct. I see now in @souheyltoumi's screenshot that they seem to have passed the prefix only, but the full API key is required.

> It's that the documentation is wrong. It suggests supplying just the api key PREFIX with requests.

This doesn't seem to be what the docs here point at…? https://florimondmanca.github.io/djangorestframework-api-key/guide/#authorization-header Or is "the generated API key" ambiguous, i.e. it could be understood as "the visible part of the API key that's shown to you in the admin"? Or should we use more ***** asterisks to hint that those are meant to hide the full API key, rather than the 8-character prefix? :-)

Nobody reads docs word by word, readers skim over things and just read code blocks usually.
This part is what's misleading:

then clients must make authorized requests using:

X-Api-Key: ********

and

Authorization: Api-Key ********

where ******** refers to the generated API key.

it should be more like:

then clients must make authorized requests using:

X-Api-Key: ********************************

********************************

Yup, agreed. :-) I'll log a ticket about this so we properly track it. Edit: #157

Thanks all.

Hey @richardARPANET, how do I get the full API key?

@souheyltoumi When you create it in the Django admin panel it shows on UI at that moment (and never again).