tfranzel/drf-spectacular

How to allow authorized, unauthenticated users to view certain endpoints?

Opened this issue · 0 comments

This is not a bug but rather a question.
I was wondering what's the best way to allow authorized but unauthenticated API users to view the documentation for certain endpoints.

In my case, I need API users with the HasAdminAPIKey permission to be authorized to see the schema for user endpoints (which require the IsAuthenticated permission).
My permission_classes for my UserViewSet looked like this: permission_classes = [IsAuthenticated & (HasAdminAPIKey | IsDebugOn)], and now I've changed it to permission_classes = [(HasAdminAPIKey | IsDebugOn) & (IsAuthenticated | IsDocsRequest)].

And this is the IsDocsRequest permission:

from rest_framework.permissions import BasePermission
from rest_framework.request import Request
from rest_framework.views import APIView


class IsDocsRequest(BasePermission):
    """Passes only when the Referer header points at the docs page."""

    def has_permission(self, request: Request, view: APIView) -> bool:
        referer = request.headers.get("Referer")

        # No Referer at all: treat as a direct API call, not a docs request.
        if referer is None:
            return False

        # Compare against the absolute URL of the docs page on this host.
        return referer == request.build_absolute_uri("/docs/")

This makes it possible for unauthenticated API users to access the view in the docs, but obviously not outside of them.
The issue is that this is not a secure way to check if the request is coming from drf-spectacular, as theoretically an API user with the HasAdminAPIKey permission could simply add the required Referer to their headers...

So, what do you think is the best way to check if a request is coming from drf-spectacular in IsDocsRequest? Or is there another approach I'm missing?
Thank you for the help
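An added example (not code from the issue author or from drf-spectacular itself) of a check that cannot be forged from the client side. When SERVE_PUBLIC is False, drf-spectacular calls the builder configured in the GET_MOCK_REQUEST setting once per endpoint to create the mock request it passes to the view's permission classes. Headers (including Referer) are copied from the real request onto that mock request, which is why the Referer approach is spoofable; a Python attribute set on the mock request object, by contrast, can only be put there by the generator. The names SCHEMA_GENERATION_ATTR, build_tagged_mock_request, IsSchemaGenerationRequest and the settings module path myproject.permissions are assumptions chosen for this example.

```python
"""
Tag the mock request that drf-spectacular builds for each endpoint during
schema generation, then let a permission class look for that tag.
Assumed names (not part of drf-spectacular): SCHEMA_GENERATION_ATTR,
mark_as_schema_request, is_schema_request, build_tagged_mock_request,
IsSchemaGenerationRequest.
"""
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except ImportError:  # lets this module be imported outside a Django project (e.g. for a plain test)
    BasePermission = object  # type: ignore[misc,assignment]

# Private attribute that only build_tagged_mock_request ever sets. It lives on the
# request object, not in headers or cookies, so an HTTP client cannot supply it.
SCHEMA_GENERATION_ATTR = "_spectacular_schema_generation"


def mark_as_schema_request(request):
    """Tag a request object as having been produced by the schema generator."""
    setattr(request, SCHEMA_GENERATION_ATTR, True)
    return request


def is_schema_request(request) -> bool:
    """True only for requests tagged by mark_as_schema_request; a forged Referer changes nothing."""
    return getattr(request, SCHEMA_GENERATION_ATTR, False) is True


def build_tagged_mock_request(method, path, view, original_request, **kwargs):
    """
    Drop-in for drf-spectacular's GET_MOCK_REQUEST setting (assumed settings.py):

        SPECTACULAR_SETTINGS = {
            "SERVE_PUBLIC": False,
            "GET_MOCK_REQUEST": "myproject.permissions.build_tagged_mock_request",
        }

    Delegates to drf-spectacular's own builder (imported lazily so this module can be
    imported without Django installed) and tags the result. The builder copies user and
    auth from the original request, so HasAdminAPIKey is still evaluated for the key holder.
    """
    from drf_spectacular.plumbing import build_mock_request

    request = build_mock_request(method, path, view, original_request, **kwargs)
    return mark_as_schema_request(request)


class IsSchemaGenerationRequest(BasePermission):
    """
    Grants access only while drf-spectacular is deciding whether to list the endpoint.
    A real request to the endpoint never carries the tag, so this permission can only
    ever reveal the schema, never data. Use it where IsDocsRequest was used, e.g.
    permission_classes = [(HasAdminAPIKey | IsDebugOn) & (IsAuthenticated | IsSchemaGenerationRequest)]
    """

    def has_permission(self, request, view) -> bool:
        return is_schema_request(request)


# Constructed stand-in requests for the stand-alone demo below (no Django needed).
FORGED_REQUEST = SimpleNamespace(headers={"Referer": "https://api.example.com/docs/"})
GENERATED_REQUEST = mark_as_schema_request(SimpleNamespace(headers={}))

if __name__ == "__main__":
    perm = IsSchemaGenerationRequest()
    print("forged Referer accepted?  ", perm.has_permission(FORGED_REQUEST, view=None))
    print("generator request accepted?", perm.has_permission(GENERATED_REQUEST, view=None))
```

Two things still need to hold for this to be safe in practice: the schema view itself must be locked down with SERVE_PERMISSIONS (for example to HasAdminAPIKey), otherwise anyone can read the schema of those endpoints, and the combination with `&` must keep HasAdminAPIKey on the left so that an unauthenticated request without the key is still rejected during generation.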