How to allow authorized, unauthenticated users to view certain endpoints?
Opened this issue · 0 comments
This is not a bug but rather a question.
I was wondering what's the best way to allow authorized but unauthenticated API users to view the documentation for certain endpoints.
In my case, I need API users with the `HasAdminAPIKey` permission to be authorized to see the schema for user endpoints (which require the `IsAuthenticated` permission).
My `permission_classes` for my `UserViewSet` looked like this: `permission_classes = [IsAuthenticated & (HasAdminAPIKey | IsDebugOn)]`, and now I've changed it to `permission_classes = [(HasAdminAPIKey | IsDebugOn) & (IsAuthenticated | IsDocsRequest)]`.
And this is the `IsDocsRequest` permission:

```python
from rest_framework.permissions import BasePermission
from rest_framework.request import Request
from rest_framework.views import APIView


class IsDocsRequest(BasePermission):
    """Allow the request only if its Referer is this site's /docs/ page."""

    def has_permission(self, request: Request, view: APIView) -> bool:
        referer = request.headers.get("Referer")
        if referer is None:
            return False
        # Compare against the absolute URL of the docs page on this host.
        return referer == request.build_absolute_uri("/docs/")
```
This makes it possible for unauthenticated API users to access the view in the docs, but obviously not outside of them.
The issue is that this is not a secure way to check if the request is coming from drf-spectacular, as theoretically an API user with the `HasAdminAPIKey` permission could simply add the required referer to his headers...
So, what do you think is the best way to check if a request is coming from drf-spectacular in `IsDocsRequest`? Or is there another approach I'm missing?
Thank you for the help
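An added example, not part of the issue above and not a maintainer reply, showing one alternative to a referer check: instead of making the per-view permission recognise schema-generation requests, let drf-spectacular generate the schema without evaluating each view's `permission_classes`, and put the access control on the schema endpoint itself. It relies on drf-spectacular's `SERVE_PUBLIC` and `SERVE_PERMISSIONS` settings, which the post does not mention; the import path `myproject.permissions.HasAdminAPIKey` is a hypothetical location for the asker's own permission class.

```python
# Added example (not code from the issue or from drf-spectacular): a Django
# settings fragment for a project that uses drf-spectacular.
# Assumptions: `SERVE_PUBLIC` and `SERVE_PERMISSIONS` are drf-spectacular
# settings keys not mentioned in the post; the dotted path to HasAdminAPIKey
# is hypothetical and must match wherever the project defines that class.

SPECTACULAR_SETTINGS = {
    # Build the schema as "public": endpoints are listed regardless of
    # whether the requesting user would pass each view's permission_classes.
    # IsAuthenticated-gated views such as UserViewSet therefore appear in the
    # schema without any referer-based bypass in the view permissions.
    "SERVE_PUBLIC": True,
    # Because the schema now describes every endpoint, the schema/docs
    # endpoint itself must be restricted. Reuse the API-key permission the
    # asker already has instead of rest_framework's default AllowAny.
    "SERVE_PERMISSIONS": ["myproject.permissions.HasAdminAPIKey"],
}


def docs_access_is_restricted(settings: dict = SPECTACULAR_SETTINGS) -> bool:
    """Sanity check for a deployment test: a public schema must never be
    served with the AllowAny default, or unauthenticated clients would get
    the full endpoint list."""
    permissions = settings.get("SERVE_PERMISSIONS", [])
    return bool(permissions) and (
        "rest_framework.permissions.AllowAny" not in permissions
    )
```

With this in place the `UserViewSet` can keep its original `permission_classes = [IsAuthenticated & (HasAdminAPIKey | IsDebugOn)]` and `IsDocsRequest` is no longer needed. `SERVE_PUBLIC` only changes which endpoints the generated schema lists; calling the endpoints at runtime is still governed by each view's own permissions, and the schema endpoint is now gated by `SERVE_PERMISSIONS` rather than by a client-controlled `Referer` header.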