WEBVTT

00:01.460 --> 00:05.900
In the previous video, we discovered how to create a token.

00:05.900 --> 00:11.980
And now I will show you how we can use that token to secure our application.

00:11.990 --> 00:16.910
So let's come back to our PyCharm and we can close.

00:19.190 --> 00:24.290
Those URLs, we don't use them anymore, and you can close all of that.

00:24.290 --> 00:32.850
So basically in our settings we can set up a setting for our REST framework.

00:32.870 --> 00:35.540
At the moment we don't have anything here yet.

00:35.540 --> 00:40.880
So in any place you like we can add a setting, specifically for REST framework.

00:40.880 --> 00:52.280
So we do all-capital REST_FRAMEWORK, like that, and then we'll include some configuration

00:52.280 --> 00:53.000
inside.

00:57.000 --> 00:59.430
And we're gonna do DEFAULT.

01:01.130 --> 01:05.210
PERMISSION_CLASSES.

01:07.320 --> 01:08.070
And then.

01:09.580 --> 01:14.980
We can pass a tuple, an array of different permissions.

01:14.980 --> 01:17.560
I will do a new line here.

01:20.590 --> 01:22.300
And then capital rest_

01:25.580 --> 01:26.600
framework.

01:28.190 --> 01:33.880
permissions, and then we can decide what permission we would like to have.

01:33.890 --> 01:39.790
So I will start with IsAuthenticated.

01:39.800 --> 01:41.150
That's case sensitive.

01:41.360 --> 01:43.940
So rest_framework.permissions.IsAuthenticated.

01:43.940 --> 01:45.350
I'll put a comma at the very end.

01:45.350 --> 01:52.910
That's very important because we need to tell Python that this is actually an array, a tuple

01:52.910 --> 01:53.930
that we'll use.

01:53.930 --> 01:59.240
Otherwise it will be treated as a single record and it will throw an error for us.

01:59.240 --> 02:05.840
So wherever you have a tuple, to make sure that Python will treat it as a tuple, put the comma at the very

02:05.840 --> 02:06.200
end.

02:06.230 --> 02:10.040
So rest_framework.permissions.IsAuthenticated, we add it like that.

02:10.040 --> 02:13.970
And as you can see here, that's a default in the settings.

02:13.970 --> 02:19.490
So that means that we would like to use IsAuthenticated as the default.

02:19.490 --> 02:27.330
So we restrict our application to be used only by authenticated users.

02:27.330 --> 02:28.920
So I will run it again.

02:30.620 --> 02:33.050
And now the server is running.

02:33.050 --> 02:41.720
Let's go back to Postman here and then let's try to use one of the calls we used

02:41.720 --> 02:42.110
before.

02:42.140 --> 02:48.140
So as you can see here, if I click this on the books, this is what we used before. I have another tab

02:48.140 --> 02:49.010
here when I click it.

02:49.010 --> 02:50.780
So this one is still there.

02:51.230 --> 02:58.460
I have another tab, which is demo books, and I will try to use the GET. Before, we had a list of all

02:58.460 --> 02:59.840
the books in our database.

02:59.840 --> 03:04.880
So if I do it now, you can see here "Authentication credentials were not provided."

03:04.940 --> 03:10.930
The reason for this message being displayed is this.

03:10.940 --> 03:17.810
So the default permission for our whole project is IsAuthenticated.

03:17.810 --> 03:24.200
So that means I restrict everything in my application to be authenticated.

03:24.200 --> 03:31.500
So what do we need to actually do to get some records? I will show you. So we have that token that we

03:31.500 --> 03:33.090
can actually use.

03:33.090 --> 03:43.110
So normally what we need to do is we go to the headers, and inside headers we need to attach our authorization.

03:43.110 --> 03:52.470
So the key here is Authorization and the value is capital Token, then space, and then we can paste

03:52.470 --> 03:54.600
in that long string.

03:54.600 --> 03:57.360
So we don't have much space here.

03:57.360 --> 03:59.940
So it will go to a double line, and it doesn't really matter.

03:59.940 --> 04:06.540
But the syntax is Token, space, and the long string that we got from here.

04:06.540 --> 04:12.750
So you can see we have this token. I just copy that and put it inside the headers in Authorization:

04:12.750 --> 04:16.020
Token, space, and the string. If I send it,

04:16.020 --> 04:22.410
now what we could expect is to have the result back, but it's not going to work.

04:22.410 --> 04:24.510
And I will show you in a second why.

04:24.600 --> 04:26.430
So I will send it now.

04:26.700 --> 04:33.030
And you can see nothing has changed, despite the fact we are sending the token to get our books.

04:33.030 --> 04:36.750
What we need to do is we need to come back to our Django.

04:37.170 --> 04:46.530
And inside the views here, we need to tell this view set that it will use authentication_classes,

04:46.890 --> 04:51.510
and here we can provide, give it TokenAuthentication.

04:51.510 --> 04:53.010
First, we'll need to import it.

04:53.010 --> 05:04.050
So from rest_framework.authentication import TokenAuthentication, and that TokenAuthentication

05:04.050 --> 05:06.450
I can pass it here.

05:06.480 --> 05:12.360
I also need to provide that extra comma for Python to treat it as a tuple; otherwise it will be treated

05:12.510 --> 05:14.100
as a single record.

05:14.100 --> 05:19.820
And it needs to be an array, because authentication_classes expects that there might be more than one value.

05:19.830 --> 05:22.650
So actually you can pass as many as you like.

05:22.650 --> 05:25.770
So that's what we have now, our authentication_classes.

05:25.770 --> 05:29.220
And then we say TokenAuthentication, use it for this view.

05:33.350 --> 05:38.030
And then I will refresh it here, and then we can come back to Postman.

05:38.240 --> 05:40.120
And then let's try it again.

05:40.130 --> 05:44.840
We still have that Authorization and token, and I will send the GET.

05:44.840 --> 05:51.380
And in this case, you can see I'm getting my two books from the database because I provided that authorization

05:51.380 --> 05:52.250
token here.

05:52.250 --> 05:59.690
If I disable this for now, this time when I click send, it is without the authorization.

05:59.690 --> 06:05.300
So you can see here "Authentication credentials were not provided." If I include it,

06:07.270 --> 06:08.980
I have all the books.

06:08.980 --> 06:18.490
So in that case, what I'm doing is I'm restricting seeing a list of the books to people who have authorization,

06:18.490 --> 06:20.650
and only people with a token.

06:20.650 --> 06:23.170
That means they need to have an account in our system.

06:23.170 --> 06:25.060
They will get the list there.

06:25.330 --> 06:27.940
So that's the way to restrict it.

06:27.970 --> 06:32.440
What else can we do? In the settings we changed

06:32.440 --> 06:34.420
it here: IsAuthenticated.

06:34.420 --> 06:37.900
That's not the only method we have in the documentation.

06:37.900 --> 06:41.620
We might have more methods, but I will show you another one.

06:42.040 --> 06:44.980
AllowAny, like that.

06:44.980 --> 06:46.750
So if I change it here.

06:48.130 --> 06:50.110
And come back to our application.

06:50.290 --> 06:55.090
And then if I send it here, nothing changed because I provide authentication.

06:55.090 --> 07:02.710
If I disable this authentication and send it, you can see I still see a list of books because my default.

07:04.630 --> 07:05.530
In the settings.

07:05.530 --> 07:08.620
My default permission_classes is AllowAny.

07:08.650 --> 07:13.060
That means everyone can see anything in my application.

07:13.060 --> 07:20.110
But despite the fact that the default might be AllowAny, I can still override it here for this specific

07:20.110 --> 07:20.830
view set.

07:20.860 --> 07:28.360
So what I can do is I can do permission_classes, and here I can do IsAuthenticated as we had it before,

07:28.360 --> 07:29.770
so I need to import it first.

07:29.770 --> 07:32.260
So from rest_framework.

07:33.380 --> 07:34.280
permissions.

07:35.620 --> 07:37.490
IsAuthenticated.

07:37.540 --> 07:40.900
You can see here, actually, we have more options.

07:40.900 --> 07:45.010
So IsAdminUser, IsAuthenticatedOrReadOnly, and so on and so on.

07:45.010 --> 07:47.920
So you can actually see some references there.

07:47.920 --> 07:52.390
I will use IsAuthenticated, like that, and I will pass it here.

07:52.420 --> 07:53.860
Also make it a tuple.

07:54.130 --> 08:03.010
So this time, my default one I said AllowAny, so my application will be open to anyone, but this specific

08:03.010 --> 08:06.160
view set will be only IsAuthenticated.

08:06.160 --> 08:13.900
So I will save this here, come back to Postman, and then let's try to get the list of the books without

08:13.930 --> 08:14.710
a token.

08:15.540 --> 08:16.200
Sending.

08:17.000 --> 08:19.910
And I need to provide it with the token.

08:21.020 --> 08:21.590
I get it.

08:21.590 --> 08:22.280
All right.

08:24.520 --> 08:27.010
So that proves the way

08:27.960 --> 08:34.400
how we can actually secure it and have full control over our resources in the database.

08:34.410 --> 08:40.560
So in our case, we have only one view set, but you might have multiple models, multiple view sets,

08:40.560 --> 08:44.460
and you can restrict them by view set.

08:44.460 --> 08:51.420
So you might say my application is allowing anyone to see everything, but you might have some resources

08:51.420 --> 08:53.700
that you will restrict, or the other way around.

08:53.730 --> 08:59.490
You will restrict everything here, and if you want to open something, you can do AllowAny here as well.

08:59.490 --> 09:03.480
So this is the way to control the access to our application.
