0 votes

I'm using DRF and DRF-jwt to secure my APIs. Currently I have some CBVs written like this:

from django.db import connection
from django.http import JsonResponse
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
from rest_framework.permissions import IsAuthenticated
from rest_framework.views import APIView

# getDateRange() and dictfetchall() are project helpers defined elsewhere;
# dictfetchall returns one dict per row keyed by column name.

class Organization(APIView):
    permission_classes = (IsAuthenticated,)

    @method_decorator(csrf_exempt, name='dispatch')
    class OfficeVisitsOverview(APIView):
        # A nested class does not inherit attributes from the enclosing class,
        # so the permission has to be declared here for it to apply to this view.
        permission_classes = (IsAuthenticated,)

        def post(self, request, *args, **kwargs):
            cursor = connection.cursor()
            (before, today) = getDateRange()
            # The date bounds are spliced into the SQL text with str.format.
            cursor.execute("SELECT format(COUNT(*), 'N0') \
                            FROM Medi_OfficeVisit \
                            WHERE ( cast(VisitDate as date) BETWEEN '{0}' AND '{1}' ) \
                    ".format(before, today))
            data = dictfetchall(cursor)
            connection.close()
            # The COUNT column has no alias, so its key in the row dict is "".
            return JsonResponse({"numberOfOVs": data[0][""]})

From my understanding, the APIView and the permission class IsAuthenticated make sure that there's an Authorization token being sent in the request header. How can you be sure that no one has modified the JWT? How do I know that the Secret_Token in my Django app is being used every time to decode/encode/verify/validate the JWT that is being received/sent with every request? Is this enough security for my APIs to be opened to the public?


1 Answer

2 votes

IsAuthenticated just makes sure that the current request.user.is_authenticated is True. It is the authentication backend's responsibility to check for headers, validate tokens and so on and set User.is_authenticated. This is the one you added in your settings file while setting up rest-framework-jwt. This is an application created exactly for the purpose of secure authentication, so yes, it's enough. But you still have to take care of other aspects such as SSL, SQL injection and so on (search for Django security).

Warning! Do not use .format to create SQL queries, as this is a direct way to SQL injection. If you later use some user-provided parameters for your query, you will be in danger. Pass parameters as the second argument to cursor.execute or use the ORM to avoid this.
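To make the answer's point concrete, here is an added, self-contained example (not code from the question or the answer) that runs the question's date-range query both ways against a constructed in-memory SQLite table standing in for Medi_OfficeVisit. SQLite uses ? placeholders; with Django's connection.cursor() the placeholder is %s regardless of backend, and the parameters go in a list as the second argument to cursor.execute.

```python
import sqlite3


def make_db():
    """Constructed stand-in for Medi_OfficeVisit with three sample visits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Medi_OfficeVisit (VisitDate TEXT)")
    conn.executemany("INSERT INTO Medi_OfficeVisit VALUES (?)",
                     [("2019-01-02",), ("2019-01-15",), ("2019-02-01",)])
    return conn


def count_visits_unsafe(conn, before, today):
    """The pattern from the question: values spliced into the SQL text with str.format.

    Any quote character in `before` or `today` becomes part of the SQL grammar
    rather than part of the value, so the statement can break or change meaning.
    """
    sql = ("SELECT COUNT(*) FROM Medi_OfficeVisit "
           "WHERE VisitDate BETWEEN '{0}' AND '{1}'").format(before, today)
    return conn.execute(sql).fetchone()[0]


def count_visits_safe(conn, before, today):
    """Parameterised form: the driver sends the values separately, so they are always data.

    Django equivalent: cursor.execute("... BETWEEN %s AND %s", [before, today])
    """
    sql = "SELECT COUNT(*) FROM Medi_OfficeVisit WHERE VisitDate BETWEEN ? AND ?"
    return conn.execute(sql, (before, today)).fetchone()[0]


def compare(before, today):
    """Run both variants on the same input; report the unsafe one's error instead of raising."""
    conn = make_db()
    try:
        unsafe = count_visits_unsafe(conn, before, today)
    except sqlite3.Error as exc:
        unsafe = "error: " + type(exc).__name__
    safe = count_visits_safe(conn, before, today)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    print(compare("2019-01-01", "2019-01-31"))   # well-formed dates: both count 2
    print(compare("2019-01'01", "2019-01-31"))   # stray quote: unsafe errors, safe still runs
```

With well-formed dates both variants agree; with a value containing a quote only the .format variant fails, which is the symptom the answer warns about.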