Our app has ~50k User objects and even more Client objects, and currently, because of AuthTokenAdmin's list_filter, our app times out every time we access the AuthToken list page in Django admin (because the filter lists every single one of these User and Client objects as possible filters). Can AuthTokenAdmin's list_filter be removed?

I am using django-rest-durin in a closed-source project where I've extended it to add a sort-of "sessions management" feature.

• REST view for an authenticated user to get list of sessions (in context of django-rest-durin, this means AuthToken instances), revoke session by ID. Useful for pages like "View active browser sessions".
• REST views for an authenticated user to create/delete token against a pre-defined client. Useful for pages like "Get API key".

If and when I find the time, I'd really like to take that code, generalize it and make it part of this package.

At the moment, the durin/models.py is omitted from code coverage, I'd like to change this.

• Include test cases for both models, AuthToken and Client.
• Include test cases which could potentially invoke some weird behavior

Hello, first I want to say thanks for the library and well documentation,

If you POST request on Logout view without an authorization header, it returns 500 Internal server error that says:

File .../venv/lib/python3.8/site-packages/durin/views.py", line 172, in post
    request._auth.delete()
AttributeError: 'NoneType' object has no attribute 'delete'

I know it doesn't make sense that an unauthenticated user wants to log out, But shouldn't we check?

post method in Logout view can be:

def post(self, request, *args, **kwargs):
        if request._auth:
            request._auth.delete()
            user_logged_out.send(
                sender=request.user.__class__, request=request, user=request.user
            )
        return Response(None, status=status.HTTP_204_NO_CONTENT)

OR in my case I overwrite the LogoutView method and add permission_class:

from durin.views import LogoutView as DurinLogoutView

class LogoutView(DurinLogoutView):
    **permission_classes = [permissions.IsAuthenticated]**

The same happens in LogoutAllView except there can't find the user

File ".../venv/lib/python3.8/site-packages/durin/views.py", line 195, in post
    request.user.auth_token_set.all().delete()
AttributeError: 'AnonymousUser' object has no attribute 'auth_token_set'

Should be easily sub-classable (extendable) and enable normalization.

django-memoize has not received an update in a long time, whereas django-cache-memoize has active development and more features.

From django-silk profiling,

        if not auth_token.user.is_active:

is causing a query like:

SELECT "api_user"."id",
       "api_user"."password",
       "api_user"."last_login",
       "api_user"."is_superuser",
       "api_user"."username",
       "api_user"."first_name",
       "api_user"."last_name",
       "api_user"."email",
       "api_user"."is_staff",
       "api_user"."is_active",
       "api_user"."date_joined"
FROM "api_user"
WHERE "api_user"."id" = 1
LIMIT 21

this can be potentially be optimized using select_related.

how to setup durin such that TOKEN_TTL never expires ?

There can be use cases where developers wish to store settings/metadata about a user specific to a client. (For example, theme name, styling, avatar, display name, etc.)

Few initial implementation ideas:

• Provide an abstract UserClient model with user_id and client_id fields that developers could subclass.
• Provide an UserClientSettings model with user_id, client_id, metadata = JsonField fields that developers can directly use.

Model should provide a shortcut method:

def get_current(request: "rest_framework.request.Request") -> UserClient

More ideas welcome.

in models.py

from django.utils.translation import ugettext_lazy as _ no longer works

https://docs.djangoproject.com/en/4.0/releases/4.0/#features-removed-in-4-0

• django.utils.translation.ugettext(), ugettext_lazy(), ugettext_noop(), ungettext(), and ungettext_lazy() are removed.

Create a ClientSerializer and a corresponding ClientViewset for the Client model.

Hello

Could you explain how to make a refresh request please ? I tried with Basic auth and Bearer Auth but always receive this error.

Thanks for help.

Regards

Hi, was wondering if there are any additional setup required when authenticating a Google OAuth token? The header format is of the form Authorization: Token some_hash, but for some reason the response form calling an API afterwards returns {detail: Invalid token. }. Can this be caused if a default expiry and additional settings are not set? When not using 3rd party Oauth, the client logs in and is able to perform API calls with the token created by durin.

Hi!
Thanks for the library, it really helped me solve my problem. But while implementing authorization via GraphQL I encountered the following problem: AuthToken.objects.get_or_create(user=user, client=auth_client) method does not work correctly.
Expected behavior: classic get_or_create
Real result: error NOT NULL constraint failed: durin_authtoken.expiry

A piece of code in which an error occurs:

login(request, user)
token, created = AuthToken.objects.get_or_create(user=user, client=auth_client)

If I wrap it in try-exept, everything works as it should.

try:
    token = AuthToken.objects.get(user=user, client=auth_client)
except AuthToken.DoesNotExist:
    token = AuthToken.objects.create(user=user, client=auth_client)

per client-token pair based throttling

https://docs.djangoproject.com/en/3.1/howto/custom-management-commands/