
Django Rest Framework - Authentication Class - When Post without Auth header not 401 response it goes by

Open · XploitXploit opened this issue 2 years ago · 1 comment

If you pass an incorrect token, it will return a 401 status response. But if you don't put an authorization header on your request, Django will not return a 401 response and will treat the request as an AnonymousUser request.

Is this the common flow of the library? Maybe I am doing things the wrong way.

```python
from rest_framework import generics, viewsets
from rest_framework.permissions import IsAuthenticated
from rest_framework_simplejwt.authentication import JWTAuthentication
from rest_framework_simplejwt.serializers import (
    TokenObtainPairSerializer as TokenObtainPairSerializerSimpleJwt,
)

# Assumed app-local import; the serializer itself was not shown in the issue.
from .serializers import CorporateQuotationSerializer


class CorporateQuotationViewSet(generics.CreateAPIView, viewsets.GenericViewSet):
    serializer_class = CorporateQuotationSerializer
    # Authentication is configured, but no permission class is set, so a
    # request without an Authorization header is handled as AnonymousUser.
    authentication_classes = [JWTAuthentication, ]
    # permission_classes = [IsAuthenticated, ]
```

XploitXploit · Mar 09 '23 19:03

Yes, you are correct. If an incorrect token is passed to the JWTAuthentication class, Django will return a 401 status response. However, if no authorization header is included in the request, Django will not return a 401 response and will instead treat the request as coming from an AnonymousUser.

In the code snippet you provided, the permission_classes attribute is commented out, which means that anonymous access is allowed even when JWTAuthentication is used. To ensure that only authenticated users have access to the view, the permission_classes attribute should be uncommented and set to [IsAuthenticated].

By doing this, Django will return a 401 response if an unauthenticated user tries to access the view. Therefore, uncommenting the permission_classes attribute and setting it to [IsAuthenticated] is recommended if you want to enforce authentication for this view.

I hope this is helpful! 👍

ghost · Apr 17 '23 03:04