SECURITY_DEFINITIONS type 'apiKey' isn't compatible with `rest_framework.authentication.TokenAuthentication`

[respondcreate]

When using rest_framework.authentication.TokenAuthentication, a token is validated by being in the Authorization header with a keyword, 'Token ', pre-pending the actual token value. If I use the settings below, the token is added to the Authorization header but it is not prepended by 'Token ':

SWAGGER_SETTINGS = {
    'SECURITY_DEFINITIONS': {
        'api_key': {
            'type': 'apiKey',
            'description': 'Personal API Key authorization',
            'name': 'Authorization',
            'in': 'header',
        }
    }
}

This means entering a valid token in the Swagger Authorize button returns a 401 Unauthorized response since requests are sent like this (note the lack of 'Token ' prepending token value in the 'Authorization' header): curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: a-token-value' 'http://hostname/api/some-endpoint/'

Is it possible to configure SWAGGER_SETTINGS['SECURITY_DEFINITIONS'] in a way that apiKey/token values are prepended by a keyword (as rest_framework.authentication.TokenAuthentication expects link to relevant code)?

NOTE: Token auth (via the swagger interface) worked this way in the 0.3.10 release (here's a link to where it's happening in the codebase. If this is not possible currently, what would it take to implement this? My guess would be two things:

1. Add the ability to add a 'keyword' option to the SECURITY_DEFINITIONS (maybe 'key_prefix' which would default to an empty string) which would then be passed along to the swagger view context.
2. Update the javascript to look for this value and prepend a token value with it. Admittedly my javascript skills aren't the best but if you could show me where I would need to shim the code from the afore-linked example in the paragraph into the current codebase I'd be more than willing to do it.

[respondcreate]

Hey @marcgibbons –

I did a bit of code-sleuthing and it appears I'd need to shim the keyword in this part of the code into line 1212 (obj.headers[this.name] = this.value;) of rest_framework_swagger/static/rest_framework_swagger/swagger-ui.js. Here's the codeblock in context (I can't link directly to it as github says the file is too big to show in its UI):

else if (this.type === 'header') {
    if(typeof obj.headers[this.name] === 'undefined') {
      obj.headers[this.name] = this.value;
    }

[maxcanada]

Hi,

After upgrading our version of rest swagger for django, we are facing the same problem. We use TokenAuthentication for our API and whatever I put in the "Authorize" button in the UI, it simply doesn't work.

    'SECURITY_DEFINITIONS': {
        'api_key': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization'
        }
    },

Those are my settings, pretty common ones.

Is it a bug or is there a way to make the code work with TokenAuthentication?

Currently, all my public APIs endpoints are shown, but none of them requiring authentication.

Best,

[mwatchi]

Same here. I would be willing to live with the token authorization not working, but the fact that it now hides all the API's that require it prevents me from upgrading to this version of DRF swagger.

[dannywillems]

@respondcreate @mwatchi @maxcanada See #662. Need to generate the minified JS before merging, and maybe find a better way because it's an ugly hack IMHO.

[respondcreate]

Hey @marcgibbons !

Would you mind taking a look at #662 and see if it's OK to merge? Thanks so much for tackling this @dannywillems !!

[respondcreate]

Hey @marcgibbons !

Just wanted to ping you again about this issue, any chance you'd be willing to merge this in order to get token auth working via the swagger interface?

[dilipkhemani]

Hey @marcgibbons !

Were you able to look into this. Has this now been resolved. Unable to use Swagger since the Authorization header needs to be prepended by 'Token'. Thanks in advance.

[maxblax]

Hey @marcgibbons
Just wanted an update on this issue. Facing the same problem as I'm using Token base Auth from djoser.
Thank you in advance!

[maxblax]

Check answer of https://stackoverflow.com/questions/39547208/django-rest-framework-swagger-authentication-error
It works for me.
Basically
SWAGGER_SETTINGS = {
'SECURITY_DEFINITIONS': {
'api_key': {
# apiKey Type
'type': 'apiKey',
'name': 'Authorization',
'in': 'header'
}
},

"LOGIN_URL": "auth/login/",
"LOGOUT_URL": "auth/logout/"

}

In the docs UI when prompt value enter:
Token

Provided you authentified before, for example manually with:
https::auth/login/