Token Authentication for RESTful API: should the token be periodically changed?

Question

I'm building a RESTful API with Django and django-rest-framework.

As authentication mechanism we have chosen "Token Authentication" and I have already implemented it following Django-REST-Framework's documentation, the question is, should the application renew / change the Token periodically and if yes how? Should it be the mobile app that requires the token to be renewed or the web-app should do it autonomously?

What is the best practice?

Anybody here experienced with Django REST Framework and could suggest a technical solution?

(the last question has lower priority)

score 126 · Accepted Answer · edited Jul 24 '19 at 11:46

126

It is good practice to have mobile clients periodically renew their authentication token. This of course is up to the server to enforce.

The default TokenAuthentication class does not support this, however you can extend it to achieve this functionality.

For example:

from rest_framework.authentication import TokenAuthentication, get_authorization_header
from rest_framework.exceptions import AuthenticationFailed

class ExpiringTokenAuthentication(TokenAuthentication):
    def authenticate_credentials(self, key):
        try:
            token = self.model.objects.get(key=key)
        except self.model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        # This is required for the time comparison
        utc_now = datetime.utcnow()
        utc_now = utc_now.replace(tzinfo=pytz.utc)

        if token.created < utc_now - timedelta(hours=24):
            raise exceptions.AuthenticationFailed('Token has expired')

        return token.user, token

It is also required to override the default rest framework login view, so that the token is refreshed whenever a login is done:

class ObtainExpiringAuthToken(ObtainAuthToken):
    def post(self, request):
        serializer = self.serializer_class(data=request.data)
        if serializer.is_valid():
            token, created =  Token.objects.get_or_create(user=serializer.validated_data['user'])

            if not created:
                # update the created time of the token to keep it valid
                token.created = datetime.datetime.utcnow()
                token.save()

            return Response({'token': token.key})
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

obtain_expiring_auth_token = ObtainExpiringAuthToken.as_view()

And don't forget to modify the urls:

urlpatterns += patterns(
    '',
    url(r'^users/login/?$', '<path_to_file>.obtain_expiring_auth_token'),
)

edited Jul 24 '19 at 11:46

andorov

4,197
3
39
52

answered Mar 13 '13 at 08:56

odedfos

4,491
3
30
42

10

Wouldn't you want to create a new token in ObtainExpiringAuthToken if it's expired though, rather than just update the timestamp for the old one? – Joar Leth Sep 30 '13 at 12:50
4

Creating a new token makes sense. You could also regenerate the value of the existing tokens key and then you would not have to delete the old token. – odedfos Nov 07 '13 at 14:06
What if i want to clear the token on expiry? When i get_or_create again will a new token get generated or timestamp gets updated? – Sayok88 Jan 10 '18 at 11:38
If you delete the token on expiry, then calling get_or_create from the /users/login would generate a new token with a freshly 'created' timestamp. Note that if the expired token is deleted, you would not be able to differentiate between an Invalid-Token and an Expired-Token. – odedfos Jan 10 '18 at 11:49
Isn't it considered better practice in login situations NOT to give this data to the client (if the token was expired or invalid)? In either case, the client has to get a new token anyway. – BjornW Mar 15 '19 at 15:13
3

Also, you could expire tokens from the table by evicting old ones periodically in a cronjob (Celery Beat or similar), instead of intercepting the validation – BjornW Mar 15 '19 at 15:14
I thought @BjornW response was the simplest; just have a cronjob that deletes all tokens over 1 month old etc. I quickly checked; if you pass an invalid token, it says "Invalid token" – ShibbySham May 10 '20 at 03:55
@odedfos Does it really matter though if a token is invalid vs. expired? An expired token is invalid... – ShibbySham May 10 '20 at 03:59
@ShibbySham yes, additionally, I did implement a scheme similar to this. but discovered that an issue in Django is that sometimes the preceding delete() of an object is not actually run by MySQL before the succeeding create(), which, if there are uniqueness constraints involved, then causes an exception. So one more reason to separate these logics and only do eviction in the cronjob out of line with the creations. (perhaps there is a django decorator or something to force queries to happen in the right order or using the same mysql connection though) – BjornW May 11 '20 at 10:07
1

@BjornW I would just do the eviction and, in my opinion, it's the responsibility of the person integrating with the API (or your front-end) to make a request, they receive, "Invalid token", and then hit the refresh/create new tokens endpoints – ShibbySham May 13 '20 at 08:14

score 33 · Answer 2 · edited Mar 25 '15 at 21:22

If someone is interested by that solution but wants to have a token that is valid for a certain time then gets replaced by a new token here's the complete solution (Django 1.6):

yourmodule/views.py:

import datetime
from django.utils.timezone import utc
from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.authtoken.models import Token
from django.http import HttpResponse
import json

class ObtainExpiringAuthToken(ObtainAuthToken):
    def post(self, request):
        serializer = self.serializer_class(data=request.DATA)
        if serializer.is_valid():
            token, created =  Token.objects.get_or_create(user=serializer.object['user'])

            utc_now = datetime.datetime.utcnow()    
            if not created and token.created < utc_now - datetime.timedelta(hours=24):
                token.delete()
                token = Token.objects.create(user=serializer.object['user'])
                token.created = datetime.datetime.utcnow()
                token.save()

            #return Response({'token': token.key})
            response_data = {'token': token.key}
            return HttpResponse(json.dumps(response_data), content_type="application/json")

        return HttpResponse(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

obtain_expiring_auth_token = ObtainExpiringAuthToken.as_view()

yourmodule/urls.py:

from django.conf.urls import patterns, include, url
from weights import views

urlpatterns = patterns('',
    url(r'^token/', 'yourmodule.views.obtain_expiring_auth_token')
)

your project urls.py (in the urlpatterns array):

url(r'^', include('yourmodule.urls')),

yourmodule/authentication.py:

import datetime
from django.utils.timezone import utc
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions

class ExpiringTokenAuthentication(TokenAuthentication):
    def authenticate_credentials(self, key):

        try:
            token = self.model.objects.get(key=key)
        except self.model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        utc_now = datetime.datetime.utcnow()

        if token.created < utc_now - datetime.timedelta(hours=24):
            raise exceptions.AuthenticationFailed('Token has expired')

        return (token.user, token)

In your REST_FRAMEWORK settings add ExpiringTokenAuthentication as an Authentification class instead of TokenAuthentication:

REST_FRAMEWORK = {

    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
        #'rest_framework.authentication.TokenAuthentication',
        'yourmodule.authentication.ExpiringTokenAuthentication',
    ),
}

I'm getting the error `'ObtainExpiringAuthToken' object has no attribute 'serializer_class'` when I try to access the api endpoint. Not sure what I am missing. — Dharmit, Jan 22 '15 at 11:02
Interesting solution, which I'll test out later; at the moment your post helped me to get on the right track as I'd simply forgot to set the AUTHENTICATION_CLASSES. — normic, Jan 20 '17 at 03:02
Coming late to the party but I needed to make some subtle changes to make it work. 1) utc_now = datetime.datetime.utcnow() should be utc_now = datetime.datetime.utcnow().replace(tzinfo=pytz.UTC) 2) In class ExpiringTokenAuthentication(TokenAuthentication): You need model, self.model = self.get_model() — Ishan Bhatt, Dec 12 '18 at 06:46
In Django 4.1 instead of using self.model should use model = self.get_model() if you get an error in self.model.DoesNotExist — Adrián E, Aug 08 '23 at 15:40

score 7 · Answer 3 · answered Apr 24 '18 at 01:27

Thought I'd give a Django 2.0 answer using DRY. Somebody already built this out for us, google Django OAuth ToolKit. Available with pip, pip install django-oauth-toolkit. Instructions on adding the token ViewSets with routers: https://django-oauth-toolkit.readthedocs.io/en/latest/rest-framework/getting_started.html. It's similar to the official tutorial.

So basically OAuth1.0 was more yesterday's security which is what TokenAuthentication is. To get fancy expiring tokens, OAuth2.0 is all the rage these days. You get an AccessToken, RefreshToken, and scope variable to fine tune the permissions. You end up with creds like this:

{
    "access_token": "<your_access_token>",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "<your_refresh_token>",
    "scope": "read"
}

Definitely agree with you, it helps to manage auth more easily and it is battle-tested. — Jasurbek Nabijonov, Jan 24 '21 at 20:23

score 6 · Answer 4 · edited May 23 '17 at 10:31

I've tried @odedfos answer but I had misleading error. Here is the same answer, fixed and with proper imports.

views.py

from django.utils import timezone
from rest_framework import status
from rest_framework.response import Response
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.views import ObtainAuthToken

class ObtainExpiringAuthToken(ObtainAuthToken):
    def post(self, request):
        serializer = self.serializer_class(data=request.DATA)
        if serializer.is_valid():
            token, created =  Token.objects.get_or_create(user=serializer.object['user'])

            if not created:
                # update the created time of the token to keep it valid
                token.created = datetime.datetime.utcnow().replace(tzinfo=utc)
                token.save()

            return Response({'token': token.key})
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

authentication.py

from datetime import timedelta
from django.conf import settings
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions

EXPIRE_HOURS = getattr(settings, 'REST_FRAMEWORK_TOKEN_EXPIRE_HOURS', 24)

class ExpiringTokenAuthentication(TokenAuthentication):
    def authenticate_credentials(self, key):
        try:
            token = self.model.objects.get(key=key)
        except self.model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        if token.created < timezone.now() - timedelta(hours=EXPIRE_HOURS):
            raise exceptions.AuthenticationFailed('Token has expired')

        return (token.user, token)

ramwin · Answer 5 · 2018-12-27T02:48:52.190

The author asked

the question is, should the application renew / change the Token periodically and if yes how? Should it be the mobile app that requires the token to be renewed or the web-app should do it autonomously?

But all of the answers are writing about how to automatically change the token.

I think change token periodically by token is meaningless. The rest framework create a token that has 40 characters, if the attacker tests 1000 token every second, it requires 16**40/1000/3600/24/365=4.6*10^7 years to get the token. You should not worried that the attacker will test your token one by one. Even you changed your token, the probability of guess you token is the same.

If you are worried that maybe the attackers can get you token, so you change it periodically, than after the attacker get the token, he can also change you token, than the real user is kicked out.

What you should really do is to prevent tha attacker from getting your user's token, use https.

By the way, I'm just saying change token by token is meaningless, change token by username and password is sometimes meanful. Maybe the token is used in some http environment (you should always avoid this kind of situation) or some third party (in this case, you should create different kind of token, use oauth2) and when the user is doing some dangerous thing like changing binding mailbox or delete account, you should make sure you will not use the origin token anymore because it may has been revealed by the attacker using sniffer or tcpdump tools.

Yes, agree, you should get a new access token by some other means (than an old access token). Like with a refresh token (or the old way of forcing a new login with password at least). — BjornW, Mar 16 '19 at 11:18

score 4 · Answer 6 · edited May 23 '17 at 12:34

4

You can leverage http://getblimp.github.io/django-rest-framework-jwt

This library is able generate token that has an expiration date

To understand the difference between DRF default token and the token provide by the DRF take a look at:

How to make Django REST JWT Authentication scale with mulitple webservers?

edited May 23 '17 at 12:34

Community

1
1

answered May 09 '15 at 05:25

Angky William

171
2
6

score 2 · Answer 7 · edited May 17 '21 at 07:22

It's a good practice to set an expiration mechanism on your app whether for mobile client or web client. There are two common solutions:

system expires token (after specific time) and user has to login again to gain new valid token.
system automatically expires old token (after specific time) and replaces it with new one (change token).

Common things in both of solutions:

Changes in settings.py

DEFAULT_AUTHENTICATION_CLASSES = [
# you replace right path of 'ExpiringTokenAuthentication' class
'accounts.token_utils.ExpiringTokenAuthentication'
]

TOKEN_EXPIRED_AFTER_MINUTES = 300

Create token_utils.py

from django.conf import settings
from datetime import timedelta

from django.conf import settings
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework.authtoken.models import Token
from rest_framework.exceptions import AuthenticationFailed


def expires_in(token: Token):
elapsed_time = timezone.now() - token.created
return timedelta(minutes=settings.TOKEN_EXPIRED_AFTER_MINUTES) - elapsed_time

def is_token_expired(token):
return expires_in(token) < timedelta(seconds=0)

Changes in your views:

@api_view(['GET'])
@authentication_classes([ExpiringTokenAuthentication])
@permission_classes([IsAuthenticated])
def test(request):
    ...
return Response(response, stat_code)

If using option 1, add these lines to token_utils.py

def handle_token_expired(token):
Token.objects.filter(key=token).delete()


class ExpiringTokenAuthentication(TokenAuthentication):

    def authenticate_credentials(self, key):
        try:
            token = Token.objects.get(key=key)
        except Token.DoesNotExist:
            raise AuthenticationFailed("Invalid Token!")

        if not token.user.is_active:
            raise AuthenticationFailed("User inactive or deleted")

        if is_token_expired(token):
            handle_token_expired(token)
            msg = "The token is expired!, user have to login again." 
            response = {"msg": msg}
            raise AuthenticationFailed(response)

    return token.user, token

If using option 2, add these lines to token_utils.py

def handle_token_expired(token):
    is_expired = is_token_expired(token)
    if is_expired:
        token.delete()
        token = Token.objects.create(user = token.user)
    return is_expired, token


class ExpiringTokenAuthentication(TokenAuthentication):
    """
    when token is expired, it will be removed
    and new one will be created
    """
    def authenticate_credentials(self, key):
        try:
            token = Token.objects.get(key = key)
        except Token.DoesNotExist:
            raise AuthenticationFailed("Invalid Token")
    
        if not token.user.is_active:
            raise AuthenticationFailed("User is not active")

        is_expired, token = handle_token_expired(token)
        if is_expired:
            raise AuthenticationFailed("The Token is expired")
    
        return (token.user, token)

score 0 · Answer 8 · answered Feb 18 '13 at 17:10

0

If you notice that a token is like a session cookie then you could stick to the default lifetime of session cookies in Django: https://docs.djangoproject.com/en/1.4/ref/settings/#session-cookie-age.

I don't know if Django Rest Framework handles that automatically but you can always write a short script which filters out the outdated ones and marks them as expired.

answered Feb 18 '13 at 17:10

Tomasz Zieliński

16,136
7
59
83

1

Token Authentication doesn't use cookies – s29 Apr 02 '15 at 04:58

score 0 · Answer 9 · answered Aug 28 '18 at 23:45

Just thought I would add mine as this was helpful for me. I usually go with the JWT method but sometimes something like this is better. I updated the accepted answer for django 2.1 with proper imports..

authentication.py

from datetime import timedelta
from django.conf import settings
from django.core.exceptions import ObjectDoesNotExist
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions

EXPIRE_HOURS = getattr(settings, 'REST_FRAMEWORK_TOKEN_EXPIRE_HOURS', 24)


class ExpiringTokenAuthentication(TokenAuthentication):
    def authenticate_credentials(self, key):
        try:
            token = self.get_model().objects.get(key=key)
        except ObjectDoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        if token.created < timezone.now() - timedelta(hours=EXPIRE_HOURS):
            raise exceptions.AuthenticationFailed('Token has expired')

    return token.user, token

views.py

import datetime
from pytz import utc
from rest_framework import status
from rest_framework.response import Response
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.authtoken.serializers import AuthTokenSerializer


class ObtainExpiringAuthToken(ObtainAuthToken):
    def post(self, request, **kwargs):
        serializer = AuthTokenSerializer(data=request.data)

        if serializer.is_valid():
            token, created = Token.objects.get_or_create(user=serializer.validated_data['user'])
            if not created:
                # update the created time of the token to keep it valid
                token.created = datetime.datetime.utcnow().replace(tzinfo=utc)
                token.save()

            return Response({'token': token.key})
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

score 0 · Answer 10 · answered Apr 14 '20 at 17:07

just to keep adding to @odedfos answer, I think there have been some changes to the syntax so the code of ExpiringTokenAuthentication needs some adjusting:

from rest_framework.authentication import TokenAuthentication
from datetime import timedelta
from datetime import datetime
import datetime as dtime
import pytz

class ExpiringTokenAuthentication(TokenAuthentication):

    def authenticate_credentials(self, key):
        model = self.get_model()
        try:
            token = model.objects.get(key=key)
        except model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        # This is required for the time comparison
        utc_now = datetime.now(dtime.timezone.utc)
        utc_now = utc_now.replace(tzinfo=pytz.utc)

        if token.created < utc_now - timedelta(hours=24):
            raise exceptions.AuthenticationFailed('Token has expired')

        return token.user, token

Also, don't forget to add it to DEFAULT_AUTHENTICATION_CLASSES instead of rest_framework.authentication.TokenAuthentication

score 0 · Answer 11 · answered Nov 06 '20 at 15:56

If anyone wants to expire the token after certain time of inactivity, below answer would help. I am tweaking one of the answers given here. I have added comments to the code I added

from rest_framework.authentication import TokenAuthentication
from datetime import timedelta
from datetime import datetime
import datetime as dtime
import pytz

class ExpiringTokenAuthentication(TokenAuthentication):

    def authenticate_credentials(self, key):
        model = self.get_model()
        try:
            token = model.objects.get(key=key)
        except model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        # This is required for the time comparison
        utc_now = datetime.now(dtime.timezone.utc)
        utc_now = utc_now.replace(tzinfo=pytz.utc)

        if token.created < utc_now - timedelta(minutes=15):  # TOKEN WILL EXPIRE AFTER 15 MINUTES OF INACTIVITY
            token.delete() # ADDED THIS LINE SO THAT EXPIRED TOKEN IS DELETED
            raise exceptions.AuthenticationFailed('Token has expired')
        else: 
            token.created = utc_now #THIS WILL SET THE token.created TO CURRENT TIME WITH EVERY REQUEST
            token.save() #SAVE THE TOKEN

        return token.user, token

Token Authentication for RESTful API: should the token be periodically changed?

11 Answers11

Changes in settings.py

Create token_utils.py

Changes in your views:

Linked