
API authentication is not available when LOGIN_REQUIRED is true #724

Closed
moepman opened this issue Dec 6, 2016 · 5 comments
Labels
type: bug A confirmed report of unexpected behavior in the application

Comments

@moepman

moepman commented Dec 6, 2016

The REST API documentation is missing information on how to supply authentication credentials.

@dorkmatt

dorkmatt commented Dec 7, 2016

Agreed, this would be very helpful to document. The in-browser API works fine, but in a real-world scenario CSRF tokens and cookies are unlikely to be used. Traditional HTTP auth doesn't appear to work for the API endpoints.

@jeremystretch
Member

I just dug into this a bit. Although basic HTTP authentication is supported by the REST API, NetBox implements a middleware which redirects all unauthenticated requests to the login page if LOGIN_REQUIRED is true. The redirection occurs before the API can attempt to validate the user.

I believe I've worked around this by exempting all API views from the redirection middleware, and instead enforcing Django REST Framework's built-in authentication when LOGIN_REQUIRED is true. Will have a commit submitted shortly.

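To make the ordering problem described above concrete, here is an added, framework-free model of it; this is not NetBox code and not code posted by anyone in this thread. The middleware, view and helper names (`login_required_middleware`, `api_view`, `handle`, `parse_basic_auth`) and the `Request`/`Response` stand-ins are assumptions chosen for the example; the user store and credentials are constructed. Calling `handle(..., exempt_api=False)` reproduces the pre-fix behaviour, where a request carrying only an `Authorization` header is redirected to the login page before the API can read it; with the default `exempt_api=True`, `/api/` paths bypass the redirect and the view performs HTTP Basic authentication itself, answering with the same `detail` messages that appear in the curl output later in this thread.

```python
"""Model of the LOGIN_REQUIRED redirect middleware versus API Basic authentication.

Constructed example: the Request/Response classes stand in for Django's
HttpRequest/HttpResponse so the file runs without Django installed. All
names here are assumptions for illustration, not NetBox's own.
"""
import base64
import binascii
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LOGIN_URL = "/login/"            # assumed login path
USERS = {"alice": "s3cret"}      # constructed user store; a real app checks hashed passwords


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as seen by middleware."""
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None   # set when a browser session cookie authenticated the user


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


def login_required_middleware(get_response, login_required=True, exempt_prefixes=("/api/",)):
    """Redirect unauthenticated requests to the login page when LOGIN_REQUIRED is set.

    The original bug: the redirect ran on every path, so API clients that sent
    only an Authorization header (no session) were bounced before the API saw
    them. Passing exempt_prefixes=() reproduces that; the default exempts /api/
    and leaves authentication of those requests to the API view.
    """
    def middleware(request):
        if (login_required
                and request.session_user is None
                and not request.path.startswith(LOGIN_URL)
                and not request.path.startswith(exempt_prefixes)):
            return Response(302, headers={"Location": f"{LOGIN_URL}?next={request.path}"})
        return get_response(request)
    return middleware


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an HTTP Basic Authorization header, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def api_view(request: Request) -> Response:
    """Stand-in for an API view that accepts a session or HTTP Basic credentials.

    Both failure cases return 403 with the message texts seen in the thread.
    """
    if request.session_user is not None:
        return Response(200, body="[JSON objects]")
    creds = parse_basic_auth(request.headers.get("Authorization"))
    if creds is None:
        return Response(403, body='{"detail":"Authentication credentials were not provided."}')
    username, password = creds
    # Constant-time comparison; a real application compares against a password hash.
    if not hmac.compare_digest(USERS.get(username, ""), password):
        return Response(403, body='{"detail":"Invalid username/password."}')
    return Response(200, body="[JSON objects]")


def handle(request: Request, exempt_api: bool = True) -> Response:
    """Run a request through the redirect middleware into the API view."""
    prefixes = ("/api/",) if exempt_api else ()
    return login_required_middleware(api_view, exempt_prefixes=prefixes)(request)


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header value curl -u produces."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


if __name__ == "__main__":
    api = Request("/api/ipam/vlans/", {"Authorization": basic_header("alice", "s3cret")})
    print("pre-fix :", handle(api, exempt_api=False).status)   # 302 redirect to login
    print("post-fix:", handle(api).status)                      # 200
    print("no creds:", handle(Request("/api/ipam/vlans/")).body)
```

The browser UI is unaffected either way: a request to a non-API path without a session is still redirected, so exempting `/api/` only removes the redirect for paths that authenticate themselves.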
@jeremystretch jeremystretch added the type: bug A confirmed report of unexpected behavior in the application label Dec 7, 2016
@jeremystretch jeremystretch changed the title API documentation is missing on authentication API authentication is not available when LOGIN_REQUIRED is true Dec 7, 2016
jeremystretch added a commit that referenced this issue Dec 7, 2016
…TTP authentication when LOGIN_REQUIRED is true
@dorkmatt

dorkmatt commented Dec 7, 2016

Not quite: the middleware seems removed, but auth isn't working. Example:

%  curl -H 'Accept: application/json' -u user:password https://netbox.domain.tld/api/ipam/vlans/ -v
*   Trying 192.168.2.2...
* Connected to netbox.domain.tld (192.168.2.2) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: netbox.domain.tld
* Server certificate: Let's Encrypt Authority X3
* Server certificate: DST Root CA X3
* Server auth using Basic with user 'c3noc'
> GET /api/ipam/vlans/ HTTP/1.1
> Host: netbox.domain.tld
> Authorization: Basic YzNub2M6cGFzc3dvcmQ=
> User-Agent: curl/7.43.0
> Accept: application/json
>
< HTTP/1.1 403 Forbidden
< Date: Wed, 07 Dec 2016 20:34:07 GMT
< Server: Apache
< Vary: Accept,Cookie
< X-Frame-Options: SAMEORIGIN
< Allow: GET, HEAD, OPTIONS
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; font-src 'self' data:;
< Transfer-Encoding: chunked
< Content-Type: application/json
<
* Connection #0 to host netbox.domain.tld left intact
{"detail":"Authentication credentials were not provided."}

The same error results for both incorrect and correct credentials. Possibly the DEFAULT_AUTHENTICATION_CLASSES need to be defined?

@jeremystretch
Member

jeremystretch commented Dec 7, 2016

It's working for me:

$ curl "http://localhost:8000/api/dcim/sites/"
{"detail":"Authentication credentials were not provided."}

$ curl "http://localhost:8000/api/dcim/sites/" -u username:badpassword
{"detail":"Invalid username/password."}

$ curl "http://localhost:8000/api/dcim/sites/" -u username:goodpassword
[JSON objects]

BasicAuthentication is included in the default authentication classes so it shouldn't need to be defined explicitly.

@dorkmatt

dorkmatt commented Dec 7, 2016

Works for me. The web server was restarted but not gunicorn; restarting both fixed the issue, thank you.

lampwins pushed a commit to lampwins/netbox that referenced this issue Oct 13, 2017
…o enable basic HTTP authentication when LOGIN_REQUIRED is true
@lock lock bot locked as resolved and limited conversation to collaborators Jan 19, 2020