In Django Rest Framework have two types of authenticated session token method one is Authentication using default RFW Django and the second one is Django JWT-JSON Web Token Authentication

(PARTH JANI) #1

which one is standard ?

0 Likes

(Basil Jose) #2

Both are standard, JWT is more secure than builtin Token auth.

They both carrying out similar tasks with few differences.

Token

DRF’s builtin Token Authentication

  1. One Token for all sessions
  2. No time stamp on the token

DRF JWT Token Authentication

  1. One Token per session
  2. Expiry timestamp on each token

Database access

DRF’s builtin Token Authentication

  1. Database access to fetch the user associated with the token
  2. Verify user’s status
  3. Authenticate the user

DRF JWT Token Authentication

  1. Decode token (get payload)
  2. Verify token timestamp (expiry)
  3. Database access to fetch user associated with the id in the payload
  4. Verify user’s status
  5. Authenticate the user

Pros

DRF’s builtin Token Authentication

  1. Allows forced-logout by replacing the token in the database (ex: password change)

DRF JWT Token Authentication

  1. Token with an expiration time
  2. No database hit unless the token is valid

Cons

DRF’s builtin Token Authentication

  1. Database hit on all requests
  2. Single token for all sessions

DRF JWT Token Authentication

  1. Unable to recall the token without tracking it in the database
  2. Once the token is issued, anyone with the token can make requests
  3. Specs are open to interpretations, no consensus on how to do refresh
3 Likes

(PARTH JANI) #3

Thank you very much @basil.jose for excellent informative elaborate answer

0 Likes

(Vitor Freitas) #4

Great pros and cons @basil.jose!

0 Likes