Change Proposal on TokenAuthentication

[quertenmont]

I propose a switch of logic regarding the TokenAuthentication class.

Today the authentication is done by getting the token with a select_related on the user.
This current approach is different from other authentication scheme, where the get is done on the user and credentical are checked in a second step.

The issue with the current approach is that you can't define "select_related" or other customization on the UserModel default manager. So I would propose to swap the logic to make the get on the user model itself and joined on the token table.

Today:

    def authenticate_credentials(self, key):
        model = self.get_model()
        try:
            token = model.objects.select_related('user').get(key=key)
        except model.DoesNotExist:
            raise exceptions.AuthenticationFailed(_('Invalid token.'))

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))

        return (token.user, token)

My Proposal:

from django.contrib.auth import get_user_model
from rest_framework.authentication import TokenAuthentication as DefaultTokenAuthentication
class TokenAuthentication(DefaultTokenAuthentication):
    def authenticate_credentials(self, key):
        try:
            user = get_user_model()._default_manager.select_related("auth_token").get(auth_token__key=key)
        except model.DoesNotExist:
            raise exceptions.AuthenticationFailed(_('Invalid token.'))

        if not user.is_active:
            raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))

        return (user, user.auth_token)

That's quite a minor change but it allows to improve the performance on joined user tables (typically on the user profile table)

[jerinpetergeorge]

I think you've missed the point of the model attribute

django-rest-framework/rest_framework/authentication.py

Line 162 in 010c8d4

model = None

This attribute makes things easy for us when inheriting the TokenAuthentication class with a custom model.

[quertenmont]

Not really.
The "model" attribute could easily be conserved within my proposal by switching to a "related_token_model".
That would by default be "auth_token" and could be changed to anything else.
This would allow to keep the benefits of adding all wanted customization on user model as I initially pointed out.

Loic