Session Tokens

Introduction

When using allauth headless in non-browser contexts, such as mobile apps, a session token is used to keep track of the authentication state. This session token is handed over by the app by providing the X-Session-Token request header.

If you do not have any requirements that prescribe a specific token strategy, the simplest way forward is to use the X-Session-Token authentication mechanism for your own APIs as well. In order to do so, integration with Django Ninja and Django REST framework is offered out of the box.

Securing Your API Endpoints

Django Ninja

For Django Ninja, the following security class is available:

class allauth.headless.contrib.ninja.security.XSessionTokenAuth

This security class uses the X-Session-Token that django-allauth is using for authentication purposes.

get_session_token(request: HttpRequest) → str | None: Returns the session token for the given request, by looking up the X-Session-Token header. Override this if you want to extract the token from e.g. the Authorization header.

An example on how to use that security class in your own code is listed below:

from allauth.headless.contrib.ninja.security import x_session_token_auth
from ninja import NinjaAPI

api = NinjaAPI()

@api.get("/your/own/api", auth=[x_session_token_auth])
def your_own_api(request):
    ...

Django REST framework

For Django REST framework, the following authentication class is available:

class allauth.headless.contrib.rest_framework.authentication.XSessionTokenAuthentication

This authentication class uses the X-Session-Token that django-allauth is using for authentication purposes.

authenticate(request: HttpRequest): Authenticate the request and return a two-tuple of (user, token).

get_session_token(request: HttpRequest) → str | None: Returns the session token for the given request, by looking up the X-Session-Token header. Override this if you want to extract the token from e.g. the Authorization header.

An example on how to use that authentication class in your own code is listed below:

from allauth.headless.contrib.rest_framework.authentication import (
    XSessionTokenAuthentication,
)
from rest_framework import permissions
from rest_framework.views import APIView

class YourOwnAPIView(APIView):

    authentication_classes = [
        XSessionTokenAuthentication,
    ]
    permission_classes = [permissions.IsAuthenticated]

    def get(self, request):
        ...