API authentication is not available when LOGIN_REQUIRED is true #566

Closed
opened 2025-12-29 16:23:17 +01:00 by adam · 5 comments

Originally created by @moepman on GitHub (Dec 6, 2016).

The REST API documentation is missing information on how to supply authentication credentials.

adam added the type: bug label 2025-12-29 16:23:17 +01:00
adam closed this issue 2025-12-29 16:23:17 +01:00

@dorkmatt commented on GitHub (Dec 7, 2016):

Agreed this would be very helpful to document, the in-browser API works fine - but in a real world scenario CSRF tokens & cookies are unlikely to be used. Traditional HTTP auth doesn't appear to work for the API endpoints.


@jeremystretch commented on GitHub (Dec 7, 2016):

I just dug into this a bit. Although basic HTTP authentication is supported by the REST API, NetBox implements a middleware which redirects all unauthenticated requests to the login page if LOGIN_REQUIRED is true. The redirection occurs before the API can attempt to validate the user.

I believe I've worked around this by exempting all API views from the redirection middleware, and instead enforcing Django REST Framework's built-in authentication when LOGIN_REQUIRED is true. Will have a commit submitted shortly.


@dorkmatt commented on GitHub (Dec 7, 2016):

Not quite, the middleware seems removed but auth isn't working - example:

```
%  curl -H 'Accept: application/json' -u user:password https://netbox.domain.tld/api/ipam/vlans/ -v
*   Trying 192.168.2.2...
* Connected to netbox.domain.tld (192.168.2.2) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: netbox.domain.tld
* Server certificate: Let's Encrypt Authority X3
* Server certificate: DST Root CA X3
* Server auth using Basic with user 'c3noc'
> GET /api/ipam/vlans/ HTTP/1.1
> Host: netbox.domain.tld
> Authorization: Basic YzNub2M6cGFzc3dvcmQ=
> User-Agent: curl/7.43.0
> Accept: application/json
>
< HTTP/1.1 403 Forbidden
< Date: Wed, 07 Dec 2016 20:34:07 GMT
< Server: Apache
< Vary: Accept,Cookie
< X-Frame-Options: SAMEORIGIN
< Allow: GET, HEAD, OPTIONS
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; font-src 'self' data:;
< Transfer-Encoding: chunked
< Content-Type: application/json
<
* Connection #0 to host netbox.domain.tld left intact
{"detail":"Authentication credentials were not provided."}
```

The same error results for both incorrect and correct credentials. Possibly the DEFAULT_AUTHENTICATION_CLASSES need to be defined?


@jeremystretch commented on GitHub (Dec 7, 2016):

It's working for me:

```
$ curl "http://localhost:8000/api/dcim/sites/"
{"detail":"Authentication credentials were not provided."}

$ curl "http://localhost:8000/api/dcim/sites/" -u username:badpassword
{"detail":"Invalid username/password."}

$ curl "http://localhost:8000/api/dcim/sites/" -u username:goodpassword
[JSON objects]
```

BasicAuthentication is included in the default authentication classes so it shouldn't need to be defined explicitly.

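The two comments above describe the root cause (a login-redirect middleware that fires before the API can read the `Authorization` header when `LOGIN_REQUIRED` is true) and the expected behaviour once API paths are exempted and DRF's own authentication is enforced instead. The following is an added, self-contained Python model of that flow, not NetBox or Django REST Framework code: the `Request`/`Response` classes, the `USERS` table, the `/api/` prefix test and the `exempt_api` switch are constructed for the illustration. The three response bodies mirror the ones quoted in the thread, and the `exempt_api=False` path reproduces the pre-fix behaviour in which valid Basic credentials are never examined because the redirect wins first.

```python
"""Model of LOGIN_REQUIRED redirect middleware vs. API authentication.

Added illustration only; it does not import Django or DRF. Constants and
credentials below are constructed for the example.
"""
import base64
import hmac
from dataclasses import dataclass, field
from typing import Optional

LOGIN_REQUIRED = True
LOGIN_URL = "/login/"
# Constructed user store (hypothetical); real deployments hash passwords.
USERS = {"username": "goodpassword"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    session_user: Optional[str] = None  # set when a browser session cookie is valid


@dataclass
class Response:
    status: int
    body: Optional[dict] = None
    location: Optional[str] = None


def parse_basic_auth(header: Optional[str]):
    """Return (user, password) from an HTTP Basic header, or None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def drf_style_authenticate(request: Request) -> Response:
    """Mimic the DRF BasicAuthentication + IsAuthenticated outcomes seen in the thread."""
    creds = parse_basic_auth(request.headers.get("Authorization"))
    if creds is None:
        return Response(403, {"detail": "Authentication credentials were not provided."})
    user, password = creds
    expected = USERS.get(user, "")
    if not (user in USERS and hmac.compare_digest(expected, password)):
        return Response(403, {"detail": "Invalid username/password."})
    return Response(200, {"results": [], "user": user})


def login_required_middleware(request: Request, get_response, exempt_api: bool = True) -> Response:
    """Redirect anonymous browser requests to the login page.

    With exempt_api=False (the behaviour the thread reports), API requests are
    redirected too, so the Authorization header is never inspected.
    """
    is_api = request.path.startswith("/api/")
    if LOGIN_REQUIRED and request.session_user is None and not (exempt_api and is_api):
        return Response(302, location=f"{LOGIN_URL}?next={request.path}")
    return get_response(request)


def view(request: Request) -> Response:
    """API views enforce DRF-style auth themselves; UI views rely on the middleware."""
    if request.path.startswith("/api/") and LOGIN_REQUIRED:
        return drf_style_authenticate(request)
    return Response(200, {"page": request.path})


def handle(request: Request, exempt_api: bool = True) -> Response:
    return login_required_middleware(request, view, exempt_api=exempt_api)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value curl -u sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    api = "/api/dcim/sites/"
    print(handle(Request(api)).body)
    print(handle(Request(api, {"Authorization": basic_header("username", "badpassword")})).body)
    print(handle(Request(api, {"Authorization": basic_header("username", "goodpassword")})).status)
    print(handle(Request(api, {"Authorization": basic_header("username", "goodpassword")}), exempt_api=False).status)
```

The useful check when debugging a 403 like the one above is the third case against the first: if correct credentials still return "credentials were not provided", the header is not reaching the authenticator at all, which points at a middleware or a stale worker process rather than at `DEFAULT_AUTHENTICATION_CLASSES`.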

@dorkmatt commented on GitHub (Dec 7, 2016):

Works for me, the web server was restarted but not gunicorn - restarting both fixed the issue, thank you.

Reference: starred/netbox#566