REST Easy — API Security Done Right by Jeff Schenck
State of REST Django REST Framework has clearly broken away with a ton of momentum, and with good reason. It's a solid framework, and the tools it provides right out of the box — serialization, validation, nested relationships — are splendid. It even provides basic authentication and authorization baked right in, which works great in the very simple cases.
However, when you start encountering slightly more complicated API permission setups, things start to get messy.
REST Security There's a big tectonic shift when trading in your traditional request-response-Django site for a frontend-framework-API-Django site. Your application logic used to reside almost entirely server-side, but now it's split — half server-side, half browser-side. And the trick with browser-side code is it runs in a completely untrusted environment. So we're faced with a much more complicated security situation to batten down.
You need different authentication strategies: session auth, JWT token auth, API keys, signed URLs, and combinations thereof. You have different permission strategies: table-level, row-level, column-level, and combinations thereof. It gets real complicated.
REST Easy I'll show how to use the tools at our disposal — Django groups and permissions, REST Frameworks's permission classes, third-party libraries — to cobble together a passable security setup for your API. You'll get plenty of code samples, detailing the kinds of setups we put together for our site and the custom tooling we built to do it.
Next-Level REST We'll end by talking about how our tools can serve us better in the future. If Django is going to have a strong place in the future of the web, we need strong tooling for building APIs. This is how we'll get there.
Help us caption & translate this video!