DEV Community: Michal Dobrzycki The latest articles on DEV Community by Michal Dobrzycki (@misiekofski). https://dev.to/misiekofski https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F401714%2Fee5489c7-0ed2-495a-8bb6-e21e026fd777.png DEV Community: Michal Dobrzycki https://dev.to/misiekofski en Create proper REST API with Django, DRF, JWT and OpenApi - testing Michal Dobrzycki Sat, 26 Sep 2020 15:42:18 +0000 https://dev.to/misiekofski/create-proper-rest-api-with-django-drf-jwt-and-openapi-testing-2o16 https://dev.to/misiekofski/create-proper-rest-api-with-django-drf-jwt-and-openapi-testing-2o16 <p>This is a continuation of <a href="https://dev.to/misiekofski/create-proper-rest-api-with-django-drf-jwt-and-openapi-chp">previous post</a></p> <h1> <em>Summary of this post.</em> </h1> <ol> <li>Install pytest and configure it for Django project</li> <li>Write a test that checks Profile and User count (it should be the same)</li> <li>Write the test that checks if the User can edit his Profile</li> <li>Write the test that checks if the User cannot edit other Profile than his own.</li> <li>Fix bugs found by our tests</li> <li>Create Github Actions to validate every pull request to <code>master</code> branch</li> <li>Play with the builds in Github Actions</li> </ol> <h2> Step #1 - install pytest and configure it </h2> <p>I'll assume for this article, that you have a good knowledge of <a href="https://docs.pytest.org/en/stable/" rel="noopener noreferrer">pytest</a>. If not, please read first <a href="https://djangostars.com/blog/django-pytest-testing/" rel="noopener noreferrer">this article</a></p> <p>Let's start with writing tests for our REST API. First, we need to install pytest-django (wrapper for pytest, which will help us to write more complex tests much easier), install it with the command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pip install pytest-django </code></pre> </div> <p>Then we need to create pytest.ini file which will be used by <code>pytest</code> as a configuration to run tests in our application<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[pytest] DJANGO_SETTINGS_MODULE = restapi_article.settings python_files = tests.py test_*.py *_tests.py </code></pre> </div> <h2> Step 2 - Write a test that checks Profile and User count </h2> <p>Now we can start writing tests. Because in the previous article we used signals to create Profile along with User, let's write a test that will check the number of Users and Profiles in DB is the same (we want to create a new user and then see that amount of profiles is the same).</p> <p><code>@pytest.mark.django_db</code> decorator will allow us to use clean DB (right now we are using default SQLite) in our tests. So running <code>pytest</code> will use our <code>settings.py</code> to use configured <br> DB, and after the test, everything will be reverted back to the state before tests were executed. So first easy test will look like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pytest</span> <span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Profile</span> <span class="nd">@pytest.mark.django_db</span> <span class="k">def</span> <span class="nf">test_user_create_creates_profile</span><span class="p">():</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">create_user</span><span class="p">(</span><span class="sh">'</span><span class="s">michal</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">test@scvconsultants.com</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">michalpassword</span><span class="sh">'</span><span class="p">)</span> <span class="k">assert</span> <span class="n">Profile</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">count</span><span class="p">()</span> <span class="o">==</span> <span class="mi">1</span> <span class="k">assert</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">count</span><span class="p">()</span> <span class="o">==</span> <span class="mi">1</span> </code></pre> </div> <h2> Step 3 - Write the test that checks if the User can edit his Profile </h2> <p>Now we should test that the user can update his (and only his) profile. So let's write a test (I'll extend the previous test to test Profile). The modified test case will check that:</p> <ol> <li>Creating User creates also Profile in DB</li> <li>User field in created Profile will link to the correct User URL</li> <li>Next we'll obtain the token for the created user and save it in the script to authorize the next API call.</li> <li>With this token we'll populate Profile with some data.</li> <li>And check that response from PUT API call contains the same data that was sent in the previous request.</li> </ol> <p>First, we need to add a fixture to use <code>ApiClient</code> from <code>rest_framework.test</code>. Let's add this to <code>tests.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@pytest.fixture</span> <span class="k">def</span> <span class="nf">api_client</span><span class="p">():</span> <span class="kn">from</span> <span class="n">rest_framework.test</span> <span class="kn">import</span> <span class="n">APIClient</span> <span class="k">return</span> <span class="nc">APIClient</span><span class="p">()</span> </code></pre> </div> <p>And now we can use this fixture and extend the previous test. Please notice that i've changed test name, but it still checks the number of users:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@pytest.mark.django_db</span> <span class="k">def</span> <span class="nf">test_user_can_update_his_profile</span><span class="p">(</span><span class="n">api_client</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">create_user</span><span class="p">(</span><span class="sh">'</span><span class="s">michal</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">test@scvconsultants.com</span><span class="sh">'</span><span class="p">,</span> <span class="sh">"</span><span class="s">michalpassword</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">Profile</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">count</span><span class="p">()</span> <span class="o">==</span> <span class="mi">1</span> <span class="k">assert</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">count</span><span class="p">()</span> <span class="o">==</span> <span class="mi">1</span> <span class="n">profile_url</span> <span class="o">=</span> <span class="nf">reverse</span><span class="p">(</span><span class="sh">'</span><span class="s">profile-detail</span><span class="sh">'</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">[</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">])</span> <span class="n">user_url</span> <span class="o">=</span> <span class="nf">reverse</span><span class="p">(</span><span class="sh">'</span><span class="s">user-detail</span><span class="sh">'</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">[</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">])</span> <span class="c1"># check that profile was created for created user </span> <span class="n">response</span> <span class="o">=</span> <span class="n">api_client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">profile_url</span><span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">].</span><span class="nf">endswith</span><span class="p">(</span><span class="n">user_url</span><span class="p">)</span> <span class="c1">#create bio </span> <span class="n">bio_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">:</span> <span class="n">response</span><span class="p">.</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">],</span> <span class="sh">"</span><span class="s">bio</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">This is test user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">location</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Wroclaw</span><span class="sh">"</span> <span class="p">}</span> <span class="c1">#create login data as user.password contains now encrypted string </span> <span class="n">login_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="n">username</span><span class="p">,</span> <span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">michalpassword</span><span class="sh">"</span> <span class="p">}</span> <span class="c1"># get token </span> <span class="n">token_url</span> <span class="o">=</span> <span class="nf">reverse</span><span class="p">(</span><span class="sh">'</span><span class="s">token_obtain_pair</span><span class="sh">'</span><span class="p">)</span> <span class="n">token</span> <span class="o">=</span> <span class="n">api_client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">token_url</span><span class="p">,</span> <span class="n">login_data</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">'</span><span class="s">json</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># check that access token was sent in response </span> <span class="k">assert</span> <span class="n">token</span><span class="p">.</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">access</span><span class="sh">'</span><span class="p">]</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="c1"># add http authorization header with Bearer prefix </span> <span class="n">api_client</span><span class="p">.</span><span class="nf">credentials</span><span class="p">(</span><span class="n">HTTP_AUTHORIZATION</span><span class="o">=</span><span class="sh">'</span><span class="s">Bearer </span><span class="sh">'</span> <span class="o">+</span> <span class="n">token</span><span class="p">.</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">access</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># update profile </span> <span class="n">response</span> <span class="o">=</span> <span class="n">api_client</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="n">profile_url</span><span class="p">,</span> <span class="n">bio_data</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">'</span><span class="s">json</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># validate response </span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">bio</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="n">bio_data</span><span class="p">[</span><span class="sh">'</span><span class="s">bio</span><span class="sh">'</span><span class="p">]</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">location</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="n">bio_data</span><span class="p">[</span><span class="sh">'</span><span class="s">location</span><span class="sh">'</span><span class="p">]</span> </code></pre> </div> <p>Now we can run tests by typing <code>pytest</code> in our project root in a terminal. Our test should pass without any errors.</p> <h2> Step 4 - Write the test that checks if the User cannot edit other Profile than his own. </h2> <p>Until now we don't see any issues with our application. But let's try to populate other profile than our user's in the next test. We will expect to see error 403 when updating other profile with the wrong JWT Token. Changing someone else Profile shouldn't be possible, but...<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@pytest.mark.django_db</span> <span class="k">def</span> <span class="nf">test_user_should_not_be_able_to_update_other_profile</span><span class="p">(</span><span class="n">api_client</span><span class="p">):</span> <span class="n">first_user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">create_user</span><span class="p">(</span><span class="sh">'</span><span class="s">michal</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">test@scvconsultants.com</span><span class="sh">'</span><span class="p">,</span> <span class="sh">"</span><span class="s">michalpassword</span><span class="sh">"</span><span class="p">)</span> <span class="n">second_user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">create_user</span><span class="p">(</span><span class="sh">'</span><span class="s">michal2</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">test2@scvconsultants.com</span><span class="sh">'</span><span class="p">,</span> <span class="sh">"</span><span class="s">michalpassword2</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">Profile</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">count</span><span class="p">()</span> <span class="o">==</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">count</span><span class="p">()</span> <span class="c1">#get token for first_user </span> <span class="n">token_url</span> <span class="o">=</span> <span class="nf">reverse</span><span class="p">(</span><span class="sh">'</span><span class="s">token_obtain_pair</span><span class="sh">'</span><span class="p">)</span> <span class="n">login_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="n">first_user</span><span class="p">.</span><span class="n">username</span><span class="p">,</span> <span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">michalpassword</span><span class="sh">"</span> <span class="p">}</span> <span class="n">token</span> <span class="o">=</span> <span class="n">api_client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">token_url</span><span class="p">,</span> <span class="n">login_data</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">'</span><span class="s">json</span><span class="sh">'</span><span class="p">)</span> <span class="n">api_client</span><span class="p">.</span><span class="nf">credentials</span><span class="p">(</span><span class="n">HTTP_AUTHORIZATION</span><span class="o">=</span><span class="sh">'</span><span class="s">Bearer </span><span class="sh">'</span> <span class="o">+</span> <span class="n">token</span><span class="p">.</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">access</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># now update second_user Profile with first_user token </span> <span class="n">profile_url</span> <span class="o">=</span> <span class="nf">reverse</span><span class="p">(</span><span class="sh">'</span><span class="s">profile-detail</span><span class="sh">'</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">[</span><span class="n">second_user</span><span class="p">.</span><span class="nb">id</span><span class="p">])</span> <span class="n">response</span> <span class="o">=</span> <span class="n">api_client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">profile_url</span><span class="p">)</span> <span class="n">bio_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">:</span> <span class="n">response</span><span class="p">.</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">],</span> <span class="sh">"</span><span class="s">bio</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">This is test user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">location</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Wroclaw</span><span class="sh">"</span> <span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">api_client</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="n">profile_url</span><span class="p">,</span> <span class="n">bio_data</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">'</span><span class="s">json</span><span class="sh">'</span><span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">403</span> </code></pre> </div> <p>Let's run those tests again with <code>pytest</code> and now we should see that the second test fails because we are able to update other Profile than ours!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>FAILED restapi/tests.py::test_user_should_not_be_able_to_update_other_profile - assert 200 == 403 </code></pre> </div> <h2> Step 5 - Fix bugs found by our tests </h2> <p>We need to fix this bug in our code (and it's a security bug). First, let's add <code>permissions.py</code> file and create proper permission logic there:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">rest_framework</span> <span class="kn">import</span> <span class="n">permissions</span> <span class="k">class</span> <span class="nc">IsProperUserOrReadOnly</span><span class="p">(</span><span class="n">permissions</span><span class="p">.</span><span class="n">BasePermission</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Custom permission to only allow owners of an object to edit it. </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">has_object_permission</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">view</span><span class="p">,</span> <span class="n">obj</span><span class="p">):</span> <span class="c1"># Read permissions are allowed to any request, </span> <span class="c1"># so we'll always allow GET, HEAD or OPTIONS requests. </span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="ow">in</span> <span class="n">permissions</span><span class="p">.</span><span class="n">SAFE_METHODS</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span> <span class="c1"># Write permissions are only allowed to the User linked with the Profile. </span> <span class="k">return</span> <span class="n">obj</span><span class="p">.</span><span class="n">user</span> <span class="o">==</span> <span class="n">request</span><span class="p">.</span><span class="n">user</span> </code></pre> </div> <p>Then we can change <code>ProfileViewSet</code> in our <code>views.py</code> to include this logic. Don't forget to import newly created permission:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">.permissions</span> <span class="kn">import</span> <span class="n">IsProperUserOrReadOnly</span> <span class="c1"># some code here </span><span class="n">permission_classes</span> <span class="o">=</span> <span class="p">[</span><span class="n">permissions</span><span class="p">.</span><span class="n">IsAuthenticatedOrReadOnly</span><span class="p">,</span> <span class="n">IsProperUserOrReadOnly</span><span class="p">]</span> </code></pre> </div> <p>Now we can run again tests with <code>pytest</code> and we should have 2 passing tests! It's that easy :)</p> <h2> Step 6 - Create Github Actions to validate every pull request to <code>master</code> branch </h2> <p>Once the tests are passing, it's a good time to set up GitHub and GitHub actions. Let's block our repository from pushing anything straight to the <code>master</code> branch.</p> <p>We can go to settings -&gt; branches and add branch policy for starters. Type "master" into branch name pattern and select "Require pull request reviews before merging".</p> <p>Then we go to Actions in our Github repo, and add Python application which should be suggested on the first page. </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fs45j1jl3glhdax82w59b.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fs45j1jl3glhdax82w59b.png" alt="Github Actions - Python Application"></a></p> <p>It will add yaml file <code>python-app.yml</code> in directory <code>.github/workflows/</code>. Our file should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># This workflow will install Python dependencies, run tests and lint with a single version of Python</span> <span class="c1"># For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Python application</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">master</span> <span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Python </span><span class="m">3.8</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="m">3.8</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">python -m pip install --upgrade pip</span> <span class="s">pip install flake8 pytest</span> <span class="s">if [ -f requirements.txt ]; then pip install -r requirements.txt; fi</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lint with flake8</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># stop the build if there are Python syntax errors or undefined names</span> <span class="s">flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics</span> <span class="s"># exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide</span> <span class="s">flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test with pytest</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pytest</span> </code></pre> </div> <h2> Step 8 - Play with the builds in Github Actions </h2> <p>Let's break our tests on a locally created branch, so do the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git pull git checkout -b feature/broken-test </code></pre> </div> <p>And change last line in <code>tests.py</code> from 403 to 200<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> </code></pre> </div> <p>Now we can add, commit, and push the code and create a pull request to trigger Github Action. After pushing this code to branch, create Pull Request from the Github repository page.</p> <p>And you should see in your GitHub actions Error on step "Test with pytest"</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F3rux7lmn6zvs691akiay.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F3rux7lmn6zvs691akiay.png" alt="Github Actions - Tests fail"></a></p> <p>And the log should show something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; assert response.status_code == 200 E assert 403 == 200 E + where 403 = &lt;Response status_code=403, "application/json"&gt;.status_code restapi/tests.py:79: AssertionError ------------------------------ Captured log call ------------------------------- WARNING django.request:log.py:224 Forbidden: /api/v1/profile/2/ </code></pre> </div> <p>Those error will populate to Pull Request view and show you "All checks failed". This is a pretty good warning for you not to merge changes to <code>master</code> branch.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F26rx0zbg3dera1j52k9s.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F26rx0zbg3dera1j52k9s.png" alt="Build error - Github Actions"></a></p> <p>Let's fix the last line in <code>tests.py</code> to expect status 403 again and push the code again. And we should see now that the tests are passing in Actions and now we can safely merge this to master (pull request will also update it's view).</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fzutiv6lqinykx05mjgiv.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fzutiv6lqinykx05mjgiv.png" alt="Build pass - Github Actions"></a></p> <h2> Coming next: </h2> <ol> <li>Deployment to Heroku</li> <li>Dockerization</li> </ol> django python devops testing Create proper REST API with Django, DRF, JWT and OpenApi Michal Dobrzycki Sun, 06 Sep 2020 18:26:13 +0000 https://dev.to/misiekofski/create-proper-rest-api-with-django-drf-jwt-and-openapi-chp https://dev.to/misiekofski/create-proper-rest-api-with-django-drf-jwt-and-openapi-chp <h1> <em>Summary of this post.</em> </h1> <p>In this post I’ll introduce following concepts, feel free to skip to the next post, if you are familiar with them already:</p> <ol> <li>Create Django project with Django Rest Framework</li> <li>Add OpenApi specs to generate dynamically API documentation</li> <li>Use JWT (JSON Web Token) for authentication and authorization</li> </ol> <h2> Step #1 - create new project </h2> <p>Start a new project (either with PyCharm -&gt; new Django project or <code>django-admin startproject restapi_article</code>). I won't cover basics, because You can always go to <a href="https://docs.djangoproject.com/en/3.1/intro/tutorial01/">Django Tutorial</a> and learn from official documentation (which I find the best at the time of writing this article).</p> <p>Once we have Django project set up we need to install python libraries below (for best experience You should use <a href="https://virtualenv.pypa.io/en/latest/installation.html">virtual environment</a>):</p> <ul> <li>Django</li> <li>djangorestframework</li> <li>drf-yasg</li> <li>djangorestframework-simplejwt</li> </ul> <p>It's always good to conform to standards, so we should create <code>requirements.txt</code> file with all libraries. You can create it by using this command in the project root folder <code>pip freeze &gt; requirements.txt</code>. The file should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>asgiref==3.2.10 certifi==2020.6.20 chardet==3.0.4 coreapi==2.3.3 coreschema==0.0.4 Django==3.1.1 djangorestframework==3.11.1 djangorestframework-simplejwt==4.4.0 drf-yasg==1.17.1 idna==2.10 inflection==0.5.1 itypes==1.2.0 Jinja2==2.11.2 MarkupSafe==1.1.1 packaging==20.4 PyJWT==1.7.1 pyparsing==2.4.7 pytz==2020.1 requests==2.24.0 ruamel.yaml==0.16.12 ruamel.yaml.clib==0.2.2 six==1.15.0 sqlparse==0.3.1 uritemplate==3.0.1 urllib3==1.25.10 </code></pre> </div> <p>Next create an application with command <code>python3 manage.py startapp restapi</code></p> <p>Your file structure after creation should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── restapi │ ├── migrations │ ├── __init__.py │ ├── admin.py │ ├── apps.py │ ├── models.py │ ├── tests.py │ └── views.py ├── restapi_article │ ├── __init__.py │ ├── asgi.py │ ├── settings.py │ ├── urls.py │ └── wsgi.py ├── venv ├── db.sqlite3 ├── manage.py └── requirements.txt </code></pre> </div> <p>And add to our <code>restapi_article\settings.py</code> those three apps<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">INSTALLED_APPS</span> <span class="o">=</span> <span class="p">[</span> <span class="p">...</span> <span class="s">'rest_framework'</span><span class="p">,</span> <span class="s">'drf_yasg'</span><span class="p">,</span> <span class="s">'restapi'</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <p>Edit <code>urls.py</code> to use root restapi.urls as main API application urls, this way we will have <code>localhost:8000/admin</code> to play with Django admin panel, and <code>/api/v1</code> endpoint as prefix for all urls (which is a really good way to version your API, as it might easily change in the future)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">django.urls</span> <span class="kn">import</span> <span class="n">path</span><span class="p">,</span> <span class="n">include</span> <span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="n">path</span><span class="p">(</span><span class="s">'admin/'</span><span class="p">,</span> <span class="n">admin</span><span class="p">.</span><span class="n">site</span><span class="p">.</span><span class="n">urls</span><span class="p">),</span> <span class="n">path</span><span class="p">(</span><span class="s">'api/v1/'</span><span class="p">,</span> <span class="n">include</span><span class="p">(</span><span class="s">'restapi.urls'</span><span class="p">)),</span> <span class="p">]</span> </code></pre> </div> <h2> Step 2 - create data models </h2> <p>I want to have a Drinking Diary application, where I can select a day and then post a note for myself. Also, I want to have a user profile with Bio field, location and date of Birth.</p> <p>Profile and Day will be linked as Many-To-Many relationship through the DrinkingDay model where I can post a note for a given day (what I drank and with whom for example).</p> <p><em>TODO (future): create an Event model, where you can ask some people to join you in drinking. It will have to combine multiple Profiles/Users with one Date</em></p> <p>We will also use <a href="https://docs.djangoproject.com/en/3.1/topics/signals/">signals</a> to create hooks for User creation, so we need only to create or update the Profile model, and User will be created/updated automatically with one request.</p> <p><code>models.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="kn">from</span> <span class="nn">django.db</span> <span class="kn">import</span> <span class="n">models</span> <span class="kn">from</span> <span class="nn">django.db.models.signals</span> <span class="kn">import</span> <span class="n">post_save</span> <span class="kn">from</span> <span class="nn">django.dispatch</span> <span class="kn">import</span> <span class="n">receiver</span> <span class="k">class</span> <span class="nc">Day</span><span class="p">(</span><span class="n">models</span><span class="p">.</span><span class="n">Model</span><span class="p">):</span> <span class="n">day</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="n">DateField</span><span class="p">()</span> <span class="k">class</span> <span class="nc">Profile</span><span class="p">(</span><span class="n">models</span><span class="p">.</span><span class="n">Model</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="n">OneToOneField</span><span class="p">(</span><span class="n">User</span><span class="p">,</span> <span class="n">on_delete</span><span class="o">=</span><span class="n">models</span><span class="p">.</span><span class="n">CASCADE</span><span class="p">)</span> <span class="n">bio</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="n">TextField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">500</span><span class="p">,</span> <span class="n">blank</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">location</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="n">CharField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">30</span><span class="p">,</span> <span class="n">blank</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">birth_date</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="n">DateField</span><span class="p">(</span><span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">blank</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">days</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="n">ManyToManyField</span><span class="p">(</span><span class="n">Day</span><span class="p">,</span> <span class="n">through</span><span class="o">=</span><span class="s">'DrinkingDay'</span><span class="p">)</span> <span class="k">class</span> <span class="nc">DrinkingDay</span><span class="p">(</span><span class="n">models</span><span class="p">.</span><span class="n">Model</span><span class="p">):</span> <span class="n">profile</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="n">ForeignKey</span><span class="p">(</span><span class="n">Profile</span><span class="p">,</span> <span class="n">on_delete</span><span class="o">=</span><span class="n">models</span><span class="p">.</span><span class="n">CASCADE</span><span class="p">)</span> <span class="n">day</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="n">ForeignKey</span><span class="p">(</span><span class="n">Day</span><span class="p">,</span> <span class="n">on_delete</span><span class="o">=</span><span class="n">models</span><span class="p">.</span><span class="n">CASCADE</span><span class="p">)</span> <span class="n">note</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="n">TextField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">1000</span><span class="p">,</span> <span class="n">blank</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># Use signals so our Profile model will be automatically created # or updated when we create or update User instance # https://docs.djangoproject.com/en/3.1/topics/signals/ </span><span class="o">@</span><span class="n">receiver</span><span class="p">(</span><span class="n">post_save</span><span class="p">,</span> <span class="n">sender</span><span class="o">=</span><span class="n">User</span><span class="p">)</span> <span class="k">def</span> <span class="nf">create_user_profile</span><span class="p">(</span><span class="n">sender</span><span class="p">,</span> <span class="n">instance</span><span class="p">,</span> <span class="n">created</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="k">if</span> <span class="n">created</span><span class="p">:</span> <span class="n">Profile</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="n">create</span><span class="p">(</span><span class="n">user</span><span class="o">=</span><span class="n">instance</span><span class="p">)</span> <span class="o">@</span><span class="n">receiver</span><span class="p">(</span><span class="n">post_save</span><span class="p">,</span> <span class="n">sender</span><span class="o">=</span><span class="n">User</span><span class="p">)</span> <span class="k">def</span> <span class="nf">save_user_profile</span><span class="p">(</span><span class="n">sender</span><span class="p">,</span> <span class="n">instance</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="n">instance</span><span class="p">.</span><span class="n">profile</span><span class="p">.</span><span class="n">save</span><span class="p">()</span> </code></pre> </div> <p>Now let's create and apply migrations for DB and then create superuser to be able to login to our admin panel. You need to run those three commands one by one (you can change email and username of course)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python manage.py makemigrations python manage.py migrate python manage.py createsuperuser --email admin@example.com --username admin </code></pre> </div> <h2> Step 3 - create serializers </h2> <p>Now we need to add <a href="https://www.django-rest-framework.org/api-guide/serializers/">serializers</a>. Serializer in shortcut is a way to create JSON from an object. <br> Let's start writing serializers for User and Profile model (we need to do them both, as it won't work without User):</p> <p><code>serializers.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="kn">from</span> <span class="nn">rest_framework</span> <span class="kn">import</span> <span class="n">serializers</span> <span class="kn">from</span> <span class="nn">restapi.models</span> <span class="kn">import</span> <span class="n">Profile</span> <span class="k">class</span> <span class="nc">UserSerializer</span><span class="p">(</span><span class="n">serializers</span><span class="p">.</span><span class="n">HyperlinkedModelSerializer</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">model</span> <span class="o">=</span> <span class="n">User</span> <span class="n">fields</span> <span class="o">=</span> <span class="p">[</span><span class="s">'url'</span><span class="p">,</span> <span class="s">'username'</span><span class="p">,</span> <span class="s">'email'</span><span class="p">,</span> <span class="s">'groups'</span><span class="p">]</span> <span class="k">class</span> <span class="nc">ProfileSerializer</span><span class="p">(</span><span class="n">serializers</span><span class="p">.</span><span class="n">HyperlinkedModelSerializer</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">model</span> <span class="o">=</span> <span class="n">Profile</span> <span class="n">fields</span> <span class="o">=</span> <span class="p">[</span><span class="s">'user'</span><span class="p">,</span> <span class="s">'bio'</span><span class="p">,</span> <span class="s">'location'</span><span class="p">,</span> <span class="s">'birth_date'</span><span class="p">,</span> <span class="s">'days'</span><span class="p">]</span> </code></pre> </div> <h2> Step 4 - create viewsets </h2> <p>Now that we have serializers in place, we can create Views in Django. So at every url we will see what we want. Let's do that for both UserView and ProfileView (although here we could omit User view, as it's not required.</p> <p>Change <code>views.py</code> (in restapi folder):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="kn">from</span> <span class="nn">rest_framework</span> <span class="kn">import</span> <span class="n">viewsets</span> <span class="kn">from</span> <span class="nn">restapi.models</span> <span class="kn">import</span> <span class="n">Profile</span> <span class="kn">from</span> <span class="nn">restapi.serializers</span> <span class="kn">import</span> <span class="n">ProfileSerializer</span><span class="p">,</span> <span class="n">UserSerializer</span> <span class="k">class</span> <span class="nc">UserViewSet</span><span class="p">(</span><span class="n">viewsets</span><span class="p">.</span><span class="n">ModelViewSet</span><span class="p">):</span> <span class="s">""" API endpoint that allows users to be viewed or edited. """</span> <span class="n">queryset</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nb">all</span><span class="p">().</span><span class="n">order_by</span><span class="p">(</span><span class="s">'-date_joined'</span><span class="p">)</span> <span class="n">serializer_class</span> <span class="o">=</span> <span class="n">UserSerializer</span> <span class="k">class</span> <span class="nc">ProfileViewSet</span><span class="p">(</span><span class="n">viewsets</span><span class="p">.</span><span class="n">ModelViewSet</span><span class="p">):</span> <span class="s">""" API endpoint that allows profiles to be viewed or edited. """</span> <span class="n">queryset</span> <span class="o">=</span> <span class="n">Profile</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nb">all</span><span class="p">()</span> <span class="n">serializer_class</span> <span class="o">=</span> <span class="n">ProfileSerializer</span> </code></pre> </div> <h2> Step 5 - register router for Viewsets </h2> <p>DRF allows us to use something called <a href="https://www.django-rest-framework.org/api-guide/routers/">routers</a>. This will handle automatic URL routing to Django for us.</p> <p>Change <code>urls.py</code> (in restapi folder):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">django.urls</span> <span class="kn">import</span> <span class="n">path</span><span class="p">,</span> <span class="n">include</span> <span class="kn">from</span> <span class="nn">rest_framework</span> <span class="kn">import</span> <span class="n">routers</span> <span class="kn">from</span> <span class="nn">restapi</span> <span class="kn">import</span> <span class="n">views</span> <span class="n">router</span> <span class="o">=</span> <span class="n">routers</span><span class="p">.</span><span class="n">DefaultRouter</span><span class="p">()</span> <span class="n">router</span><span class="p">.</span><span class="n">register</span><span class="p">(</span><span class="sa">r</span><span class="s">'profile'</span><span class="p">,</span> <span class="n">views</span><span class="p">.</span><span class="n">ProfileViewSet</span><span class="p">)</span> <span class="n">router</span><span class="p">.</span><span class="n">register</span><span class="p">(</span><span class="sa">r</span><span class="s">'user'</span><span class="p">,</span> <span class="n">views</span><span class="p">.</span><span class="n">UserViewSet</span><span class="p">)</span> <span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="n">path</span><span class="p">(</span><span class="s">'api-auth/'</span><span class="p">,</span> <span class="n">include</span><span class="p">(</span><span class="s">'rest_framework.urls'</span><span class="p">,</span> <span class="n">namespace</span><span class="o">=</span><span class="s">'rest_framework'</span><span class="p">)),</span> <span class="n">path</span><span class="p">(</span><span class="s">''</span><span class="p">,</span> <span class="n">include</span><span class="p">(</span><span class="n">router</span><span class="p">.</span><span class="n">urls</span><span class="p">)),</span> <span class="p">]</span> </code></pre> </div> <p>Now we can run our app with <code>python manage.py runserver</code> and go to <code>http://127.0.0.1:8000/api/v1/</code> to see that our application is working :)</p> <p>If you created a superuser, that should automatically create Profile for him, so going to <code>http://127.0.0.1:8000/api/v1/profile/1/</code> should allow you to update your superuser Profile.</p> <h2> Step 6 - add Swagger documentation </h2> <p>Everything is already good to go, we just need to create URL for showing Swagger documentation. Also, it's a good practice to create schema_view to describe our API for other developers.</p> <p>Update <code>urls.py</code> (in restapi folder):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">django.urls</span> <span class="kn">import</span> <span class="n">path</span><span class="p">,</span> <span class="n">include</span><span class="p">,</span> <span class="n">re_path</span> <span class="kn">from</span> <span class="nn">drf_yasg</span> <span class="kn">import</span> <span class="n">openapi</span> <span class="kn">from</span> <span class="nn">drf_yasg.views</span> <span class="kn">import</span> <span class="n">get_schema_view</span> <span class="kn">from</span> <span class="nn">rest_framework</span> <span class="kn">import</span> <span class="n">routers</span><span class="p">,</span> <span class="n">permissions</span> <span class="kn">from</span> <span class="nn">restapi</span> <span class="kn">import</span> <span class="n">views</span> <span class="n">router</span> <span class="o">=</span> <span class="n">routers</span><span class="p">.</span><span class="n">DefaultRouter</span><span class="p">()</span> <span class="n">router</span><span class="p">.</span><span class="n">register</span><span class="p">(</span><span class="sa">r</span><span class="s">'profile'</span><span class="p">,</span> <span class="n">views</span><span class="p">.</span><span class="n">ProfileViewSet</span><span class="p">)</span> <span class="n">router</span><span class="p">.</span><span class="n">register</span><span class="p">(</span><span class="sa">r</span><span class="s">'user'</span><span class="p">,</span> <span class="n">views</span><span class="p">.</span><span class="n">UserViewSet</span><span class="p">)</span> <span class="n">schema_view</span> <span class="o">=</span> <span class="n">get_schema_view</span><span class="p">(</span> <span class="n">openapi</span><span class="p">.</span><span class="n">Info</span><span class="p">(</span> <span class="n">title</span><span class="o">=</span><span class="s">"Drinking Day API"</span><span class="p">,</span> <span class="n">default_version</span><span class="o">=</span><span class="s">'v1'</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="s">"This API allows us to keep a diary of our daily drinking"</span><span class="p">,</span> <span class="n">terms_of_service</span><span class="o">=</span><span class="s">"https://www.scvconsultants.com"</span><span class="p">,</span> <span class="n">contact</span><span class="o">=</span><span class="n">openapi</span><span class="p">.</span><span class="n">Contact</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="s">"michal@scvconsultants.com"</span><span class="p">),</span> <span class="n">license</span><span class="o">=</span><span class="n">openapi</span><span class="p">.</span><span class="n">License</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="s">"MIT License"</span><span class="p">),</span> <span class="p">),</span> <span class="n">public</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">permission_classes</span><span class="o">=</span><span class="p">(</span><span class="n">permissions</span><span class="p">.</span><span class="n">AllowAny</span><span class="p">,),</span> <span class="p">)</span> <span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="n">path</span><span class="p">(</span><span class="s">'api-auth/'</span><span class="p">,</span> <span class="n">include</span><span class="p">(</span><span class="s">'rest_framework.urls'</span><span class="p">,</span> <span class="n">namespace</span><span class="o">=</span><span class="s">'rest_framework'</span><span class="p">)),</span> <span class="n">path</span><span class="p">(</span><span class="s">''</span><span class="p">,</span> <span class="n">include</span><span class="p">(</span><span class="n">router</span><span class="p">.</span><span class="n">urls</span><span class="p">)),</span> <span class="n">re_path</span><span class="p">(</span><span class="sa">r</span><span class="s">'^swagger(?P&lt;format&gt;\.json|\.yaml)$'</span><span class="p">,</span> <span class="n">schema_view</span><span class="p">.</span><span class="n">without_ui</span><span class="p">(</span><span class="n">cache_timeout</span><span class="o">=</span><span class="mi">0</span><span class="p">),</span> <span class="n">name</span><span class="o">=</span><span class="s">'schema-json'</span><span class="p">),</span> <span class="n">path</span><span class="p">(</span><span class="s">'swagger/'</span><span class="p">,</span> <span class="n">schema_view</span><span class="p">.</span><span class="n">with_ui</span><span class="p">(</span><span class="s">'swagger'</span><span class="p">,</span> <span class="n">cache_timeout</span><span class="o">=</span><span class="mi">0</span><span class="p">),</span> <span class="n">name</span><span class="o">=</span><span class="s">'schema-swagger-ui'</span><span class="p">),</span> <span class="p">]</span> </code></pre> </div> <p>Now we should be able to see Swagger UI at:<br> <code>http://127.0.0.1:8000/api/v1/swagger/</code> <br> and .json + .yaml schema at links below:<br> <code>http://127.0.0.1:8000/api/v1/swagger.json</code> <br> <code>http://127.0.0.1:8000/api/v1/swagger.yaml</code></p> <h2> Step 7 - Add JWT tokens to limit access to Profile model. </h2> <p>First, we need to update <code>settings.py</code> to add JWT auth classes. I also add pagination as this is a great practice to use default page size for collections (we don't need to send everything at once, right?).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># REST FRAMEWORK config </span><span class="n">REST_FRAMEWORK</span> <span class="o">=</span> <span class="p">{</span> <span class="s">'DEFAULT_PAGINATION_CLASS'</span><span class="p">:</span> <span class="s">'rest_framework.pagination.PageNumberPagination'</span><span class="p">,</span> <span class="s">'PAGE_SIZE'</span><span class="p">:</span> <span class="mi">25</span><span class="p">,</span> <span class="s">'DEFAULT_AUTHENTICATION_CLASSES'</span><span class="p">:</span> <span class="p">(</span> <span class="s">'rest_framework_simplejwt.authentication.JWTAuthentication'</span><span class="p">,</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Then we need to create an endpoint for grabbing and refreshing Token (as tokens <strong>should</strong> expire due to security reasons). You can set up it yourself with the <a href="https://django-rest-framework-simplejwt.readthedocs.io/en/latest/settings.html">official documentation</a>.</p> <p>Let's add it in <code>urls.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">rest_framework_simplejwt.views</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">TokenObtainPairView</span><span class="p">,</span> <span class="n">TokenRefreshView</span><span class="p">,</span> <span class="p">)</span> <span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="p">...</span> <span class="n">path</span><span class="p">(</span><span class="s">'api/token/'</span><span class="p">,</span> <span class="n">TokenObtainPairView</span><span class="p">.</span><span class="n">as_view</span><span class="p">(),</span> <span class="n">name</span><span class="o">=</span><span class="s">'token_obtain_pair'</span><span class="p">),</span> <span class="n">path</span><span class="p">(</span><span class="s">'api/token/refresh/'</span><span class="p">,</span> <span class="n">TokenRefreshView</span><span class="p">.</span><span class="n">as_view</span><span class="p">(),</span> <span class="n">name</span><span class="o">=</span><span class="s">'token_refresh'</span><span class="p">),</span> <span class="p">...</span> <span class="p">]</span> </code></pre> </div> <p>Now you can go to: <code>http://127.0.0.1:8000/api/v1/token/</code> and send your superuser credentials as a POST and you should get a beautiful working token, which you can decode and verify <a href="https://www.jsonwebtoken.io/">here</a> and it should decode to user_id that corresponds with your credentials (user_id will be probably 1).</p> <p>Adding now permissions to our views is really easy, first import in <code>views.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">rest_framework</span> <span class="kn">import</span> <span class="n">permissions</span> </code></pre> </div> <p>And then in our specific view (let's use ProfileViewSet for this) add:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">ProfileViewSet</span><span class="p">(</span><span class="n">viewsets</span><span class="p">.</span><span class="n">ModelViewSet</span><span class="p">,</span> <span class="n">mixins</span><span class="p">.</span><span class="n">UpdateModelMixin</span><span class="p">):</span> <span class="p">...</span> <span class="n">permission_classes</span> <span class="o">=</span> <span class="p">[</span><span class="n">permissions</span><span class="p">.</span><span class="n">IsAuthenticatedOrReadOnly</span><span class="p">]</span> </code></pre> </div> <p>Now we can easily add users, but we can't update our Profile unless we are providing proper JWT Token. The whole permissions list is available in Rest Framework <a href="https://www.django-rest-framework.org/api-guide/permissions/#api-reference">documentation</a></p> <h2> Coming next: </h2> <ul> <li>Creating CI/CD with usage of <a href="https://github.com/">Github</a> and <a href="https://www.heroku.com/">Heroku</a>.</li> <li>Dockerization</li> <li>Integration tests for API with pytest</li> </ul> django python openapi