Overview
The Aqua-IoT API uses Django REST Framework’s token-based authentication. All API endpoints require authentication using a valid token in the request header.
Authentication Method
All endpoints use the IsAuthenticated permission class, requiring a valid authentication token for every request.
Implementation Details
From views.py, each viewset enforces authentication:
class TemperaturaAquarioViewset(viewsets.ViewSet):
permission_classes = (IsAuthenticated,)
# ...
Authentication Token
The system uses a pre-configured authentication token:
2d75140c068049278f9cb7d39b1a20f05aecdc56
This token is currently used by the MQTT-Django bridge for submitting sensor data from IoT devices.
Using the Token
Include the token in the Authorization header of every API request:
Authorization: Token 2d75140c068049278f9cb7d39b1a20f05aecdc56
Example Request
curl -X POST http://127.0.0.1:8000/api/temperatura-aquario/ \
-H "Authorization: Token 2d75140c068049278f9cb7d39b1a20f05aecdc56" \
-H "Content-Type: application/json" \
-d '{
"nome": "Temperatura",
"tipo": "Acuario",
"grupo": "Grupo A",
"temperatura": "25.5",
"unidade_medida": "graus"
}'
Authentication Flow
Include Token
Add the Authorization header with your token to every request
DRF Validates
Django REST Framework validates the token against the database
Permission Check
The IsAuthenticated permission class verifies the user is authenticated
Process Request
If authentication succeeds, the request is processed
MQTT Integration Example
The Raspberry Pi MQTT client demonstrates proper token usage:
# From mqtt-django.py
headers = {'Authorization': 'Token 2d75140c068049278f9cb7d39b1a20f05aecdc56'}
url_temperatura_aquario = "http://127.0.0.1:8000/api/temperatura-aquario/"
send_temperatura_aquario = requests.post(
url_temperatura_aquario,
headers=headers,
json=temperatura_aquario
)
Error Responses
Missing Token
If the Authorization header is missing:
Status Code: 401 Unauthorized
{
"detail": "Authentication credentials were not provided."
}
Invalid Token
If the token is invalid or expired:
Status Code: 401 Unauthorized
{
"detail": "Invalid token."
}
Missing Permissions
If the authenticated user lacks required permissions:
Status Code: 403 Forbidden
{
"detail": "You do not have permission to perform this action."
}
Security Considerations
- Never expose your authentication token in public repositories or client-side code
- Store tokens securely in environment variables or secure configuration files
- Rotate tokens periodically for enhanced security
- Use HTTPS in production to encrypt token transmission
Token Management
Generating New Tokens
To generate a new authentication token in Django:
from rest_framework.authtoken.models import Token
from django.contrib.auth.models import User
user = User.objects.get(username='your_username')
token = Token.objects.create(user=user)
print(token.key)
Viewing Existing Tokens
from rest_framework.authtoken.models import Token
token = Token.objects.get(user__username='your_username')
print(token.key)
Best Practices
- Store Securely: Keep tokens in environment variables or secure vaults
- Use HTTPS: Always use HTTPS in production environments
- Validate Responses: Check for 401/403 status codes and handle re-authentication
- Token Rotation: Implement periodic token rotation for security
- Scope Limitations: Create separate tokens for different services or devices
Testing Authentication
Test your authentication setup with a simple request:
curl -X POST http://127.0.0.1:8000/api/temperatura-aquario/ \
-H "Authorization: Token 2d75140c068049278f9cb7d39b1a20f05aecdc56" \
-H "Content-Type: application/json" \
-d '{}'
400 Bad Request response indicates authentication succeeded but data validation failed. A 401 Unauthorized response indicates authentication issues.