django-rest-framework-simplejwt VS django-cors-headers

Now, I'm converting this app into a Vue-based SPA (still powered by Django). I'm using the Django REST Framework to build the API that the SPA will interact with. (I'll be using token-based auth, via django-rest-knox. ETA: I'll actually be using djangorestframework-simplejwt.)

Django REST Framework SimpleJWT Django REST Framework SimpleJWT provides JSON Web Token (JWT) authentication for Django REST Framework APIs. It enables secure and stateless token-based authentication, allowing clients to authenticate and access protected endpoints.

I'm using simple JWT with DRF.

So , i was using djangorestframework-simplejwt for token bases authentication with drf.

I used JWT authentication instead. https://github.com/jazzband/djangorestframework-simplejwt

First: the drf token is not a jwt. If you want to use jwt, I recommend the drf simple jwt plugin: https://github.com/jazzband/djangorestframework-simplejwt

There is an issue in the drf-simplejwt repo that I borrowed some code from: https://github.com/jazzband/djangorestframework-simplejwt/issues/71.Is anyone doing authentication with JWT / HttpOnly cookies in a similar way? Thanks for anyone that can take a look or offer some feedback!

I'm not going to go in-depth with it, but I've seen a different technique used to achieve the same result in the SimpleJWT project that can be found in this file in the source code. Basically the technique relies on the settings_changed signal to establish default values for settings and update those settings in the context of the package. I'm not sure if there is a massive improvement on this approach over the previous one (maybe caching?), but if there is, feel free to comment.

I work in FOSS and have a project I can share with that stack. The back-end is here. Change the branch to develop and look in accounts. Its not a perfect example of what you want since we extend the TokenView with VogonTokenVerifyView. Basically you create a login form on your front-end and then make a request to TokenObtainPairView with the login info and it will return tokens if everything went to plan. The vue project can be found here. There is really nothing fancy happening in the frontend, create a form and send the information. I would not save the tokens in localStorage like we are doing. This is a very debated topic but I have come to the conclusion after tons reading on the subject that cookies are a better route. There is an interesting thread on the subject in a pull request in the simplejwt-repo. Once that pull request is merged, we will switch to cookies.

django-cors-headers, a Django app to add CORS headers to the application.

Django does not include tools to handle CORS configuration from the core package. To make this work, you'll need to reach for a third party package. Since CORS configuration is handled through HTTP headers, you'll find that the very appropriately named django-cors-headers package is exactly what you need.

This might not be of any help at all since i dont use bottle, but in django its common to use django-cors-headers.

For more information about django-cors-headers, check this document.

This is a solution I found when looking at the source code of the well known package Django Corsheaders. It is very, very simple. Just define a wrapper over the django.conf.settings, and specify a property per each setting that your library allows to customize.

https://github.com/adamchainz/django-cors-headers#configuration

I'm only guessing, check if you have the middleware in the list as high as possible.

And set the headers as per your requirement using the Documentation