How to implement admin login and logout using Django REST framework?

Question

I have been given a task to authenticate admin login programmatically and logout as well.

I am able to to do login but on logged out when I check which user I am logging out it says AnonymousUser. How can I make sure I log out current user which is logged it.

I am using Django REST framework and testing it on Postman.

@api_view(["POST"])
def adminLogin(request):
    
    if(request.method=="POST"):
        username = request.data["username"]
        password = request.data["password"]

        authenticated_user = authenticate(request,username=username, password=password)
        if authenticated_user != None:

            if(authenticated_user.is_authenticated and authenticated_user.is_superuser):
                login(request,authenticated_user)
                return JsonResponse({"Message":"User is Authenticated. "})   
            else:
                return JsonResponse({"message":"User is not authenticated. "})
        else:
            return JsonResponse({"Message":"Either User is not registered or password does not match"})

@api_view(["POST"])
def adminLogout(request):
    print(request.user)
    logout(request)
    return JsonResponse({"message":"LoggedOut"})

Answer 1

Logging in/logging out with a REST API makes not much sense. The idea of logging in/logging out, at least how Django implements it, is by means of the session, so with a cookie that has the session id.

API clients like Postman usually do not work with cookies: each request is made more or less independent of the previous one. If you thus make the next request without a reference to the session, then the view will not link a user to that request. Clients like AJAX that runs on the browser of course can work with cookies, since these are embedded in the browser that manages cookies. You can work with cookies in postman as specified in this tutorial ^{[learning postman]}, but this is usually not how an API is supposed to work.

This is why APIs usually work with a token, for example a JWT token. When authenticating, these are given a token that might be valid for a short amount of time, and subsequently it uses that token to make any other request that should be authorized.

As the Django REST framework documentation on TokenAuthentication ^[drf-doc] says, you can define views that create, and revoke tokens. The page also discusses session authentication that thus can be used for AJAX requests.

But likely you are thus using the wrong means to do proper authentication for your REST API, and you thus might want to work with a token like a JWT token instead.