Token authorization middleware for Django Channels 3
from urllib.parse import parse_qs

from channels.db import database_sync_to_async
from channels.middleware import BaseMiddleware
from django.contrib.auth.models import AnonymousUser
from rest_framework.authtoken.models import Token

from project.settings import SIMPLE_JWT, SECRET_KEY
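def _user_from_drf_token(token_key):
    """Resolve a DRF ``authtoken`` key to its user, or ``AnonymousUser``.

    Returns ``AnonymousUser`` when the key is unknown or the account has
    been deactivated.
    """
    try:
        token = Token.objects.select_related('user').get(key=token_key)
    except Token.DoesNotExist:
        return AnonymousUser()
    # DRF's own TokenAuthentication rejects inactive users; without the same
    # check a disabled account keeps socket access through an old token.
    return token.user if token.user.is_active else AnonymousUser()


def _user_from_jwt(token_key):
    """Resolve a signed JWT to its user, or ``AnonymousUser``.

    Returns ``AnonymousUser`` when the token fails validation, carries no
    user-id claim, or names a missing or deactivated account.
    """
    # Kept local because only the JWT variant needs them; the listing calls
    # jwt.decode and User.objects without a visible import for either.
    import jwt
    from django.contrib.auth import get_user_model

    User = get_user_model()
    try:
        # NOTE(review): this verifies with SECRET_KEY. A project that sets a
        # separate SIMPLE_JWT signing key, or an asymmetric algorithm, must
        # pass the matching verification key here instead.
        claims = jwt.decode(token_key, SECRET_KEY, algorithms=[SIMPLE_JWT['ALGORITHM']])
    except jwt.exceptions.InvalidTokenError:
        # Base class of DecodeError and ExpiredSignatureError; also covers the
        # other validation failures (not-yet-valid, bad audience/issuer, ...)
        # that would otherwise escape and crash the connection handler.
        return AnonymousUser()

    # NOTE(review): the token-type claim is not inspected, so any token signed
    # with this key is accepted, long-lived refresh tokens included. Reject
    # non-access tokens here if the project issues both kinds.
    user_id = claims.get(SIMPLE_JWT['USER_ID_CLAIM'])
    if user_id is None:
        return AnonymousUser()
    try:
        user = User.objects.get(id=user_id)
    except User.DoesNotExist:
        return AnonymousUser()
    return user if user.is_active else AnonymousUser()


@database_sync_to_async
def get_user(token_key):
    """Return the user identified by ``token_key``, or ``AnonymousUser``.

    Wrapped with ``database_sync_to_async`` because the middleware awaits
    this function and the ORM lookups are blocking. Pick exactly one of the
    two strategies below; do not chain them as a fallback, which would widen
    the set of credentials the socket accepts.
    """
    # If you are using normal token based authentication
    return _user_from_drf_token(token_key)
    # If you are using jwt, return _user_from_jwt(token_key) instead.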
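class TokenAuthMiddleware(BaseMiddleware):
    """Channels middleware that sets ``scope['user']`` from a ``token`` query parameter.

    A missing or unusable token yields ``AnonymousUser``; the connection is
    not refused here, so consumers must still check the user before acting.

    Credentials in the URL are written to access logs in cleartext by most
    servers and proxies. Prefer short-lived tokens for this transport and
    exclude the query string from logging where possible.
    """

    def __init__(self, inner):
        super().__init__(inner)

    async def __call__(self, scope, receive, send):
        """Attach the authenticated user to ``scope`` and call the inner application."""
        # ASGI delivers the query string as bytes; treat an absent one as empty.
        raw_query = scope.get('query_string') or b''
        # parse_qs percent-decodes values and tolerates '=' inside a value or a
        # parameter with no value. A hand-rolled split('=') fails on either and
        # silently downgrades an authenticated client to anonymous.
        params = parse_qs(raw_query.decode('utf-8', errors='replace'))
        # Last occurrence wins, matching the dict() construction it replaces.
        token_key = params.get('token', [None])[-1]
        scope['user'] = AnonymousUser() if token_key is None else await get_user(token_key)
        return await super().__call__(scope, receive, send)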
BdVade commented Jul 4, 2021

I found out why: the query string is returned as a byte string. Ignore the question. Thank you.

I sent the token as the second argument to the WebSocket constructor (which is used to send the 'Sec-WebSocket-Protocol' header), in order to avoid sending the token in the query string, since it ends up in cleartext in the server logs.

frontend (React.js):

socket: new ReconnectingWebSocket('wss://' + + '/ws', [localStorage.getItem('Token')])


YegorDB commented Dec 20, 2021

Hi there! You are welcome to join the discussion about BaseAuthTokenMiddleware. That middleware provides the base logic for using auth tokens.

Hi there! I added another token-based JWT authentication for Django Channels, with header and query_params support; just click here

