The Django API is powering a single-page app, so while there are tokens 
instead of sessions, from the user point of view there is an explicit login 
process to grab a signed token. I wanted to hook to the corresponding 
signal to log these login events. It's probably better if I do it inside my 
login/authenticate endpoint code though.

On Friday, January 13, 2017 at 12:02:16 PM UTC-3, Patryk Zawadzki wrote:
> Are you sure you need to depend on users "logging in" through an API? Most 
> authentication methods used in APIs are stateless and there is no explicit 
> login and logout process. You either include the credentials (be it bearer 
> token, auth header, custom data or whatever) or not. The credentials are 
> checked using authenticate but there is no "logging in" happening: you 
> don't create a session, set cookies etc.
> W dniu piątek, 13 stycznia 2017 00:30:11 UTC+1 użytkownik Federico Bond 
> napisał:
>> You are right. I was confusing the login view with the login method. The 
>> more concrete problem was that Django REST framework calls authenticate 
>> directly and user_login_failed is sent but never user_logged_in. I realize 
>> though that some of the authentication methods provided by an API don't 
>> have clear login semantics so it makes sense to only send failure events.

You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
Visit this group at
To view this discussion on the web visit
For more options, visit

Reply via email to