DRF does not consider all authenticators when deciding whether to raise a 401 or 403.

[Salaah01]

Following the documentation on setting authentication classes, we have configured two authentication classes in a project I work on.

Within our code, we raise rest_framework.exceptions.AuthenticationFailed which we expect to raise a 401. However, it raises a 403.

Digging into the source code, I find that rest_framework.views.APIVIew.handle_exception attaches the HTTP_403_FORBIDDEN status onto the exception. This happens due to rest_framework.views.APIVIew.get_authenticate_header returning None.

I believe there might be a bug in that function. That function does the following:

def get_authenticate_header(self, request):
        """
        If a request is unauthenticated, determine the WWW-Authenticate
        header to use for 401 responses, if any.
        """
        authenticators = self.get_authenticators()
        if authenticators:
            return authenticators[0].authenticate_header(request)

The first authenticator's authenticate_header method does not return anything. However, if we change the function to use the second authenticator class (authenticators[1]), it instead returns a string. Subsequently, the response then contains a 401 status code.

I believe the fix would be something like:

authenticators = self.get_authenticators()
for authenticator in authenticators:
    auth_header = authenticator.authenticate_header(request):
        if auth_header:
            return auth_header

I am happy to raise an issue and apply the fix if you agree.

Note: A colleague has checked the tests and it seems that the tests all assume there is always a single authentication class.

[Salaah01]

A colleague came across the following in docs: https://www.django-rest-framework.org/api-guide/authentication/#unauthorized-and-forbidden-responses

So it looks like this is intentional.
Is there any reason for this? Wouldn't it be better to iterate over the authenticators as proposed above?

[tomchristie]

Here's an answer to the same question from a while back...

#3800 (comment)

The ordering of the classes is relevant in order to allow developers to choose between "browsers should/should not respond with an authentication dialog".

[Salaah01]

Would be awesome to understand why that's in place.
I can't help but wonder, wouldn't it be better just to iterate over those rather than just use the first one?