Failing Authorization tokens should raise 401
Django's authenticate method will check the user's credentials against all configured backends, returning the authenticated user or None if no backend could authenticate them (https://docs.djangoproject.com/en/2.2/topics/auth/default/#django.contrib.auth.authenticate).
This means that if I pass an Authorization token but it's invalid, the user will not be authenticated but will access the view as an anonymous user. They should receive a 401 regardless of the permissions for anonymous users on the resource. This is also the guidance of Django REST Framework, and they say to achieve it by overriding BaseAuthentication.
We should do this, and in our auth backend we can raise and catch an AuthenticationFailed exception when we want to respond 401.
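
A sketch of the behaviour requested above, added here as an example and not taken from the project's code. `BaseAuthentication` and `AuthenticationFailed` are minimal local stand-ins for the Django REST Framework classes of the same names so the block runs without Django installed; `backend_lookup`, `dispatch`, `StrictTokenAuthentication`, the dict-shaped request and the token table are hypothetical.

```python
# Stand-ins mirroring DRF's contract. In a real project import them instead:
#   from rest_framework.authentication import BaseAuthentication
#   from rest_framework.exceptions import AuthenticationFailed
class AuthenticationFailed(Exception):
    pass

class BaseAuthentication:
    def authenticate(self, request):
        raise NotImplementedError
    def authenticate_header(self, request):
        return None

VALID_TOKENS = {"good-token": "alice"}  # constructed sample data

def backend_lookup(token):
    """Stand-in for django.contrib.auth.authenticate(): a user or None."""
    return VALID_TOKENS.get(token)

class StrictTokenAuthentication(BaseAuthentication):
    keyword = "Token"

    def authenticate(self, request):
        header = request.get("HTTP_AUTHORIZATION", "")
        if not header:
            return None  # no credentials offered: anonymous access may apply
        parts = header.split()
        # Assumes this is the only authenticator, so any other scheme is an error.
        if len(parts) != 2 or parts[0] != self.keyword:
            raise AuthenticationFailed("Malformed or unsupported Authorization header.")
        user = backend_lookup(parts[1])
        if user is None:
            # Credentials were offered and rejected: never fall back to anonymous.
            raise AuthenticationFailed("Invalid token.")
        return (user, parts[1])

    def authenticate_header(self, request):
        # DRF answers 401 only when this returns a value; otherwise it sends 403.
        return self.keyword

def dispatch(request, authenticator=StrictTokenAuthentication()):
    """Simplified view dispatch (hypothetical): returns (status, user)."""
    try:
        result = authenticator.authenticate(request)
    except AuthenticationFailed:
        challenge = authenticator.authenticate_header(request)
        return (401 if challenge else 403, None)
    return (200, result[0] if result else "AnonymousUser")
```

The three outcomes of `authenticate` are the point: `None` means no credentials were offered, a tuple means success, and an exception means credentials were offered and rejected, which is the only case that must produce 401.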