#724: Exempt API views from LoginRequiredMiddleware to enable basic HTTP authentication when LOGIN_REQUIRED is true

netbox/netbox/settings.py

@@ -185,6 +185,8 @@ SECRETS_MIN_PUBKEY_SIZE = 2048
 REST_FRAMEWORK = {
     'DEFAULT_FILTER_BACKENDS': ('rest_framework.filters.DjangoFilterBackend',)
 }
+if LOGIN_REQUIRED:
+    REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES'] = ('rest_framework.permissions.IsAuthenticated',)
 
 # Swagger settings (API docs)
 SWAGGER_SETTINGS = {

netbox/utilities/middleware.py

@@ -2,6 +2,7 @@ from django.http import HttpResponseRedirect
 from django.conf import settings
 
 
+BASE_PATH = getattr(settings, 'BASE_PATH', False)
 LOGIN_REQUIRED = getattr(settings, 'LOGIN_REQUIRED', False)
 
 
@@ -11,5 +12,8 @@ class LoginRequiredMiddleware:
     """
     def process_request(self, request):
         if LOGIN_REQUIRED and not request.user.is_authenticated():
-            if request.path_info != settings.LOGIN_URL:
+            # Redirect unauthenticated requests to the login page. API requests are exempt from redirection as the API
+            # performs its own authentication.
+            api_path = '/{}api/'.format(BASE_PATH)
+            if not request.path_info.startswith(api_path) and request.path_info != settings.LOGIN_URL:
                 return HttpResponseRedirect('{}?next={}'.format(settings.LOGIN_URL, request.path_info))