I am quite familiar with developing web applications using Django and have now begun exploring using DRF for developing Django-based back-end systems for mobile applications. As I learn and experiment, I developed a simple web application using DRF and the DJ-Rest-Auth module.
The web application has one model, Book. Books are created by Users, and Users can view or edit only their own books. It was very simple to enable API endpoints using DRF and also a simple token-based authentication system.
So if I use a tool like httpie and send a POST request as below:
POST /dj-rest-auth/login/ HTTP/1.1
Content-Length: 34
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1:8000
User-Agent: HTTPie
username=Test101&password=SomePassword
I get back:
HTTP/1.1 200 OK
Allow: POST, OPTIONS
Content-Length: 333
Content-Type: application/json
Cross-Origin-Opener-Policy: same-origin
Date: Fri, 12 Jan 2024 14:51:51 GMT
Referrer-Policy: same-origin
Server: WSGIServer/0.2 CPython/3.12.1
Set-Cookie: books-auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNzA1MDcxNDEwLCJpYXQiOjE3MDUwNzExMTAsImp0aSI6IjEyZjliNTU1ZTE1MDRlOTg5NmIzNTMxYzc0ODFhZDYwIiwidXNlcl9pZCI6MX0.S3hzqTcXRIQ_Z3MI41z8H0y5fwDeeaQ4JyoRJG6iZAw; expires=Fri, 12 Jan 2024 14:56:51 GMT; HttpOnly; Max-Age=300; Path=/; SameSite=Lax, books-refresh-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTcwNTE1NzUxMCwiaWF0IjoxNzA1MDcxMTEwLCJqdGkiOiIyNzhlODIyNGY4ODM0MDZiOTAyMGE2MWMzNzI4ZTY1YSIsInVzZXJfaWQiOjF9.us8xk9Jjbhqcf58WxIiCdxl2USSKWY0kGgACLEnHQyQ; expires=Sat, 13 Jan 2024 14:51:51 GMT; HttpOnly; Max-Age=86400; Path=/; SameSite=Lax, csrftoken=0t5c56RNzLPSnaET0zzNXaEpZrP5dKHw; expires=Fri, 10 Jan 2025 14:51:51 GMT; Max-Age=31449600; Path=/; SameSite=Lax, sessionid=mphnpsa8hi9slueo794anwnhm8eaws8p; expires=Fri, 26 Jan 2024 14:51:51 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
Vary: Accept, Cookie
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
{"access":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNzA1MDcxNDEwLCJpYXQiOjE3MDUwNzExMTAsImp0aSI6IjEyZjliNTU1ZTE1MDRlOTg5NmIzNTMxYzc0ODFhZDYwIiwidXNlcl9pZCI6MX0.S3hzqTcXRIQ_Z3MI41z8H0y5fwDeeaQ4JyoRJG6iZAw","refresh":"","user":{"pk":1,"username":"Test101","email":"","first_name":"","last_name":""}}
And then I am able to use the access token to get the list of books assigned to the user:
GET /api/books HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNzA1MDcyODU5LCJpYXQiOjE3MDUwNzI1NTksImp0aSI6ImE2NTYyM2E1NGI5ODQ4YjVhYmU5OTlhYjgzY2JkM2NmIiwidXNlcl9pZCI6MX0.EwErQRCQy3G_hd4jiWPpxtLVPCrLFDD-oDNLBqjDmFc
Host: 127.0.0.1:8000
User-Agent: HTTPie
My questions are:
- This still seems to be using some level of session-based state management. How would the Django back-end know my user ID without my sending it in the GET request? Is this session management OK for a mobile front-end?
- In a traditional web application, once the user has logged in, the user would be redirected to a home page or a profile page. How does one do that in a RESTful application? Is that logic contained in the JavaScript/AJAX that I am using in the front end?
Part 1 of the question has been solved.
I had JWTTokenAuthentication enabled and this results in a JWT token being created with the user information encoded in the same. If you take the access token and go to jwt.io you can see the decoded information, which (in my case) looks like below