[DEPR]: BasicAuthentication as default authentication class in edx-platform

[robrap]

Proposal Date

2023-08-16

Target Ticket Acceptance Date

2023-08-18

Earliest Open edX Named Release Without This Functionality

Quince - 2023-10

Rationale

BasicAuthentication was unintentionally a default authentication class for DRF endpoints in edx-platform because the defaults were never made explicit in edx-platform, and thus the default of [SessionAuthentication, BasicAuthentication] from DRF itself was being used.

BasicAuthentication is simply going to be removed from the default list.

This will simplify the authentication story for the platform, and is actively being pursued as part of a variety of other clean-up efforts in this area.

Note: Additionally, if a deployment wants to be hidden behind basic auth, this can lead to login errors if these credentials are passed through to the LMS service.

Removal

A recent change was made to make this default more explicit, and this line will be removed:

edx-platform/lms/envs/common.py

Line 3334 in 62718f2

'openedx.core.djangolib.default_auth_classes.DefaultBasicAuthentication'

We will also remove DefaultBasicAuthentication, which was simply added for monitoring purposes to double-check the assumption that this was not being used:

edx-platform/openedx/core/djangolib/default_auth_classes.py

Line 36 in 62718f2

class DefaultBasicAuthentication(BasicAuthentication):

Replacement

SessionAuthentication is already in place, and will serve as a replacement.

Deprecation

No response

Migration

No response

Additional Info

Separately, JwtAuthentication is being added as a new default. I'd like to fast track this removal, based on the fact that it was never explicitly added, and no endpoints that have overridden the defaults (for example to add JwtAuthentication) ever added BasicAuthentication.

Hopefully, this DEPR is just a formality in cleaning up something that does not need to exist.