Hello there!
Currently it's allowed that a custom authentication class returns a tuple containing `(None, None)`. This causes the authentication to be considered successful and sets `request.user = None`, and this can cause errors that are hard to track where they came from.
I know that this is wrongly implemented by the `CustomAuthentication` class; the user should've raised an `AuthenticationFailed` exception instead. But this allows the user to shoot themselves in the foot.
Example of a badly implemented authentication class:
```python
from rest_framework.authentication import BaseAuthentication


class MyDumbAuthentication(BaseAuthentication):
    def authenticate(self, request):
        return None, None
```
Later, if you have a permission check, for example, you would see the following error:
```python
from rest_framework.permissions import BasePermission


class MyPermCheck(BasePermission):
    def has_permission(self, request, view):
        return request.user.has_perm("foo.bar")  # raises AttributeError("'NoneType' object has no attribute 'has_perm'")
```
It would be nice if rest framework disallowed this totally wrong implementation.
Checklist
- Raised initially as discussion
- This is not a feature request suitable for implementation outside this project. Please elaborate what it is:
- compatibility fix for new Django/Python version ...
- other type of bug fix
- other type of improvement that does not touch existing code or change existing behavior (e.g. wrapper for new Django field)
- I have reduced the issue to the simplest possible case.
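One way to fail closed on the `(None, None)` case described in this issue, as an added example that is neither the reporter's code nor part of Django REST framework. The `strict_authenticate` decorator, `HeaderTokenAuthentication`, `outcome`, the dict used as a request and the local `AuthenticationFailed` stand-in are all hypothetical, chosen so the block runs without Django installed.

```python
import functools


class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed (assumption)."""


def strict_authenticate(method):
    """Hypothetical guard: allow None (not attempted) or (user, auth) with a real user."""
    @functools.wraps(method)
    def wrapper(self, request):
        result = method(self, request)
        name = type(self).__name__
        if result is None:
            return None  # scheme not attempted; the next authenticator gets a turn
        if not (isinstance(result, tuple) and len(result) == 2):
            raise TypeError(f"{name}.authenticate() must return None or (user, auth)")
        if result[0] is None:
            # The case from the issue: reject instead of leaving request.user = None
            raise AuthenticationFailed(f"{name} returned (None, auth)")
        return result
    return wrapper


class MyDumbAuthentication:
    """The class from the issue, with the guard applied."""
    @strict_authenticate
    def authenticate(self, request):
        return None, None


class HeaderTokenAuthentication:
    """Constructed example of the intended contract; the token table is sample data."""
    TOKENS = {"constructed-sample-token": "alice"}

    @strict_authenticate
    def authenticate(self, request):
        token = request.get("X-Token")  # request is a plain dict of headers here
        if token is None:
            return None  # no credentials presented
        if token not in self.TOKENS:
            raise AuthenticationFailed("invalid token")  # credentials presented but bad
        return self.TOKENS[token], token


def outcome(authenticator, request):
    """Summarise what a caller would see for one authenticator and one request."""
    try:
        result = authenticator.authenticate(request)
    except AuthenticationFailed as exc:
        return f"401: {exc}"
    return "anonymous" if result is None else f"user={result[0]}"
```

With the guard in place, the broken class surfaces as an authentication failure at the point of the mistake rather than as an `AttributeError` inside a later permission check.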