My implementation of BaseAuthentication's authenticate had a bug where an AttributeError was thrown. DRF handles that by catching the thrown AttributeError and then accessing and returning "user" on Django's request instead.

The perform_authenticate tries to authenticate when "user" is missing (see invoke _authenticate but if the code for authenticating throws an AttributeError, then Django's request's user will be accessed instead, see __getattribute__.

The result of this behaviour was that the request was authorised when entering the DRF view but when executing request.user inside the view an AnonymousUser instance was received instead of an instance of my class that inherits BaseAuthentication and implements authenticate(self, request).

AttributeError thrown when accessing "user" attribute on a DRF request shouldn't be caught and it shouldn't access user on Django's request.

One simple but ugly way to solve it would be to check if attr is "user" at https://github.com/tomchristie/django-rest-framework/blob/master/rest_framework/request.py#L357 and in that case rethrow the AttributeError instead of accessing the attribute on _request.