Description
Discussed in #8184
Originally posted by willbeaufoy September 24, 2021
If you call `APIClient.force_authenticate()` with a `token` param but without a `user` param, `self.handler._force_token` is set to the provided token, but then `self.logout()` is called, which immediately sets `self.handler._force_token` to `None` again. Surely this is not intended? The docstring and the docs say you can use either a user or a token or both, but in reality you cannot just use a token.
I discovered this while writing a unit test for an endpoint with access authorised by the OAuth client credentials method (provided by django-oauth-toolkit), where requests have a token but no user. Therefore I tried to authenticate then call my endpoint like this:
```python
from http import HTTPStatus

from rest_framework.test import APITestCase


class MyTests(APITestCase):
    def test_endpoint(self):
        # ... Code to create valid access_token here
        # Token-only authentication: no user object is involved (client credentials flow)
        self.client.force_authenticate(token=access_token)
        response = self.client.get("/my/endpoint/")
        self.assertEqual(response.status_code, HTTPStatus.OK)
```
But my test fails as I get a 401 Unauthorized response.
However, if I comment out the line in `APIClient.logout()` that sets `self.handler._force_token` to `None`, the request makes it through to my endpoint successfully and my test passes.
The PR that changed the `logout()` method to set `self.handler._force_user` and `self.handler._force_token` to `None` was done for an unrelated reason. Perhaps at the time it was overlooked that this broke the case I am trying to test above?
If you agree that this current apparently broken behaviour is a bug, then I can do a PR to fix it.
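The state sequence the report describes, as an added stand-alone model (not Django REST framework's own code, and not the reporter's): `BuggyClient` reproduces the `force_authenticate()` -> `logout()` ordering that wipes a token-only login, and `FixedClient` shows one candidate fix, only falling back to `logout()` when neither a user nor a token was supplied. `FakeHandler`, the class names and `auth_state()` are assumptions made for the example; the real handler also clears session state, which is omitted here.

```python
class FakeHandler:
    """Stands in for the request handler that carries the forced credentials."""

    def __init__(self):
        self._force_user = None
        self._force_token = None


class BuggyClient:
    """Models the behaviour the issue reports: any call without a user
    ends in logout(), which also discards a token that was just set."""

    def __init__(self):
        self.handler = FakeHandler()
        self._credentials = {}

    def force_authenticate(self, user=None, token=None):
        self.handler._force_user = user
        self.handler._force_token = token
        if user is None:
            self.logout()  # meant to clear stale session state; also clears the token

    def logout(self):
        # Clears explicit credentials and any force_authenticate() state.
        self._credentials = {}
        self.handler._force_user = None
        self.handler._force_token = None


class FixedClient(BuggyClient):
    """Candidate fix (an assumption, not the project's patch): only reset
    when force_authenticate() was called with no credentials at all."""

    def force_authenticate(self, user=None, token=None):
        self.handler._force_user = user
        self.handler._force_token = token
        if user is None and token is None:
            self.logout()


def auth_state(client_cls, user=None, token=None):
    """Return (forced_user, forced_token) as a request would see them."""
    client = client_cls()
    client.force_authenticate(user=user, token=token)
    return client.handler._force_user, client.handler._force_token


if __name__ == "__main__":
    # Constructed sample token; the buggy client loses it, the fixed one keeps it.
    print(auth_state(BuggyClient, token="constructed-token"))  # (None, None)
    print(auth_state(FixedClient, token="constructed-token"))  # (None, 'constructed-token')
```

The last two checks in the test also confirm the fix does not regress the cases that already worked: user-only, user plus token, and a bare `force_authenticate()` used to clear authentication.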