Ensure admin API always uses SessionAuthentication backend

Fixes #5585 and (at least partly) #5628

wagtail/admin/api/endpoints.py

@@ -1,5 +1,7 @@
 from collections import OrderedDict
 
+from rest_framework.authentication import SessionAuthentication
+
 from wagtail.api.v2.endpoints import PagesAPIEndpoint
 from wagtail.api.v2.filters import (
     ChildOfFilter, DescendantOfFilter, FieldsFilter, ForExplorerFilter, OrderingFilter,
@@ -13,6 +15,7 @@ from .serializers import AdminPageSerializer
 
 class PagesAdminAPIEndpoint(PagesAPIEndpoint):
     base_serializer_class = AdminPageSerializer
+    authentication_classes = [SessionAuthentication]
 
     # Use unrestricted child_of/descendant_of filters
     # Add has_children filter

wagtail/tests/settings.py

@@ -220,3 +220,13 @@ WAGTAILADMIN_RICH_TEXT_EDITORS = {
         'WIDGET': 'wagtail.tests.testapp.rich_text.CustomRichTextArea'
     },
 }
+
+
+# Set a non-standard DEFAULT_AUTHENTICATION_CLASSES value, to verify that the
+# admin API still works with session-based auth regardless of this setting
+# (see https://github.com/wagtail/wagtail/issues/5585)
+REST_FRAMEWORK = {
+    'DEFAULT_AUTHENTICATION_CLASSES': [
+        'rest_framework.authentication.BasicAuthentication',
+    ]
+}