I am using DRF with JWT (JSON Web Token) authentication. I want to use django's built-in reset password functionality. So, I have included the urls:
url('^', include('django.contrib.auth.urls')),
But, of course, under an API, calling https://.../password_reset/ results in a CSRF token missing error. I am wondering which approach I should take to solve this. Should I change the built-in reset_password view and remove CSRF protection? Is it a better idea to create a DRF endpoint that accepts the email (the reset_password view's POST parameter) and then somehow generate a CSRF token and send it to the view with redirect(reverse("reset_password"), email=email) ... but then, redirect will not send a POST request to the reset_password view. Maybe saving the email to the session? Any advice will help.
I think in the case of a password reset endpoint it is safe to remove CSRF protection. CSRF protection is for authenticated endpoints to prevent other websites from using a user's stored credentials to gain unauthorized access. Since the PasswordResetForm used by Django doesn't do anything other than send an e-mail, an attacker can't really do much other than annoy a user by spamming them with password reset emails.
You could use a third party for this, but if all you're doing is adding a password reset endpoint, you just need a few lines of code.
views.py
import json
from django.contrib.auth.forms import PasswordResetForm
from django.http.response import HttpResponse
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.http import require_http_methods


@csrf_exempt
@require_http_methods(['POST'])
def email_password_reset(request):
    # the POST body should be in the format {'email': 'user@user.com'}
    try:
        # you could also uncomment the following line if you wanted this view to be anonymous only
        # assert not request.user.is_authenticated()
        assert request.META.get('CONTENT_TYPE', '') == 'application/json'
        body = json.loads(request.body)
    except (AssertionError, TypeError, ValueError):  # ValueError covers a malformed JSON body
        pass
    else:
        form = PasswordResetForm(body)
        if form.is_valid():
            form.save()  # sends the reset e-mail; nothing about the account is returned
    finally:
        # the caller always gets a bare 200, whatever happened above
        return HttpResponse(status=200)
urls.py
urlpatterns = patterns(...
    # no leading slash: Django matches URL patterns against the path without it
    url(r'^api/password_reset/$', 'email_password_reset', name='email-password-reset'),
...)
In my frontend I'm logging into another app's API in the browser. I'm then redirected back to my app, which hits a view in my backend that gets a code from the other app's API, sends the code back in a POST request, then receives an access token and stores it in a model associated with the current user.
My problem is that after the user gives permission to the other app in the browser, it redirects back to my backend view without the user's token in the header, so if I have permission_classes set it won't allow the user to access that view... but if I take the permission_classes off, the view won't know who the current user is.
View #1 that prepares the other app's API url:
from requests import Request
from rest_framework import authentication, permissions, status
from rest_framework.response import Response
from rest_framework.views import APIView

# REDIRECT_URL and CLIENT_ID come from the project's settings (not shown in the post)


class getAPIAuthURL(APIView):
    authentication_classes = [authentication.TokenAuthentication]
    permission_classes = [permissions.IsAuthenticated]

    def get(self, request):
        scopes = 'scopes'
        # build the authorization URL the frontend sends the browser to
        url = Request('GET', 'https://accounts.api.com/authorize',
                      params={
                          'scope': scopes,
                          'response_type': 'code',
                          'redirect_uri': REDIRECT_URL,
                          'client_id': CLIENT_ID
                      }
                      ).prepare().url
        return Response(url, status=status.HTTP_200_OK)
View #2 that gets data and stores it in model (this is the REDIRECT_URL from previous view):
from requests import post
from django.shortcuts import redirect
# (plus the imports shown for View #1)


class APICallback(APIView):
    authentication_classes = [authentication.TokenAuthentication]
    permission_classes = [permissions.IsAuthenticated]

    # APIView dispatches on the HTTP method name, so the handler must be get()
    def get(self, request, format=None):
        # the browser arrives here from the other app's redirect with ?code=...
        code = request.GET.get('code')
        if not code:
            return Response({'Error': 'Code not found in request'}, status=status.HTTP_400_BAD_REQUEST)
        response = post('https://accounts.api.com/api/token', data={
            'code': code,
        }).json()
        print(response)
        user = request.user
        access_token = response.get('access_token')
        token = APITokenModel(user=user, access_token=access_token)
        token.save()
        return redirect('frontend')
I have other views that make requests, and they have been able to get the token to know who the user is, but when this view is called I get a 401 Unauthorized error.
How do I let Django know the token I'm receiving from the other app's API belongs to the current user?
Also... when I take the permission and authentication classes off the view, it returns the user as AnonymousUser.
First, what authentication class are you using? You should know that your TokenAuthentication class uses the Authorization header in your request to authenticate you. If that's not been passed then you should fix that.
It would be worth knowing that you don't send auth tokens as GET parameters, and they should not be sent that way. Unless of course you want to write an Authentication class of your own.
EDIT
In light of our discussion in the comments, try this redirect...
# import the class
from django.http import HttpResponseRedirect
# now redirect
return HttpResponseRedirect(redirect_to="url", headers=dict)
I'm using Django for my API and React for my frontend app. My problem is I do not know how to get the CSRF token which is needed to submit the login form (I do not need a registration form, just a few users). This is the code for handling /accounts/login:
from django.contrib.auth import authenticate, login
from django.contrib.auth.models import User
from django.http import JsonResponse
from json import loads


def login_user(request):
    body_unicode = request.body.decode('utf-8')
    body = loads(body_unicode)
    username = body['username']
    pwd = body['pwd']
    user = authenticate(request, username=username, password=pwd)
    try:
        # authenticate() returns None on failure, so this raises AttributeError -> 401 below
        if user.is_authenticated:
            login(request, user)
            email = User.objects.get(username=username).email
            return JsonResponse({"username": username,
                                 "pwd": pwd,  # echoes the submitted password back to the client
                                 "email": email},
                                status=200)
    except Exception as expt:
        return JsonResponse({"error": str(expt)}, status=401)
And in my React app I'm trying to make a request to log in at /accounts/login using the X-CSRFToken header and the CSRF token gotten by the getCookie() function (found here), but it is always null and the response is always rejected with a 403 status code.
Could you please show me how I can handle that situation? (I do not want to use csrf_exempt, which poses security issues.)
I've gone through the docs of Provider and Resource of Django OAuth Toolkit, but all I'm able to find is how to 'authenticate' a user, not how to register a user.
I'm able to set up everything on my machine, but not sure how to register a user using username & password. I know I'm missing something very subtle. How do I exactly register a user and get an access token in return to talk to my resource servers.
OR
Is it like that I've to first register the user using normal Django mechanism and then get the token of the same?
You can do what you are asking, and it's your lucky day. I faced that problem when I first started working with Django and oauth-toolkit.
The following is my implementation using django-rest-framework. It will register the user, authenticate and return an oauth response.
The thought is this:
Using django models we save the new user using the proper serializers and models.
In the same response, we create a new oauth token and return it to the user.
serializers.py
from rest_framework import serializers
from . import models
from django.utils.translation import gettext_lazy as _


class RegisterSerializer(serializers.ModelSerializer):
    confirm_password = serializers.CharField()

    def validate(self, data):
        try:
            user = models.User.objects.filter(username=data.get('username'))
            if len(user) > 0:
                raise serializers.ValidationError(_("Username already exists"))
        except models.User.DoesNotExist:
            pass
        if not data.get('password') or not data.get('confirm_password'):
            raise serializers.ValidationError(_("Empty Password"))
        if data.get('password') != data.get('confirm_password'):
            raise serializers.ValidationError(_("Mismatch"))
        return data

    def create(self, validated_data):
        # confirm_password is not a model field, and create_user() hashes the password;
        # the default ModelSerializer.create() would pass it through and store it as plain
        # text, so the token request below could never verify it.
        # (assumes models.User is Django's user model or a subclass with a UserManager)
        validated_data.pop('confirm_password', None)
        return models.User.objects.create_user(**validated_data)

    class Meta:
        model = models.User
        fields = ('username', 'first_name', 'last_name', 'password', 'confirm_password', 'is_active')
        extra_kwargs = {'confirm_password': {'read_only': True}}
view.py
from rest_framework.views import APIView
from rest_framework.response import Response
from rest_framework import status, permissions
from oauth2_provider.settings import oauth2_settings
from braces.views import CsrfExemptMixin
from oauth2_provider.views.mixins import OAuthLibMixin
import json
from . import models
from . import serializers
from django.utils.decorators import method_decorator
from django.http import HttpResponse
from django.views.generic import View
from django.views.decorators.debug import sensitive_post_parameters
from django.utils.translation import gettext_lazy as _
from django.db import transaction


class UserRegister(CsrfExemptMixin, OAuthLibMixin, APIView):
    permission_classes = (permissions.AllowAny,)

    server_class = oauth2_settings.OAUTH2_SERVER_CLASS
    validator_class = oauth2_settings.OAUTH2_VALIDATOR_CLASS
    oauthlib_backend_class = oauth2_settings.OAUTH2_BACKEND_CLASS

    def post(self, request):
        if request.auth is None:
            data = request.data
            data = data.dict()
            serializer = serializers.RegisterSerializer(data=data)
            if serializer.is_valid():
                try:
                    with transaction.atomic():
                        user = serializer.save()
                        # the same POST body carries the password-grant fields, so the
                        # new user is issued a token in the same round trip
                        url, headers, body, token_status = self.create_token_response(request)
                        if token_status != 200:
                            # raising inside the atomic block rolls the new user back
                            raise Exception(json.loads(body).get("error_description", ""))
                        return Response(json.loads(body), status=token_status)
                except Exception as e:
                    return Response(data={"error": str(e)}, status=status.HTTP_400_BAD_REQUEST)
            return Response(data=serializer.errors, status=status.HTTP_400_BAD_REQUEST)
        return Response(status=status.HTTP_403_FORBIDDEN)
urls.py
from django.conf.urls import url
from oauth2_provider import views as oauth2_views
from . import views

urlpatterns = [
    url(r'^user/register/$', views.UserRegister.as_view()),
]
You have to create the user using normal Django mechanism (For example, you can add new users from admin or from django shell). However, to get access token, OAuth consumer should send a request to OAuth server where user will authorize it, once the server validates the authorization, it will return the access token.
You must register users separately.
django-oauth-toolkit is necessary if you're going to, e.g., support an Alexa Skill that requires "linking" accounts. Amazon needs a token representing an existing user on your system.
django-allauth makes it easy to provide signup via third parties, e.g. Amazon, Google or Slack. You might consider using it to streamline user registration, e.g. during Alexa account "linking".
For a toy Slack command integration I wrote, I added custom code to create new django users based on their unique Slack user id, skipping the OAuth "sign in with Slack" workflow entirely. Only once those django users exist can django-oauth-toolkit issue tokens for them.
I'm registering users with the regular Django mechanism combined with django-oauth-toolkit's application client details (client id and client secret key).
I have a separate UserRegisterApiView which is not restricted with token authentication, but it checks for the client id and client secret key while making a POST request to register a new user. In this way we restrict register URL access to only registered OAuth clients.
Here is the registration workflow:
User registration request from the React/Angular/View app with client_id and client_secret.
Django checks if client_id and client_secret are valid; if not, it responds 401 Unauthorized.
If they are valid and the registration data is valid, register the user.
On a successful response, redirect the user to the login page.
I am working on a Django website and I am using Django Auth for user authentication. For authorization I am using request.user.is_authenticated() in my Django views, but this way I have to write the same code in each and every view, because on my site only the homepage, registration page and login page can be accessed without login. So in each and every view I have to write this code:
from django.http import HttpResponse
from django.shortcuts import render


def dashboard(request):
    if request.user.is_authenticated():
        return render(request, 'home/dashboard.py')
    else:
        return HttpResponse('User is not logged In')
That's why I want to ask: is there any way to write the code only once for all views that cannot be accessed without login, as we do in CakePHP using AuthComponent?
Yes, just use the login_required decorator or LoginRequiredMixin
from django.contrib.auth.decorators import login_required
from django.shortcuts import render


@login_required
def dashboard(request):
    return render(request, 'home/dashboard.py')
from django.contrib.auth.mixins import LoginRequiredMixin


class MyCBV(LoginRequiredMixin, GenericView):
    ...  # your view code; the mixin must be listed before the view base class
What this will do is redirect anyone attempting to access the view back to the LOGIN_URL (which can be overridden here) with a next GET parameter pointing back to the view, so that they must log in before continuing. This isn't the same as what you currently do, but it's much friendlier.
If your entire website needs to be logged in, then you can use a middleware to make this the default.
You can use @login_required instead. See here
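A middleware of the kind the answer's last point refers to, added here as an example rather than code from the answer: every view requires login unless its path is on a short allow-list (the home, registration and login pages the question says are public). The LOGIN_URL and OPEN_PATHS values are assumptions for this illustration.

```python
from urllib.parse import urlencode

LOGIN_URL = "/accounts/login/"  # assumed value of settings.LOGIN_URL
# Assumed public pages: the three the question lists as reachable without login.
OPEN_PATHS = frozenset({"/", "/accounts/login/", "/accounts/register/"})


def needs_login(path: str, is_authenticated: bool) -> bool:
    """True when an anonymous request targets a path that is not on the allow-list."""
    return not is_authenticated and path not in OPEN_PATHS


def login_redirect_url(login_url: str, next_path: str) -> str:
    """Build the same kind of URL login_required produces: LOGIN_URL?next=<original path>."""
    return f"{login_url}?{urlencode({'next': next_path})}"


class LoginRequiredMiddleware:
    """Django-style middleware; list it in MIDDLEWARE after AuthenticationMiddleware,
    which is what populates request.user."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if needs_login(request.path, request.user.is_authenticated):
            # imported here so the pure helpers above can be exercised without Django installed
            from django.http import HttpResponseRedirect
            return HttpResponseRedirect(login_redirect_url(LOGIN_URL, request.get_full_path()))
        return self.get_response(request)
```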
I use Django 1.9.7 & Python 3.5
I implemented a user-creation mechanism and tried to test it with POSTMAN (Chrome application), but it doesn't work and it shows something like the following:
Forbidden (CSRF cookie not set.): /timeline/user/create/
This is the code :
urls.py
from django.conf.urls import url
from . import views

app_name = 'timeline'
urlpatterns = [
    # ex) /
    url(r'^$', views.timeline_view, name='timeline_view'),
    # ex) /user/create
    url(r'^user/(?P<method>create)/$', views.user_view, name='user_view'),
]
views.py
from django.contrib.auth import authenticate, login, logout
from django.contrib.auth.models import User
from django.shortcuts import render, HttpResponse
from timeline.models import *


def timeline_view(request):
    return HttpResponse('hello world')


def user_view(request, method):
    if method == 'create' and request.method == 'POST':
        print("hi")
        username = request.POST.get('username')
        password = request.POST.get('password')  # the post had the username line twice here
        user = User.objects.create_user(username, password=password)
        user.first_name = request.POST.get('name', '')
        user.save()
        profile = UserProfile()
        profile.user = user
        profile.save()
        return HttpResponse('create success')
    else:
        return HttpResponse('bad request', status=400)
I tried Django CSRF Cookie Not Set, but I think that post is for a past version.
For testing I used the @csrf_exempt decorator.
from django.views.decorators.csrf import csrf_exempt


@csrf_exempt
def user_view(request, method):
    ...
Now you should be able to call this function without the CSRF cookie.
(Last time I tried it, I was using Django 1.8.7.)
source:
https://docs.djangoproject.com/en/1.9/ref/csrf/#edge-cases
You should put CSRFToken in request headers.
After sending request via postman, look at the response Cookies section, take csrftoken value and put in Headers section of request, like this:
key:X-CSRFToken
value: jSdh6c3VAHgLShLEyTjH2N957qCILqmb #your token value
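The csrftoken cookie / X-CSRFToken header pairing that both the React login question above and this Postman answer hinge on, as a simplified pure-Python model added here (not Django's own code): the cookie holds a 32-character secret, the header carries a salted (masked) copy, and the server unmasks the header value and compares it to the cookie. The layout assumed is that of recent Django (unmasked cookie, masked token); function names are mine.

```python
import hmac
import secrets
import string

# Same alphabet and secret length Django uses (62 characters, 32-character secret).
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
SECRET_LENGTH = 32
_INDEX = {c: i for i, c in enumerate(CSRF_ALLOWED_CHARS)}


def new_secret() -> str:
    """Per-session secret; this is what the csrftoken cookie carries."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(SECRET_LENGTH))


def mask(secret: str) -> str:
    """Token handed to the page/JS: a random salt followed by the secret shifted by that salt,
    so every token looks different even though it encodes the same cookie secret."""
    salt = new_secret()
    n = len(CSRF_ALLOWED_CHARS)
    shifted = "".join(CSRF_ALLOWED_CHARS[(_INDEX[s] + _INDEX[k]) % n] for s, k in zip(secret, salt))
    return salt + shifted


def unmask(token: str) -> str:
    """Recover the secret from a masked token (inverse of mask())."""
    salt, shifted = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(CSRF_ALLOWED_CHARS[(_INDEX[c] - _INDEX[k]) % n] for c, k in zip(shifted, salt))


def csrf_check(cookies: dict, headers: dict, method: str = "POST") -> tuple:
    """Return (accepted, reason) for one request: cookie secret must equal the unmasked header token."""
    if method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True, "safe method, not checked"
    secret = cookies.get("csrftoken")
    if secret is None:
        return False, "CSRF cookie not set."  # the message in the Postman question above
    token = headers.get("X-CSRFToken", "")
    if len(token) != 2 * SECRET_LENGTH or any(c not in _INDEX for c in token):
        return False, "CSRF token missing or incorrect."  # header absent: the React 403
    if not hmac.compare_digest(unmask(token), secret):
        return False, "CSRF token missing or incorrect."  # header from another session
    return True, "ok"
```

In the React case the header can only be filled if an earlier Django response actually set the cookie (a view decorated with ensure_csrf_cookie does that) and CSRF_COOKIE_HTTPONLY is False so document.cookie can read it.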
Sometimes it is a version problem in Postman:
I have faced the same problem while sending the data with the POST method using an old version of Postman.
At that time I received empty JSON data on the server side.
I fixed this problem once I uninstalled the old version of Postman and installed the latest version.
Use the statement below on top of each and every view function definition (views.py). We don't need to use CSRF related statements.
@api_view(["POST", "GET"])
eg:
from rest_framework.decorators import api_view
from rest_framework.response import Response
from rest_framework import status


@api_view(["POST", "GET"])
def GivenInput(request):
    try:
        data = request.data  # body parsed by DRF according to Content-Type
    except Exception as e:  # the original snippet showed only this error branch
        return Response(e.args[0], status.HTTP_400_BAD_REQUEST)
    return Response(data)
Note*:
But I don't know of any alternative way to make it global throughout the file.