I am making an API in Flask for a simple jQuery mobile + PhoneGap app to be packaged and downloaded. As I understand, all the calls to the database should be made with JavaScript, AJAX, and JSON. Since the app is about the user, and all of the views draw data from the logged user, I am not sure how to proceed with the authentication. As I understand, the workflow should be:
user logs in (json encoded username and password)
server generates token with expiration (i.e. 24h) for that user
this token is saved on the mobile app as a cookie or in localstorage
all of the calls to the server are done with this token which identifies the current user: /api/token=12345
when the toke expires, a new login prompt is required
I thought of implementing this with Flask-Security's authentication token. Is there a more straightforward way of accomplishing this?
Flask-JWT seems like a pretty straight-forward solution.
Then on the front end you can just add an HTTP interceptor to add X-Auth-Token to the headers or something.
Related
I am new to APIs and I need to be able to authenticate users using a GET request, in order to automate processes in airflow.
Is it possible to authenticate using GET request? For example:
hhtp://localhost:8000/transformar?user:password
In general, it is a very bad idea to do password authentication in a GET request. The obvious reason is that you have the username and password in the URL params (after ?).
The standard way of doing it is having a login API something like
POST http://localhost:8000/login and provide the username and password in form-data. When you authenticate the user, you can return a token. This can be an API Key of a JWT token, etc.
Now, using this token you want to send any following requests. So, in the next GET request, place this token in your header under "Authentication". Once you verify the token, you can return response data or, otherwise, raise a 403 Unauthorised error.
FastAPI provides proper documentation on how to implement this here.
I have a reactjs app that already has a user logged in. I attached a link to the web app that make the user able to access Django admin page, but for now it still requires the user to login.
I'd like to bypass the login as the user is already authenticated when logging into the react app.
How do I bypass the log in page and tell django that this user is already authenticated? What if I still want to get the email from request? where can I access the request object?
EDIT:
I should specify that I would like to check for auth token which I already have in my localStorage, then authenticate the external user directly. If the auth token is not present, I should still hit the django admin login page
EDIT2:
Created a custom page just to deal with Auth0 authentication. But I'm not sure what to do next. The request.user at this point is AnonymousUser which I can't really operate on. There is no way to identify who this is (but I can successfully check if this user has permission)
I plan to create a user and give it superuser permission? Is that the right approach?
EDIT3:
login(request, request.user, backend='django.contrib.auth.backends.RemoteUserBackend')
return HttpResponseRedirect("/my/url")
and i got
'AnonymousUser' object has no attribute '_meta'
Is it part of the auth problem?
You should not "bypass the login" you need to use authorized tokens... to identify that client whos is consuming the API is really you and not the anyone else
The process is really simple, once you send username and password to your backend (django) you will retorn one autorization token to your frontend (react) and every request from your frontend you will add it to header
Use django_rest_framework or something like that (as tastypie)
http://www.django-rest-framework.org/api-guide/authentication/
I am developing a native frontend application which communicates with a backend rest api built using python django rest framework.
The rest framework uses django rest framework token authentication in which every user has an authorization token and the token will have to be attached to the header of every http request to the rest api in the form of “Authorization: Token ”.
My application provides the user with two main ways to login. The first one is to register an account with username and password. This will create a django User model object and a token will be generated. This login method works well.
The second login method is to login with the user's social account. My idea is whenever an user login with their facebook account, the app will be redirected to my website which will then redirect the user to the social media of their choice. After authorizing the social media api will redirect them to my website again which a user and a token will be created. Then my website will redirect back to my native app using a custom uri with the token attached in the uri like this:
myapp://authenticate#token=xhskscjndjnccjdsdc
The native app will then parse the uri and obtain the token.
The part that I am worried about is security. This method works but attaching a token in an uri seems a bit insecure to me. Is there any best practice that I can follow? Thanks!
I can propose you to use django-rest-auth for dealing with Authentification and Registration.
With that package/library you can use Social Authentication through Facebook, Twitter, Google or other provider.
I'm using oauth2_provider + rest_framework. I have configured several client applications, and they successfully authenticate and receive access tokens.
I would like to have the client app in the request (Eg. request.client). Perhaps I should create some kind of middleware, which sets it, but I'm not sure what is the proper way to do it. Or maybe this functionality is already provided by the oauth2_provider/oauthlib, and I have overlooked it?
The client should be set when:
a valid access token is provided
valid app credentials are provided (like when requesting access token)
Python v3.5.3, Django v1.10.6
oauth2_provider AccessToken has a foreign key
to the application issued that token
You can get the application form the access token like this: application = request.auth.application
AbstractApplication class has foreign key to settings.AUTH_USER_MODEL https://github.com/evonove/django-oauth-toolkit/blob/0.12.0/oauth2_provider/models.py#L62
So if you are using default Application class you could get the clients by request.user.oauth2_providers_applications
I have read multiple tutorials on authentication but I am just as confused. I am trying to log a user in using an html form on the client device, which means I'm not using Django templates. Does it work like the following?
I send a post to rest backend with username, password combo
Django rest checks to see if valid user, and sends token back?
I save token in local storage, and send with every request of user?
What do I send from the front end to make this happen?
Yes, send a post request to a RESTful backend with username and password combo
Django authenticates the username and password and logs the user in which sets a sessionid associated with the user which I believe you are referring to as a token. This is done via the login() method. https://docs.djangoproject.com/en/dev/topics/auth/default/#django.contrib.auth.login
Normally Django would set a sessionid as a coookie or session variable on the client's machine, but I'd imagine you could save it in local storage and then retrieve it each time and validate it's a valid sessionid on each request but it's easier to just let Django's middleware take care of everything by just using sessions.