I have a problem regarding AngularJS using Django as backend. The Django framework has its authentication system, using its csrftoken.
The thing is, that over the client side, i need to make sure that the client is logged in, to let him see AngularJS' views. The problem is that the $cookieStore returns undefined when asking for the Django cookie ( $cookieStore.get('csrftoken'); ).
Currently i'm adding the auth token, by sending it in the response body from the server ( $cookieStore.put('authToken', responsePody.session_key) )
After adding the cookie 'manually', i'm manipulating it (removing when user logs out etc..)
My question is how can i access the Django cookies using cookieStore, or if there is a better way of implementing this?
Related
I'm working on a project which has it's backend on python/django and front end in react and redux with client side routing using react-router. Please suggest me some ways of doing user login authentication/validation in react with the django token generated/stored at the backend. The login flow should be something like this:
User table with email and password created in django, auth token generated by django.
User logs in for the first time, api gets called by react, on successful validation server responds with a token which I'll be storing in a session. All the subsequent calls to the api will include this token for authorization.
Secondly, I'm confused about how the secured client side routes will be authorised? On the basis of the user logged in state or what?
PS: I'm only asking suggestions for the best ways to achieve this and nothing else.
With this a year old, you may not need this, but maybe others could use it. I ran into a similar problem and wrote a package so I wouldn't have to keep writing authentication for django...
drf-redux-auth
It's just provides actions, reducers, and basic (example) components for authenticating with Django Rest Framework using token authentication.
I'd be interested to hear how you decided to handle the authorization piece with react-router...
I am developing a back-end for a webpage using Django Rest Framework. The webpage will be public, and it will only fetch information from this service. Thus, I have to deploy both service and webpage.
Since the webpage is public access (without any type of login) I can avoid having to set up the SSL stuff. However, by default, the DRF comes with the browsable API and the login field. I know I can remove the browsable API, but is it enough?
For instance, the configurations I would have would be:
(removing the BrowsableAPIRenderer)
'DEFAULT_RENDERER_CLASSES': ( 'rest_framework.renderers.JSONRenderer',
'rest_framework.renderers.JSONPRenderer',
'rest_framework_csv.renderers.CSVRenderer', )
and:
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_METHODS = (
'GET',
'HEAD',
'OPTIONS',
)
I am using https://github.com/ottoyiu/django-cors-headers for the CORS stuff.
Would this be enough to avoid unwanted login atempts? Is there any specific way to disable this option?
What 'DEFAULT_PERMISSION_CLASSES' shoul I use?
Best regards and thanks for any help!
If you have a login, but you don't have SSL, then your users are vulnerable to packet sniffing of credentials on many wifi and ethernet networks. Such a vulnerability can be trivially exploited with the Firesheep firefox plugin. Due to users' habit of reusing passwords, you could end up compromising their security to a more critical website. This is very unfortunate. It isn't entirely your problem if users reuse their password, but SSL should be a base layer of protection to your users.
While it is possible to use Django templates with Django Rest Framework (DRF) as the backend, you are not limited to using Django for your front-end. Consider AngularJS with DRF. Anyways, there is a significant learning curve for AngularJS, but you needn't limit yourself to having Django supply your front-end.
As far as removing the DRF BrowsableAPIRenderer, you will get some protection from "security through obscurity", but you really need to lock down your APIs through a proper permission model as an attacker can easily look at traffic generated by your front-end to your back-end and then manipulate the requests to your back-end. So, discoverability of your interface by an adversary will not be significantly reduced through getting rid of BrowsableAPIRenderer. It will only obscure back-end resources that your front-end isn't currently using and it will also make your life as a front-end dev a little more painful.
For DEFAULT_PERMISSION_CLASSES, take a gander at DRF permissions documentation. If you only have two user groups - logged in/authenticate and not logged in, then IsAuthenticatedOrReadOnly is a good place to start. If you start to have per-model permission bifurcation for different user groups, then
DjangoModelPermissions is a good place to dig into.
I have a website in Django and I'm developing an Android app. In one activity I have to login the user. I have installed the Django Rest Framework but I'm afraid that is insecure to send the username and password. What's the best way to do a login using Rest Framework?
You may use basic authentication, by providing an user name and password, but it has to be done over https. Otherwise, there are different other authentication mechanism you may use. Have a look here. The appropriate one for a mobile application would probably be token authentication.
One of the most popular ways to authenticate with REST APIs is through tokens. What this essentially means is to set up an API endpoint that receives the "username" and "password" and responds with a token. And then each request make to the API should go with this token as a header or a param, and get resolved and validated before running the function behind the API. This way you username and password will only be send once. Of course, even with this, it is recommended to use HTTPS.
A good way to do this is to use djangorestframework-jwt (http://getblimp.github.io/django-rest-framework-jwt/). This is an app providing JSON Web Token functionality for Django Rest Framework APIs.
I have a web application written in raw python and hosted on apache using mod_python. I am building another web application which is django based and will be hosted on same server using mod_wsgi.
Now, the scenerio is such that user will login from the web page which is using mod_python and a link will send him to my application which will be using mod_wsgi. My question is how can I maintain session? I need the same authentication to work for my application.
Thanks in advance.
If you're using django with mod_wsgi and a raw python page which only serve a link to django application, you don't need to maintain session on both page. When user click on first link and reach the django application, just check session there.
Django have session_db which use memcache. More information can be found here:
Django Sessions
SSO across web applications is poorly supported. One thing you can look at is:
http://www.openfusion.com.au/labs/mod_auth_tkt/
What you can do is really going to depend though on what authentication database you are currently using in the mod_python application and how you are remembering that someone is logged in. If you can provide that information, may be able to suggest other things.
Conceptually: store a cookie using your raw python web page that you process in a "welcome" view or custom middleware class in Django, and insert them into the sessions db. This is basically what hungnv suggests.
The most ridiculous way to do this would be to figure out how Django deals with sessions and session cookies, insert the correct row into Django's session database from your raw python app, and then custom-set the session cookie using Django's auth functions.
After searching the internet, people normally deal with this situation---the front-end is generated by django view function which can send user the cookie of csrf token. When user has a request to server using ajax, people can rewrite the ajaxSend behavior which send the csrf to server.
However, my situation is that my front-end is totally separated from back-end, ie, my front-end is in a dedicated server running nginx, and I only have one html providing all of the different pages using hashbang. My back-end is running in different server using different domain name, and in this case, how does client obtain the csrf cookie? My back-end only provided json api return.
Thank you.
This post is quite old but for people who still wander here:
For client-server setups, such as native desktop and mobile clients (and separate front end like the OP's case), it is best to use Django Rest Framework's Token Authentication. Link
If you look at the CRSF token source: you can see that all the csrf_middleware does it check the cookie against the post value. You just need to get the post value back to your server since the cookie should of already been set though ajax. If you look at the template tag source you can see that it is just taking the variable out of the context. Either stick it in your response by pulling it out of the context if it is available or calling the context processor directly. Now you just need to send it back as the POST variable crsf_token.
Lets say, frontend has the domain frontend.example.com, and backend domain backend.example.com. (If you are something like Django rest framework)
If you can use there are two ways you can enable security layer i.e.,. CSRF Protection or CORS
For CORS,
pip install django-cors-headers
and then configuring this to INSTALLED_APPS, MIDDLEWARE_CLASSES and add the frontend domain to CORS_ORIGIN_WHITELIST.
CORS_ORIGIN_WHITELIST = (
'frontend.example.com'
)
CORS will block any http request arising from any domains other than frontend.example.com
For CSRF,
CSRF_COOKIE_DOMAIN = ".mydomain.com"
and if you are using an Angular App, do like below,
$httpProvider.defaults.xsrfCookieName = 'csrftoken';
$httpProvider.defaults.xsrfHeaderName = 'X-CSRFToken';
$httpProvider.defaults.withCredentials = true;
and then add headers while make a http request.
headers : {
"x-csrftoken" : $cookies.csrftoken
}