I have read multiple tutorials on authentication but I am just as confused. I am trying to log a user in using an html form on the client device, which means I'm not using Django templates. Does it work like the following?
I send a post to rest backend with username, password combo
Django rest checks to see if valid user, and sends token back?
I save token in local storage, and send with every request of user?
What do I send from the front end to make this happen?
Yes, send a post request to a RESTful backend with username and password combo
Django authenticates the username and password and logs the user in which sets a sessionid associated with the user which I believe you are referring to as a token. This is done via the login() method. https://docs.djangoproject.com/en/dev/topics/auth/default/#django.contrib.auth.login
Normally Django would set a sessionid as a cookie or session variable on the client's machine, but I'd imagine you could save it in local storage and then retrieve it each time and validate it's a valid sessionid on each request. It's easier, though, to just let Django's middleware take care of everything by using sessions.
I am trying to build an external API in django, such that any third party application can log into my Django application with their specific username and password, and further use all the authenticated calls in the Django application.
As I understand, in Django, there is a GET call that creates the csrf_token, and an op_browser_state token, which is saved in Cookies. Once the user enters the username and password, and selects login. Internally, the session id is added via the middleware between request and response, after the auth.login is successful, with the username and the password. The session_id, along with the csrf_token and op_browser_state are saved in the cookies, and used for all the further calls made via Django APIs, which may be using SessionAuthentication.
So, if I am able to save the cookies for the session_id, csrf_token and op_browser_state for the Django application hostname, I should be able to solve it. I tried creating an external API, which does the login for the given combination of username and password, and returns the values of csrf_token and session_id as generated by the API. However, this didn't work, since it looks like it is not storing the cookies for the Django application, and instead for the third party application. Thus, I am unable to skip the login page in the Django application to get into any other page.
Is there a way such that I can write an API, that directly logs into a Django application, that is using BasicAuthentication and SessionAuthentication, and saves the related session_id and csrf_token into the cookies, and directly allows us to log into the platform? Or if there is any other custom solution possible for the same?
I am new to APIs and I need to be able to authenticate users using a GET request, in order to automate processes in airflow.
Is it possible to authenticate using GET request? For example:
http://localhost:8000/transformar?user:password
In general, it is a very bad idea to do password authentication in a GET request. The obvious reason is that you have the username and password in the URL params (after ?).
The standard way of doing it is having a login API something like
POST http://localhost:8000/login and provide the username and password in form-data. When you authenticate the user, you can return a token. This can be an API key or a JWT token, etc.
Now, using this token you want to send any following requests. So, in the next GET request, place this token in your header under "Authentication". Once you verify the token, you can return response data or, otherwise, raise a 403 Unauthorised error.
FastAPI provides proper documentation on how to implement this here.
I have a reactjs app that already has a user logged in. I attached a link to the web app that make the user able to access Django admin page, but for now it still requires the user to login.
I'd like to bypass the login as the user is already authenticated when logging into the react app.
How do I bypass the log in page and tell django that this user is already authenticated? What if I still want to get the email from request? where can I access the request object?
EDIT:
I should specify that I would like to check for the auth token which I already have in my localStorage, then authenticate the external user directly. If the auth token is not present, I should still hit the Django admin login page.
EDIT2:
Created a custom page just to deal with Auth0 authentication. But I'm not sure what to do next. The request.user at this point is AnonymousUser which I can't really operate on. There is no way to identify who this is (but I can successfully check if this user has permission)
I plan to create a user and give it superuser permission? Is that the right approach?
EDIT3:
login(request, request.user, backend='django.contrib.auth.backends.RemoteUserBackend')
return HttpResponseRedirect("/my/url")
and I got
'AnonymousUser' object has no attribute '_meta'
Is it part of the auth problem?
You should not "bypass the login"; you need to use authorized tokens to identify that the client who is consuming the API is really you and not anyone else.
The process is really simple: once you send the username and password to your backend (Django), you return an authorization token to your frontend (React), and on every request from your frontend you add it to the header.
Use django_rest_framework or something like that (such as tastypie).
http://www.django-rest-framework.org/api-guide/authentication/
I am making an API in Flask for a simple jQuery mobile + PhoneGap app to be packaged and downloaded. As I understand, all the calls to the database should be made with JavaScript, AJAX, and JSON. Since the app is about the user, and all of the views draw data from the logged user, I am not sure how to proceed with the authentication. As I understand, the workflow should be:
user logs in (json encoded username and password)
server generates token with expiration (i.e. 24h) for that user
this token is saved on the mobile app as a cookie or in localstorage
all of the calls to the server are done with this token which identifies the current user: /api/token=12345
when the token expires, a new login prompt is required
I thought of implementing this with Flask-Security's authentication token. Is there a more straightforward way of accomplishing this?
Flask-JWT seems like a pretty straight-forward solution.
Then on the front end you can just add an HTTP interceptor to add X-Auth-Token to the headers or something.
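The flow the answers above describe (POST the credentials once, get back a signed token with an expiry, then send that token in a request header instead of putting credentials in a GET URL) can be written with only the Python standard library. The block below is an added example, not code from any of the posts or from FastAPI, Flask-JWT or Django: it stores a salted PBKDF2 hash instead of the password, issues an HMAC-signed token that carries the 24h expiry from the Flask question, and reads it back from the standard Authorization header with a Bearer scheme. The secret, salt, user table and the 24h TTL are constructed placeholders for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server secret: in a real deployment load it from configuration.
SERVER_SECRET = b"constructed-example-secret-change-me"
TOKEN_TTL_SECONDS = 24 * 3600  # the 24h expiry mentioned in the question above

# Constructed user store: username -> salted PBKDF2 hash. Only the hash is kept.
_SALT = b"constructed-static-salt"  # use a random per-user salt in practice


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": _hash_password("correct horse", _SALT)}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def login(username, password, now=None):
    """POST /login handler: check credentials, return a signed expiring token or None."""
    expected = USERS.get(username)
    # Hash even for unknown users so the response time does not reveal valid usernames.
    candidate = _hash_password(password, _SALT)
    if expected is None or not hmac.compare_digest(expected, candidate):
        return None
    now = int(now if now is not None else time.time())
    claims = {"sub": username, "exp": now + TOKEN_TTL_SECONDS, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token, now=None):
    """Return the username for a correctly signed, unexpired token, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected_sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):  # constant-time compare
        return None
    claims = json.loads(payload)
    now = int(now if now is not None else time.time())
    if now >= claims["exp"]:
        return None
    return claims["sub"]


def authenticate_request(headers, now=None):
    """Read 'Authorization: Bearer <token>' from a request; return the username or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return verify_token(token, now=now)


if __name__ == "__main__":
    tok = login("alice", "correct horse")
    print("issued:", tok)
    print("user for request:", authenticate_request({"Authorization": f"Bearer {tok}"}))
```

The signature covers the whole payload, so a client that edits the expiry or the subject in localStorage gets a token the server rejects; storing the token in localStorage still leaves it readable to any script running on the page, which is the trade-off the earlier answer hints at when it recommends letting session cookies do the work.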
I want to implement a software client which will interact with a Django server. I need users logging in on the client.
Is it possible to check that a user is in the database and that the password is correct, using only the username and password? Something like:
if user_valid(username, password):
    do_something()  # hypothetical action
I don't want to send the password in the open; is it possible to send only its hash? How can I obtain a valid hash? The auth method in this case should be:
if user_valid(username, password_hash):
    do_something()  # hypothetical action
Check out https://github.com/jpulgarin/django-tokenapi
Basically you'll need to generate a token based on the user. In the example below, the author is using the user's primary key and password.
Example:
https://github.com/jpulgarin/django-tokenapi/blob/master/tokenapi/tokens.py#L15
Following that.. you can implement a custom authentication backend .. which will allow user to login using the generated token.
Example:
https://github.com/jpulgarin/django-tokenapi/blob/master/tokenapi/backends.py#L13
More information on custom authentication backend
https://docs.djangoproject.com/en/1.7/topics/auth/customizing/#customizing-authentication-in-django
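To show what the answer's approach looks like end to end, here is an added example (not django-tokenapi's code, and not tied to Django) of a server-side user_valid plus a token derived from the user's primary key and stored password hash, with a backend-style check that recomputes the token. The user table, salt and SECRET_KEY stand-in are constructed for the example. It also shows why sending a client-computed hash in place of the password would not help the question above: the server must hash whatever it receives against its stored, salted hash, so a bare hash sent by the client would simply become the password.

```python
import hashlib
import hmac
import os

SECRET_KEY = b"constructed-example-secret"  # stand-in for settings.SECRET_KEY


def make_password(password, salt=None):
    """Salted PBKDF2 hash; returns (salt, hash). The plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: pk -> username, salt and password hash.
_s, _h = make_password("s3cret")
USERS = {1: {"username": "alice", "salt": _s, "hash": _h}}


def _lookup(username):
    for pk, row in USERS.items():
        if row["username"] == username:
            return pk, row
    return None, None


def user_valid(username, password):
    """The check the question asks for: username plus password, verified server-side."""
    pk, row = _lookup(username)
    if row is None:
        make_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    _, candidate = make_password(password, row["salt"])
    return hmac.compare_digest(candidate, row["hash"])


def make_token(pk):
    """Token keyed to the pk and the stored password hash, as the answer describes:
    changing the password changes the hash and therefore invalidates old tokens."""
    row = USERS[pk]
    msg = str(pk).encode() + b"|" + row["hash"]
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def authenticate_token(pk, token):
    """Backend-style authenticate(): recompute from the stored hash, compare in constant time."""
    if pk not in USERS:
        return None
    if hmac.compare_digest(make_token(pk), token):
        return USERS[pk]["username"]
    return None


def set_password(pk, new_password):
    """Re-salt and re-hash; every token derived from the old hash stops validating."""
    USERS[pk]["salt"], USERS[pk]["hash"] = make_password(new_password)


if __name__ == "__main__":
    assert user_valid("alice", "s3cret")
    token = make_token(1)
    print("client would store:", token)
    print("authenticates as:", authenticate_token(1, token))
```

Because the token is a function of the stored hash, the client never learns the hash itself, and a password change acts as a revocation for every previously issued token without any extra bookkeeping.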