I have a Tornado app which uses Google Oauth 2.0 Authentication, gets the email and sets that in a cookie. Now I don't want anyone else to access this cookie, copy the value and get another user's details on my app. So I want to make this cookie httponly and secure cookie. However when I pass these as arguments its not able to set the cookie:
self.set_secure_cookie('trakr', email, secure=True, httponly=True)
I am suing Tornado 3.2.2 and Python 2.7.5.
since its not able to set the cookie, it keeps redirecting to google auth page. Here is my code:
class GAuthLoginHandler(BaseHandler, tornado.auth.GoogleOAuth2Mixin):
#tornado.gen.coroutine
def get(self):
if self.get_current_user():
self.redirect('/products')
return
if self.get_argument('code', False):
user = yield self.get_authenticated_user(redirect_uri=settings.google_redirect_url,
code=self.get_argument('code'))
if not user:
self.clear_all_cookies()
raise tornado.web.HTTPError(500, 'Google authentication failed')
access_token = str(user['access_token'])
http_client = self.get_auth_http_client()
response = yield http_client.fetch('https://www.googleapis.com/oauth2/v1/userinfo?access_token='+access_token)
user = json.loads(response.body)
self.set_secure_cookie('trakr', user['email'], secure=True, httponly=True)
self.redirect(self.get_argument("next", "/products"))
return
elif self.get_secure_cookie('trakr'):
self.redirect('/products')
return
else:
yield self.authorize_redirect(
redirect_uri=settings.google_redirect_url,
client_id=self.settings['google_oauth']['key'],
scope=['email'],
response_type='code',
extra_params={'approval_prompt': 'auto'})
The code works perfectly fine when I remove secure and httponly arguments. It also works if I just send httponly argument, however it doesn't seem to set the cookie when I pass both the arguments.
Am I doing something wrong?
The issue is not with Tornado or Python, but with my server as I was not using HTTPS:
A secure cookie has the secure attribute enabled and is only used via
HTTPS, ensuring that the cookie is always encrypted when transmitting
from client to server. This makes the cookie less likely to be exposed
to cookie theft via eavesdropping. In addition to that, all cookies
are subject to browser's same-origin policy.
Related
I'm currently developing a Django-React web app and using django-rest-framework-simplejwt and dj-rest-auth for authentication.
At first I was storing JWT in frontend cookies (js-cookie) and sending tokens in the headers to get access for restricted endpoints. Since local client cookies are not HttpOnly and after some research I found out that it was not a safe method to store it on the frontend. So I decided not to store them in the client cookies.
It seems like best solution to use HttpOnly cookies, in django settings I declared cookie name as JWT_AUTH_COOKIE = 'myHttpOnlyCookie', so when I make a request from client with username and password to log-in server responses with the cookie that has the access_token.
For the login part, I didn't write any code since dj-rest-auth handles it well so I use their standard loginserializer and view.(https://github.com/jazzband/dj-rest-auth/blob/master/dj_rest_auth/serializers.py). Well maybe I should modify it.
However the problem is I can't add the token in the header of client requests since I'm not storing the token on the client and it is HttpOnly. Well I really don't know how to authenticate the user if I can't send the token in requests.
Once you make a login request to the server, tokens are added to httponly cookie by default. On consecutive requests cookies are sent by default.
Axios request for login.
axios.post('http://localhost:8080/api/auth/login/',
{'email':'test_email', 'password':'test_password'},
{withCredentials:true},
{headers:{
'Content-Type': 'application/json',
'Accept': 'application/json'
}}
)
"withCredentials" must be always set to "true", this will ensure cookies are added to the every request. Once you login, tokens are stored in httponly coolie. For next requests , refer below pseudo code.
const axiosGetReqConfig = {baseURL: '', withCredentials:true, headers:{'Content-Type':'application/json, 'Accept':'application/json'}}
axiosGetReqConfig.get('test/').then(resp => {console.log(resp)}).catch(err => {console.log(err)})
axiosGetReqConfig.interceptors.response.use(
// If request is succesfull, return response.
(response) => {return response},
// If error occured, refresh token and try again.
(error) => {
const originalRequest = error.config;
console.log(originalRequest)
// Make a call to refresh token and get new access token.
axios('http://localhost:8080/api/auth/token/refresh/', {
method:'post',
withCredentials: true
}).then(resp => {
console.log(resp);
}).catch(err => {
// push user to login page.
console.log(err)
})
// Return original request.
return axios.request(originalRequest)
return Promise.reject(error)
}
)
In the above code, I am creating config object using some basic details and implementing interceptors to refresh token if, access token is expired. If refresh token is expired, user will be re-directed to login page.
Main part with including httponly cookie is the variant that we use in making axios request and "withCredentials". There is an open issue with JWT. Since dj-rest-auth uses JWT, if you need to refresh token, you have to implement middleware in django. Refer below link to implement middleware and add that middleware to settings.
https://github.com/iMerica/dj-rest-auth/issues/97#issuecomment-739942573
I have a Python/Bottle server application, a Seaweed media server, and an NGINX web server.
I need to check the client's permission before allowing shim to download a file.
So:
User requests to download a file.
Backend checks user permission. If granted, redirects it to the file location.
But the problem is that the Seaweed secured by JWT and an Authorization header must be set.
Can I set Authorization header and then redirect user?
Yes, you can set headers on redirects. Here's one way to do it in Bottle:
#route(...)
def handler():
# after you've authorized the user, set your auth header:
response.set_header('Your-auth-header', auth_token)
# perform the redirect
response.status = 302
response.body = ''
response.set_header('Location', file_location)
raise response
(That's off the top of my head; not tested code.)
In this way, I want to set my cookie. But it fails to set.
#app.route('/')
def index():
res = flask.make_response()
res.set_cookie("name", value="I am cookie")
When I print res it shows <Response 0 bytes [200 OK] But not set cookie
You have to return the response after setting the cookie.
#app.route('/')
def index():
resp = make_response(render_template(...))
resp.set_cookie('somecookiename', 'I am cookie')
return resp
This way a cookie will be generated in your browser, but you can get this cookie in the next request.
#app.route('/get-cookie/')
def get_cookie():
username = request.cookies.get('somecookiename')
The cookie you set will be visible if you either use other tools to see it (ex: Press F12 for Developer Tools in Firefox or Chrome) or use a piece of code of JavaScript inside the rendered response.
The cookies are set on the browser by either browser itself (JavaScript) or as a response from a server.
The difference is of great importance as even if the cookie is set by the server the cookie might not be set on the browser (ex: cases where cookie are completely disabled or discarded).
So even if the server might tell "I set up the cookie" - the cookie might not be present on the browser.
For the server to be sure that the cookie was set a subsequent request from the browser is needed (with the cookie present in the request's headers).
So even if the Flask's response (res variable) will mention that the cookie is set we can only be sure that it was set by the server but it will have no confirmation about it from the browser.
Advanced
Another aspect is about how Flask or any other API is creating the responses. As the payload (html/template code) and headers (cookie) are set at same time - the "code" inside the payload (html/template code) might not have access to the cookie.
So you might not be able to set a cookie and display it in the response.
An idea might be to (be able to) first set the cookies and THEN to render the context and the order of setup to be important - so that the html/template to be aware of already setup values. But even in this case is only the server's confirmation that it set up the cookie.
A solution
#app.route('/')
def index():
res = flask.make_response()
res.set_cookie("name", value="I am cookie")
# redirect to a page that display the cookie
resp.headers['location'] = url_for('showcookies')
return resp, 302
This response will set cookie in you browser
def func():
response = make_response( render_template() )
response.set_cookie( "name", "value" )
return response
I am trying to setup token based authentication in python. using Django/DRF. but this is more about http in general i think.
When users put in username/password I return to them their token via JSON.
The client then can post the token in HTTP Header for me to check.
My problem is I want the token to persist in the header automatically, just like cookies.
When the server says "set-cookie" to browser (Chrome/FF), the browser will automatically send up the cookie without me actually doing anything. Is there something I can do with this token?
I have tried storing it in header: "Authorization", but the browser didn't return it. Is there something like "Set-Authorization"?
thanks
No, only cookies stored in browser persistently. All other headers are transient by HTTP protocol definition.
I am trying to authenticate an application with the API.
Here's How:
I am opening a URL using webbrowser.open.
The user authenticates the application, and is redirected to another URL, which is
https://stackexchange.com/oauth/login_successwith arguments encoded with this URL.
A sample redirect url is:
.../login_success#access_token=xyz&expires=00000
My Current code:
auth_url = 'https://stackexchange.com/oauth/dialog'
def authenticate():
scope = "write_access,private_info,read_inbox"
url = make_url(auth_url,client_id=132,
scope=scope,response_type='code',
redirect_uri='https://stackexchange.com/oauth/login_success')
webbrowser.open(url)
How can I get the redirect URL (the URL the user is taken to) after the user authenticates themselves???
Try to fire up your own little HTTP server for just one request, let the API redirect to it and wait for the redirected request to appear. This is not a complete example, just the basic concept:
import BaseHTTPServer
auth_url = 'https://stackexchange.com/oauth/dialog'
# replace with your own http handlers
def wait_for_request(server_class=BaseHTTPServer.HTTPServer,
handler_class=BaseHTTPServer.BaseHTTPRequestHandler):
server_address = ('', 8000)
httpd = server_class(server_address, handler_class)
return httpd.handle_request()
def authenticate():
scope = "write_access,private_info,read_inbox"
url = make_url(auth_url,client_id=132,
scope=scope,response_type='code',
redirect_uri='http://localhost:8000/login_success')
webbrowser.open(url)
wait_for_request()
You probably need to use HTTPS though. In the long run, you might be better off with an existing OAuth implementation.
After the user authenticates with stack exchange, the SE page will redirect back to your page ("redirect_uri" below). Your code currently redirects to https://stackexchange.com/oauth/login_success ; instead, you should redirect to a page you control.
Open a new window at https://stackexchange.com/oauth/dialog, with these query string parameters
client_id
scope
redirect_uri
state - optional
The user approves your app
The user is redirected to redirect_uri, with these parameters in the hash
access_token
expires - optional, only if scope doesn't contain no_expiry
source: https://api.stackexchange.com/docs/authentication