web service requests authentication django token-api - python

I want to implement a web service for an iOS application in django.
I need some kind of authentication, and I googled and heard good things about django token-api.
The only thing I don't understand, is how I make sure one authenticated user can not perform actions for another.
For example, if I have a view that has the @token_required decorator, that only promises that a valid token has been sent; however, someone can just change the PK in the request itself and make changes for another user.
How do I make sure the user who has the token, can only perform actions for himself?

On a very broad level, you need to distinguish between authentication and authorization. You can read this page as an example, or google it for more, but the basic distinction is that authentication determines that a user is who he says he is, while authorization determines what a certain user is able to see or do.
As you noted above, you can use the django-token-api to help with the authentication issue. But once you've determined that, you need to move to authorization. This is more an issue of permissions that you can set on a per-user (or per-group) basis for individual objects, views, etc.
As Ambroise noted in the comments, using an API framework can make this easier. Here is the django-rest-framework documentation for setting permissions once you have authenticated the user.
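Added example, not code from the answer above, from django-token-api or from DRF: it shows the authentication/authorization split the answer describes, on a tiny in-memory model. The vulnerable handler checks the token and then trusts the pk from the request; the fixed handler scopes the lookup to the authenticated user, which is what a filtered get_queryset() or an object-level permission (has_object_permission) does for you in Django REST Framework. Users, tokens and notes are constructed fixtures.

```python
"""Authentication says WHO is calling; authorization says WHAT they may touch.
Constructed fixtures only; the DRF equivalents are named in the comments."""

from dataclasses import dataclass


@dataclass
class Note:
    pk: int
    owner: str
    body: str


# Constructed token-to-user table (what a token model lookup gives you).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def make_fixtures():
    """Fresh copy of the notes table so each run starts from known state."""
    return {1: Note(1, "alice", "alice's note"), 2: Note(2, "bob", "bob's note")}


class AuthError(Exception):
    """401: no token, or a token that matches no user."""


class NotFound(Exception):
    """404: no such object *for this user*; hides whether the pk exists at all."""


def authenticate(headers):
    """Authentication only: 'Authorization: Token <value>' -> username.
    Answers 'who is calling?' and nothing about what they may touch."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "Token" or value not in TOKENS:
        raise AuthError("Authentication credentials were not provided.")
    return TOKENS[value]


def update_note_vulnerable(headers, pk, new_body, notes):
    """BROKEN: any authenticated user can edit any note by changing pk."""
    authenticate(headers)        # proves the caller holds *a* valid token...
    note = notes[pk]             # ...then trusts the client-supplied pk
    note.body = new_body
    return note


def update_note_fixed(headers, pk, new_body, notes):
    """Authorization added: the note must belong to the caller."""
    user = authenticate(headers)
    # Equivalent of get_queryset().filter(owner=request.user) in DRF: objects
    # the caller does not own are invisible, so a foreign pk is a 404 rather
    # than a 403 that confirms the object exists.
    note = notes.get(pk)
    if note is None or note.owner != user:
        raise NotFound(pk)
    note.body = new_body
    return note


def list_notes(headers, notes):
    """Collection endpoints need the same scoping, or /notes/ leaks every row."""
    user = authenticate(headers)
    return [n for n in notes.values() if n.owner == user]
```

The same ownership rule has to be applied on every path that reaches the object (detail, update, delete and list), which is why filtering the queryset once is safer than remembering to compare owners in each view.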

Related

Should I disable BrowsableAPIRenderer for production environment?

Hi guys, I am deploying a django project to elastic-beanstalk on AWS. It currently is working fine; however, I would like to know whether it's good or bad practice to allow the BrowsableAPIRenderer to handle requests in my browser. I tried to find anything related to it, but there is really not much documentation, if any at all. My app has a really strict permission policy; even when I access it through the browsable API, it returns the following:
{
"detail": "Authentication credentials were not provided."
}
However, it displays some sort of "information" about the endpoint. It's in that part where I find it difficult to decide whether I should allow it so that other developers can easily know what is going on, or whether it is a big risk for it to be accessible to the public.
You may find this question and its answers useful. Based on this answer, it is true that providing the BrowsableAPIRenderer would help development:
It provides simple UI interface to interact with model objects.
It can provide detailed debugging information.
A list of URLs can be shown in some API root
Based on your current settings, a user would at least need to log in, either on the DRF login page or the Django admin page, to see and interact with your API.
You can enable the BrowsableAPI in development but disable it in your production settings following this answer.
In production, I wouldn't want other users, who have write permission, to interact with the APIs via the BrowsableAPI. It will force the other users to use the front-end app or another secure app to interact with the APIs. That would provide a secure layer to forbid destructive actions done using the BrowsableAPI.

Headless authentication with flask-login

I am trying to come up with a nice way of allowing a "non-interactive" authentication for access to certain views in my Flask webapp, which currently makes use of flask-login.
At the moment, users authenticate using a web form. Credentials are then checked, and if there's a match, I call flask_login.login_user(user), where user is the user object associated with the provided username and password. I then decorate any view that requires an authenticated user with the @flask_login.login_required decorator. This works well.
I now have the need to allow access to some specific pages using a headless browser, for PDF generation. What is the best approach for accomplishing this? I'm thinking either HTTP Digest Auth or token-based (supplied through the view through a GET parameter, perhaps?), but am not sure of the best way of going about this, and how it will fit in with flask-login.
Ultimately, I'll need to call flask_login.login_user(user) (where user is the system user associated with the provided token/digest credentials) somehow, but bypassing the normal redirect back to the login page in cases where alternative credentials have been supplied. Should I be writing a new decorator (like @token_required), or is there a better way of accomplishing this?
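Added example, not code from the question above or from flask-login: a short-lived, single-purpose token that the headless browser can present when it fetches a page for PDF rendering, plus a loader that turns that token into a user. The loader has the shape of the callback registered with login_manager.request_loader in flask-login (given the request, return a user object or None, with no redirect), but a small fake request stands in for Flask's so the module runs without it. The secret, the users table and the X-Render-Token header name are assumptions made for the example.

```python
"""Signed render token (HMAC-SHA256, short TTL, bound to one purpose) and a
request_loader-style callback. Everything below is constructed for the demo."""

import base64
import binascii
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_render_token(secret: bytes, user_id: str, purpose="render", ttl=60, now=None) -> str:
    """payload.mac with mac = HMAC-SHA256(secret, payload). The TTL is short
    because a token passed as ?token=... ends up in access logs and history."""
    now = int(time.time()) if now is None else now
    claims = {"uid": user_id, "p": purpose, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(mac)


def verify_render_token(secret: bytes, token: str, purpose="render", now=None):
    """Return the user id, or None for anything malformed, forged, expired or
    minted for another purpose. The MAC is checked first, in constant time,
    before any claim is trusted."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _b64d(payload_b64), _b64d(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("p") != purpose:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims.get("uid")


class FakeRequest:
    """Stand-in for flask.request: .args (query parameters) and .headers."""

    def __init__(self, query_string="", headers=None):
        self.args = {k: v[0] for k, v in parse_qs(query_string).items()}
        self.headers = headers or {}


def make_request_loader(secret: bytes, users: dict, now=None):
    """Build the callback. In a real app it is registered as
        @login_manager.request_loader
        def load_user_from_request(request): ...
    and flask-login calls it when the session holds no user, so existing
    @login_required views accept the headless client without any redirect."""

    def load_user_from_request(request):
        # Header first (no log/history exposure); query parameter as a
        # fallback for headless browsers that cannot set headers.
        token = request.headers.get("X-Render-Token") or request.args.get("token")
        if not token:
            return None
        uid = verify_render_token(secret, token, now=now)
        return users.get(uid) if uid is not None else None

    return load_user_from_request
```

Because the token is scoped to one purpose and expires in a minute, a copy that leaks from a log line cannot be replayed as a general session; a long-lived API token in a GET parameter would not have that property.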

Django, Angular, & DRF: Authentication to Django backend vs. API

I'm building an app with a Django backend, Angular frontend, and a REST API using Django REST Framework for Angular to consume. When I was still working out backend stuff with a vanilla frontend, I used the provided Django authentication to handle user auth- but now that I'm creating a REST based app, I'm not sure how to approach authentication.
Since all user data will be either retrieved or submitted via the API, should API authentication be enough? If so, do I need to remove the existing Django authentication middleware?
Right now, when I try to hit API endpoints on an early version of the app, I'm directed to what looks like the normal Django login form. If I enter a valid username and password, it doesn't work; it just prompts me to log in again. Would removing the basic Django authentication prevent this? I want to be prompted to log in; however, I'm not sure how to handle that with these technologies.
The package django-rest-auth seems useful, and the same group makes an Angular module- but the docs don't go much past installation and the provided endpoints. Ultimately, I think the core of this question is: how do I entirely switch authentication away from what's provided by Django to something like django-rest-auth or one of the other 3rd party packages recommended by DRF?
edit: I made this comment below, but I realized that I need to figure out how combined auth will work. I'm not building a single page app, so individual basic pages will be served from Django, but each page will hit various API endpoints to retrieve the data it needs. Is there a way to have something like django-rest-auth handle all authentication?
To anyone that stumbles onto this question, I couldn't figure out how to make the hybrid approach work. Having Django serve pages that each contained API calls seemed OK, but I never saw any requests made to the API- I believe due to some other security issues. I'm sure it's possible, but I decided to go for the single page app implementation after all to make things simpler.
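Added example, serving both the BrowsableAPIRenderer answer above and this Django/Angular post; it is not code from either post or from Django REST Framework itself. One helper builds the REST_FRAMEWORK setting so that the browsable API is offered only while DEBUG is on, and so that the same API accepts Django session cookies (for pages Django serves itself, CSRF-checked) and tokens (for Angular, iOS or headless clients), which is the combination a hybrid app needs. The dotted class paths are DRF's own; the helper names and the DEBUG wiring are the example's.

```python
"""REST_FRAMEWORK builder: JSON-only renderers in production, session plus
token authentication, deny by default. Example code, not DRF's."""


def rest_framework_settings(debug: bool) -> dict:
    # Production answers with JSON only; the HTML renderer (with its login
    # link and endpoint descriptions) exists only in development builds.
    renderers = ["rest_framework.renderers.JSONRenderer"]
    if debug:
        renderers.append("rest_framework.renderers.BrowsableAPIRenderer")
    return {
        "DEFAULT_RENDERER_CLASSES": renderers,
        # Order matters: DRF takes the challenge from the first class, so an
        # unauthenticated request gets 401 + "WWW-Authenticate: Token"
        # instead of a bare 403. SessionAuthentication needs Django's
        # AuthenticationMiddleware left in place (it reads request.user) and
        # enforces CSRF for cookie-authenticated writes; TokenAuthentication
        # needs 'rest_framework.authtoken' in INSTALLED_APPS.
        "DEFAULT_AUTHENTICATION_CLASSES": [
            "rest_framework.authentication.TokenAuthentication",
            "rest_framework.authentication.SessionAuthentication",
        ],
        # Deny by default; a view that must be public opts into AllowAny.
        "DEFAULT_PERMISSION_CLASSES": [
            "rest_framework.permissions.IsAuthenticated",
        ],
    }


def browsable_api_enabled(settings: dict) -> bool:
    """Startup check so the browsable API never ships with DEBUG off."""
    return ("rest_framework.renderers.BrowsableAPIRenderer"
            in settings["DEFAULT_RENDERER_CLASSES"])


# settings.py usage (DEBUG is Django's own flag):
#   REST_FRAMEWORK = rest_framework_settings(DEBUG)
#   assert DEBUG or not browsable_api_enabled(REST_FRAMEWORK)
```

With both authentication classes listed, a page served by Django can call the API with its session cookie (sending the CSRF token on writes), while the Angular or iOS client sends Authorization: Token and never sees an HTML login form.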

user system with social authentication in django

I've read about a lot of different apps for django for integrating social authentication into django projects. But I'm having some trouble understanding how this integration works.
Does it extend the default USER model? Where do I find that kind of information in the applications?
I basically need a user system that has groups (for permission purposes). The user would be able to register using a common registration process or Facebook. Will I be able to achieve that with any kind of application?
Thanks in advance.
There is an app called django-allauth. If you read their official documentation, it is pretty easy to follow. As per their instructions, you install the core app and any other authentication you need (like Facebook, or OAuth, which Google uses). Then you have to go to Facebook, get a developer key, and add it in your Django admin.
Basically, when somebody tries to log in using Facebook, the sign-in process sends the keys to Facebook and checks if the user exists. If it does, then the authentication app creates the user on the backend, just like a normal sign-in process. You can get JavaScript from Facebook to make a login window.

Implementing social login in Flask

Looking to implement social authentication in our application with LinkedIn, Google, Facebook. I'm currently using flask-security to help manage users/roles in our application. I'm looking for some guidance on best practices with Flask/Flask-Security and Social Authentication.
I've seen the flask-social plugin, but I'd like to have the option of local form-based login, too.
So far, I'm planning on writing a new login view implementation for flask-security that can determine whether I'm using a social site (via passing a query parameter when the user clicks on "login with XYZ") for the login. After social authentication occurs, I was planning on running the regular flask-security login to set all the appropriate session tokens and user and roles so the @login_required decorator will continue to work.
I didn't really see any hooks for overriding the login view function in flask-security, so I'm planning on either 1) copying the existing implementation into my own app or 2) calling flask_security_views::login.
However, I'm wondering if there's some of this that's already been implemented somewhere, or a better start. It seems like I'm really going to be cutting up a lot of existing code.
Thanks
Mark Hildreth is correct.
flask-social allows you to log in via a form (username/password) or via social.
So you can use it in conjunction with flask-security, flask-login, or whatever password-based authentication you want. I have used flask-social in conjunction with flask-security and can confirm they work quite well together.
flask-social links each User object to zero or more additional social accounts, which are stored in a separate table/datastore. Thus, it does not replace the existing password infrastructure...it just augments the User model and adds additional social methods to also allow for the user to log in alternatively via social accounts.
