We're using GAE Python and allow users to login using their existing Google accounts. The login code is straightforward:
def _require_login(self, target_url="/"):
if not self.user_bundle.user:
return self.redirect(
self.user_bundle.create_login_url(target_url),
abort=True
)
This creates a redirect to Google for the user to login, then upon successful login gets sent back to wherever they were originally trying to navigate.
The problem seems to be that if a user has more than a certain number of Google / GApps accounts logged in simultaneously (we're guessing 3 or more I can successfully reproduce it once I hit 5 accounts), they get an "Error 414" from Google:
My brief search on the error states that the URL is too long, since it's a GET request. Just about all of the advice states to use POST instead. The problem is, we're using Google's built-in create_login_url method, which, as far as I can tell, doesn't provide a way to specify POST instead of GET.
How can we fix this?
According to the Google Cloud Platform's Twitter account:
Unfortunately, only current fix is to logout of some accounts. >4 accounts logged in makes the URL too long (> 2048 bytes).
So now we're going to either make a pre-login page where it tells the user to log out of enough user accounts to meet the maximum number, or find an external library that allows us to let users log in without having to work around the limit.
Related
I am struggling to understand exactly how JWT-based authentication should be implemented in Django (I am using simplejwt). I am just a beginner, so please brace yourselves for some silly questions. The rest-framework-simplejwt documentation is very minimal and does not provide enough detail for a newbie like me.
path('token/obtain', jwt_views.TokenObtainPairView.as_view(), name='token_create'),
path('token/refresh', jwt_views.TokenRefreshView.as_view(), name='token_refresh'),
So, I've created the paths in my urls.py as suggested by the official documentation. Where do I go from here? I guess my confusion comes from the fact that I am not sure where exactly in the code I have to issue my tokens. Let's say, I am logging in the user. So, in order to obtain the token, do I have to send a request to the 'token_create' endpoint from inside my view? Or do I have to somehow indicate it in one of my serializers? What about the 'refresh_token' endpoint? Is there a specific method that I need to use?
Then, what do I do with the token once it has been issued? Clearly, I shouldn't save it in the database since it defeats the entire purpose of using JWTs in the first place. From my understanding, I should attach it to the headers so that the subsequent requests by the user contain the tokens in the headers.
The frontend will be written in ReactJS and will be on a separate server from my Django backend API, and the communication between the two will be configured through CORS.
In this case, how do I attach the token to the headers and make it so that the user's browser sends in the token with each request? Is there some sort of package that could be useful for that?
I think you just mixed everything up, I'm gonna explain everything however you may already know some stuff.
JWT simply is a way to authorize users, you usually create an endpoint to create a token for the users, this endpoint can be named login, create_token, 'generate_token', or anything! doesn't really matter!
However maybe if u use a specific library maybe it forces you to use a specific endpoint but in Flask it's really what you like.
This login (whatever you call it) endpoint will take a username and password and checks if it exists and it's correct, then generates a JWT with a library like PyJWT, You can configure the JWT to be expired in for example 20 mins or more, then you encrypt a dictionary(JSON?) which usually contains user_id which you query from the database. example of the JSON you provide to the user with:
{
"user_id": something,
"role": something,
...
}
Then it will be encrypted to a long string.
now when the user sends a request, he/she needs to have that long string as the Authorization header of the request.
In postman --> Authorizations, choose Bearer Authorization and then insert that long string.
We also give the user a refresh_token.
This is the example of the JSON you provide the user with when he/she calls the login endpoint:
{
token: some_long_string,
refresh_token: some_long_string,
}
So what is refresh Token?
it's just the token that when the main token expires instead of making the user enter username and password again, he just sends the refresh token we gave him while he called login.
One more point: This was the whole flow and logic you need to implement. Do it as you like, libraries or anything you like, doesn't really matter.
Im trying to send a simple email to do the password recover of a user, the input is just a email to send the new password..
But i can't... i get this error
SMTPServerDisconnected: please run connect() first
I already tried a few examples, like, https://bitbucket.org/andialbrecht/appengine_emailbackends/overview, but i get the same error
I really need this, maybe someone can tell me how to use an alternative to code in my view to send an email...Also i changed the backend to
EMAIL_BACKEND = 'djangoappengine.mail.EmailBackend'
but nothing,i don't know how to use this backend anyway :(
Plz Help :(
maybe someone can tell me how to use an alternative to code in my view to send an email...
I can help with this, seeing as it seems that perhaps this repository you're trying to use is based on an earlier version of App Engine and is throwing the error due to a required code change somewhere in the library - either that or the fact that you changed the string from what the library recommends (your version: 'djangoappengine.mail.EmailBackend') to a string that seems to not be correct, as it's different to what the author of the repository directed you to use (their version: 'appengine_emailbackend.EmailBackend'), and this is causing trouble.
Whenever possible, I'd recommend seeing if there is an "app-engine-y" way to do something, before going to a third-party library or deploying a module somebody else wrote to hack in third-party capabilities, or looking for an advanced/experimental feature (for example, use Datastore first, rather than remotely connecting to a MySQL VM, unless you need MySQL). If you absolutely need that library, this is a different story, but if you just want to send emails, the Mail API is what you need. It's a convenient way to send emails on App Engine.
I'm going to assume in the following that you are storing your user's usernames and hashed passwords in custom-defined User-kind entities in your Datastore. If you have your users using simple OAuth to sign into your site, there is never any reason to "reset/recover password":
Create the <form action="/some/route" action="POST"> element on
the page where the user requests password recovery.
Put the code responsible for handling this form submission (they will input their email, or whatever account info they need for your code to find their User entity in the Datastore in a handler that will respond on that route.
In the handler, generate a unique token and store it in the Datastore. Send the token in the email that you generate and send using the Mail API (see the example code in the link to the docs I provided). This will allow your user to return to your site, authenticate with the token from the email, and then fill out a form to create a new password. You will then hash this password (with a salt) and store it in their User entity in your Datastore.
I'm skipping over the details of how to implement a "password recovery form", given what I said about OAuth and that you are probably really only concerned with how to send mail. In the email you send, for example, you can insert a hyperlink to your site with the token already inserted as a query param, so that the user doesn't have to copy and paste, etc.
Does facebook allow to use one person's access token to fetch post info of another person (post comments, likes)?
I am thinking of implementing a pool of tokens in my app, so if token is broken I can use other persons token. Wondering if it's allowed and whether facebook have some restrictions on such a use case.
Additionally, I am currently using FQL, is there a difference for Graph API in how tokens work?
Short answer: It is not possible. That would be an incredibly large privacy problem anyway.
Also, for user postings you need the "read_stream" permission and you probably will not get this one approved:
This permission is reserved for apps that replicate the Facebook
client on platforms that don’t have a native client.
(https://developers.facebook.com/docs/facebook-login/permissions/v2.0)
About FQL: There is no difference, although keep in mind that FQL is deprecated and will be removed when support for v2.0 runs out. See this link for more information: https://developers.facebook.com/docs/apps/versions#versioning
(thanx to Tobi for clarification)
I'm doing some research, where I have a facebook app, that asks for some permissions on the users facebook to get some basic information.
I can see that my app has about 600 users, and I'd like to query them, to see some patterns in the users. i.e. how many friends do they have, how long messages do they post in updates etc.
My question is: Do I have to copy the data when the user first visits my app and grants access to his information, or can I query it as long as the user hasn't "removed" my app.
I hope the second option will be true, since I have a lot of considerations about "copying" user data, and storing it in a database - primarily ethical but also related to security issues, compliance, resources so on and so forth.
the programming language is not important, but if anyone needs to exemplify, lets say it's python.
NO. You don't have to copy the data.
You can query Facebook as long as you have a valid access token regardless of whether the user is online or offline.
However, the only thing you need to take care of is handling of expired access token, because in that case the user will need to re-authorize your application for you to get the access_token.
I am using django-social_auth to make users register and login via facebook. I want to access the phone number of the user.
Tried searching on google and stackoverflow , but didn't find any answer. Searched the facebook docs as well. There I found that there used to be permission for 'user_mobile_phone' but it has been removed.
It was also written than now it will be provided with basic permissions but it wasn't available(what I found).
I tried using Graph API, but was unsuccessful.
So, Someone please tell me the way ,if there is any, to get user data.
EDIT:17 June 2014 -
Is this possible now to get User's Mobile number via the Graph API ?
The API does not let you access the user's contact number. You will have to request the user's contact details manually using a form.