I am building a single page web application (angularjs + python) where a user first needs to login with a username and password. After the user gets authenticated, a new custom header with a token is created and sent everytime this application makes calls to the python api.
One thing I noticed though, is that if I refresh the page (with F5 or Ctrl+F5) then the browser loses this custom header, so it is not sent anymore to the api.
Is there a way to keep the custom headers even after a refresh of the page?
Store the token in sessionStorage or localStorage. In your application startup (config or run) look for this information and set your header.
Perhaps if your user selects "remember me" when they log-in; save the token in local storage otherwise keep it in session storage.
Related
How do apps like instagram, twitter etc. Know a user is logged on and when next the user starts the app, the user doesn't have to input their credentials all over. Is it by writing and reading from a file, if yes, doesn't it mean a user can find the file that the app reads from, alter it's content and change who's logged on to someone else without authentication
Save their token in LocalStorage for web front-end, for other platform
you can save in somewhere that can storage.
Token-Based api. (access with token with any resource)
So currently I have in place a system using Flask running on my localhost:8080 to add 1 song at a time to a public Spotify playlist. Unfortunately how I have implemented this it requires a browser to add a song. What I want to be able to do is URLLIB or possibly the REQUESTS library to do this without a browser. I have been unsuccessful in my attempts to do this bot URLLIB and REQUESTS only see the first page of my local host it is never redirected to my call back in the code that I linked below.
My Implementation
How would I go about implemented a non browser interface to add a song to a playlist? (Mind you this is python 3)
In order to add a song to a playlist, you need the playlist's owner to grant access to your application, so you will need a web interface at some point to carry out this step.
It's important that you obtain the access token using the Authorization Code Flow since that's how you will get an access token and a refresh token. Use that refresh token in your app to obtain access tokens without having the user to re-authorize your app.
So in brief:
Implement a web site that uses the Authorization Code. A user logs in and you obtain an access token and refresh token. Using the refresh token you will be able to generate access tokens without the user having to input their credentials.
Take the refresh token and include it in your script. Before making the request to add a track, obtain a fresh access token using the refresh token.
It's a bit cumbersome but that's the only way to use OAuth2 without exposing the user's username+password to an app.
Does this quick-start code handle refresh tokens? If so, where/how?
https://developers.google.com/gmail/api/quickstart/quickstart-python
I am working on a Python application that needs to have continuous/unfettered access to Gmail account emails, so I want to make sure that I am handling the scenario described on this page:
https://developers.google.com/gmail/api/auth/web-server#send_authorized_requests_and_check_for_revoked_credentials
Specifically, the "If your application requires offline access, the first time your app exchanges the authorization code, it also receives a refresh token that it uses to receive a new access token after a previous token has expired. Your application stores this refresh token (generally in a database on your server) for later use" paragraph.
It's not clear to me if/how this is handled by the quick-start code. Thanks!
I figured this out. The refresh token, if saved for offline access by the application, is used to perpetually request new access tokens (as they are short lived/expire). This quick-start code does save the refresh token in the stored credentials (the STORAGE file) and wraps the Oauth 2.0 methods that get new access tokens from the authorization server when needed.
If for some reason you need to get another refresh token, you can request one from the authorization server, after making the user to approve your application again:
From https://developers.google.com/gmail/api/auth/web-server
"Always store user refresh tokens. If your application needs a new refresh token it must sent a request with the approval_prompt query parameter set to force. This will cause the user to see a dialog to grant permission to your application again."
More info about authorization server requests:
https://developers.google.com/accounts/docs/OAuth2WebServer
Just to add,Limits apply to the number of refresh tokens that are issued per client-user combination, and per user across all clients, and these limits are different. If your application requests enough refresh tokens to go over one of the limits, older refresh tokens stop working.
I'm using GAE with python. I'm working on an application that opens specific files from drive.
When you try to open a file from drive with your application, you are redirected to a url like this one :
http://my-app.appspot.com/state=%7B%22ids%22:%5B%220B1AXKdjZqM9FZDNIZEhMZEh0YzA%22%5D,%22action%22:%22open%22,%22userId%22:%22102709420614967238115%22%7D
In my program, I need to check if the application is authorized by the user; and to do so, I need it to be redirected to the oauth2 util it's authorized and then come back to the previous url.. or at least I need to efficiently save the information:
state=%7B%22ids%22:%5B%220B1AXKdjZqM9FZDNIZEhMZEh0YzA%22%5D,%22action%22:%22open%22,%22userId%22:%22102709420614967238115%22%7D
How can I redirect the user without loosing the information from the initial request ?
You can use state parameter
state
Any string Provides any state that might be useful to your application
upon receipt of the response. The Google Authorization Server
roundtrips this parameter, so your application receives the same value
it sent. Possible uses include redirecting the user to the correct
resource in your site, nonces, and cross-site-request-forgery
mitigations.
All
In django project if 2 template windows are opened and if logout is triggered in 1 window the other window cookies are not cleared.How to delete the cookies also so that the logout will be triggered.
def logout(request):
//request = redirect('webbie.home.views.loginpage')
//request.delete_cookie('user_location')
return auth_logout(request)
Thanks..
In the cookie you should only store a session key. The server then needs to keep track of all session keys and associate expire date/time and user-account with them. For every user that logs in they should be given a new session key, though you may allow multiple logins/user-account. So when you check if the cookie is valid you need to consult your sever DB and see if you have this session key and that it's valid. If you now want to "kill" all active sessions for a user-account when one of them logs out you just need to remove all session keys form your servers session key list.
You should try to not store sensitive data in cookies, a session key is enough and then have the server associate data to this key. Now you have control of the signed in users.
More Django session info on there documentation: http://docs.djangoproject.com/en/dev/topics/http/sessions/
What do you mean exactly? You mean if you have to windows open with the same website, and you log out in one window, you are not logged out in the other window? I doubt that.
Of course you are not redirected in the other window to a certain page because you haven't done anything in this specific window. But if you click a link that is only available for logged in users, you should be redirected to a login page.
And no, you cannot detect on client side if a user logged out from another site, at least not without Ajax and some custom checks.