I have developed an API using django rest framework and have used Token based authentication, Now I have trying to use it from separate project. How I can login using userid and password and get token in response and use token in header in all next url calls.
From Shell I have checked token for one of the user and tested api from terminal and it's working like,
http://127.0.0.1:8000/corporate/company/ -H 'Authorization: Token 9f4702dfddbf89e0346b2ffd10fd69173c178273'
But how to use this token in http calls?
I have included rest_framework.authtoken in installed app and included url in urls.py as:
url(r'^api-token-auth/', 'rest_framework.authtoken.views.obtain_auth_token')
Now I have trying to get it accessed from another project, where I have made one of the login form? Now the Question is where to post form and what fields should be there in form. If I have posted form then token will be returned in response then how Can I parse and use in headers on next calls?
I have gone through tutorial and API guide but no help. On how to access api in my project while Api is ready and login is working through browser-able api url.
Django rest framerwork supports many auth options. You can use Basic Auth if you want.
If you want to use the token you will need to set an http header with the correct token for your user.
From the docs you need to set it as (replace 99... with yours)
Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b
Related
I am new to APIs and I need to be able to authenticate users using a GET request, in order to automate processes in airflow.
Is it possible to authenticate using GET request? For example:
hhtp://localhost:8000/transformar?user:password
In general, it is a very bad idea to do password authentication in a GET request. The obvious reason is that you have the username and password in the URL params (after ?).
The standard way of doing it is having a login API something like
POST http://localhost:8000/login and provide the username and password in form-data. When you authenticate the user, you can return a token. This can be an API Key of a JWT token, etc.
Now, using this token you want to send any following requests. So, in the next GET request, place this token in your header under "Authentication". Once you verify the token, you can return response data or, otherwise, raise a 403 Unauthorised error.
FastAPI provides proper documentation on how to implement this here.
I've tried to implement two ways of logging into the Django API: token-based authentication and session authentication.
Token based authentication works fine when session based authentication isn't implemented, but when I activate session based authentication, the token based authentication endpoint only returns ""CSRF Failed: CSRF token missing or incorrect".
Now, I know with session based authentication I need to set the csrf header, but is there a way to bypass this for specific endpoints, or for when a token auth header has been included in the request?
Thanks for any answers :)
I am developing a native frontend application which communicates with a backend rest api built using python django rest framework.
The rest framework uses django rest framework token authentication in which every user has an authorization token and the token will have to be attached to the header of every http request to the rest api in the form of “Authorization: Token ”.
My application provides the user with two main ways to login. The first one is to register an account with username and password. This will create a django User model object and a token will be generated. This login method works well.
The second login method is to login with the user's social account. My idea is whenever an user login with their facebook account, the app will be redirected to my website which will then redirect the user to the social media of their choice. After authorizing the social media api will redirect them to my website again which a user and a token will be created. Then my website will redirect back to my native app using a custom uri with the token attached in the uri like this:
myapp://authenticate#token=xhskscjndjnccjdsdc
The native app will then parse the uri and obtain the token.
The part that I am worried about is security. This method works but attaching a token in an uri seems a bit insecure to me. Is there any best practice that I can follow? Thanks!
I can propose you to use django-rest-auth for dealing with Authentification and Registration.
With that package/library you can use Social Authentication through Facebook, Twitter, Google or other provider.
Using allauth and django-rest-auth to create a facebook login api. I've followed the both packages documentations and using example from rest-auth doc. I've followed all the steps and I can successfully use this API from DRF browse-able API view and it is successfully performing the registration. When I try this API from somewhere else like postman it asks for CSRF token.
I tried to use csrf_exempt decorator but that doesn't seem to be effective on this url.
Here is my url config:
url(r'^rest-auth/facebook/$', csrf_exempt(FacebookLogin.as_view()), name='fb_login'),
Rest of the things are same as they mentioned in the documentation for django-rest-auth.
I can't figure out what am I missing, or where should I look for a fix. Any help to diagnose the issue would be appreciated.
TL;DR Set authentication_classes = () in your FacebookLogin view.
The login and register views are supposed to have no authentication checks. I assume you have your DRF DEFAULT_AUTHENTICATION_CLASSES set to token auth and session auth in the order. So when your request is processing the server doesn't find auth token so as a fallback it tries to do session auth which requires CSRF which inturn causes the CSRF failure.
I am making an API in Flask for a simple jQuery mobile + PhoneGap app to be packaged and downloaded. As I understand, all the calls to the database should be made with JavaScript, AJAX, and JSON. Since the app is about the user, and all of the views draw data from the logged user, I am not sure how to proceed with the authentication. As I understand, the workflow should be:
user logs in (json encoded username and password)
server generates token with expiration (i.e. 24h) for that user
this token is saved on the mobile app as a cookie or in localstorage
all of the calls to the server are done with this token which identifies the current user: /api/token=12345
when the toke expires, a new login prompt is required
I thought of implementing this with Flask-Security's authentication token. Is there a more straightforward way of accomplishing this?
Flask-JWT seems like a pretty straight-forward solution.
Then on the front end you can just add an HTTP interceptor to add X-Auth-Token to the headers or something.