Have developed a pretty decent API utilizing Django and Django Rest Framework to make my data available for consumption. Decided to build a React JS front end to be a little more dynamic than the standard Django templates. I have numerous views within DRF which work fine, I'm able to make calls against them and get or post to them no problem. Currently I'm working on implementing a login capability for the React frontend so that users will be given access to a couple of protected views and will be presented with information relevant to them.
Maybe I'm not understanding what is supposed to be happening, web development isn't exactly my area of expertise. Have referenced the Django documentation a bunch trying to understand sessions and session authentication. I have a 'login' view which is taking a username and password provided to it, searching for a related 'User' record based off of the username and attempting to leverage the django.contrib.auth login method; this all seems to be working, the user is getting authenticated. After this step, I'm pretty much completely lost as to what is supposed to happen.
In my React component, I've attempted sending the username as a 'session' attribute in the header, I've tried including the csrftoken in the headers, I've tried to just enable 'withCredentials' in the callout. Really not sure what I'm supposed to be doing here. Is my login view supposed to be returning some attribute that I would then store in the react components to include in calls to protected views?
Been stuck on this for a while and am getting lost in reading documentation.
Thanks
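With DRF's SessionAuthentication the login view does not need to return anything for React to store: `django.contrib.auth.login()` leaves a `sessionid` cookie (and Django's CSRF middleware a `csrftoken` cookie) in the browser, and the client's whole job is to send those cookies back (`credentials: 'include'` in fetch, `withCredentials: true` in axios, plus `CORS_ALLOW_CREDENTIALS = True` and an explicit origin in `CORS_ALLOWED_ORIGINS` on the Django side) and, on POST/PUT/DELETE, to copy the `csrftoken` cookie into an `X-CSRFToken` header. The following is an added example, not code from the question or from Django: a stdlib-only model of that exchange, with both sides written out so each rejected request shows which piece was missing. Every endpoint, user and credential in it is an assumption made for the demo.

```python
import hmac
import secrets
import time

# Added example, not code from the question above. A stdlib-only model of the
# handshake Django + DRF SessionAuthentication performs, written out so the
# client's obligations (send the cookies, echo the CSRF token) are visible without
# running Django. All names here are assumptions for the demo.

SESSION_TTL = 1209600  # Django's default SESSION_COOKIE_AGE: two weeks


class FakeDjangoServer:
    """Server side: session store, CSRF double-submit check, three views."""

    def __init__(self, users):
        self.users = users   # {username: password}, constructed test data only
        self.sessions = {}   # sessionid -> {"user": ..., "expires": ...}

    def _session_user(self, request):
        sess = self.sessions.get(request["cookies"].get("sessionid"))
        if not sess or sess["expires"] < time.time():
            return None
        return sess["user"]

    def _csrf_ok(self, request):
        # Django compares the csrftoken cookie with the X-CSRFToken header
        cookie = request["cookies"].get("csrftoken", "")
        header = request["headers"].get("X-CSRFToken", "")
        return bool(cookie) and hmac.compare_digest(cookie, header)

    def csrf(self, request):
        """GET /api/csrf: what @ensure_csrf_cookie does, sets the csrftoken cookie."""
        if "csrftoken" in request["cookies"]:
            return {"status": 200, "set_cookies": {}}
        return {"status": 200, "set_cookies": {"csrftoken": secrets.token_urlsafe(32)}}

    def login(self, request):
        """POST /api/login: all that login(request, user) leaves behind is a cookie,
        nothing the client has to store by hand."""
        if not self._csrf_ok(request):
            return {"status": 403, "set_cookies": {}}
        body = request["body"]
        if self.users.get(body.get("username")) != body.get("password"):
            return {"status": 400, "set_cookies": {}}
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": body["username"],
                              "expires": time.time() + SESSION_TTL}
        # Django rotates the CSRF token on login, so both cookies come back
        return {"status": 200,
                "set_cookies": {"sessionid": sid,
                                "csrftoken": secrets.token_urlsafe(32)}}

    def me(self, request):
        """GET /api/me: IsAuthenticated, read-only, so no CSRF check."""
        user = self._session_user(request)
        return {"status": 200 if user else 403, "set_cookies": {}}

    def note(self, request):
        """POST /api/notes: IsAuthenticated plus CSRF, as SessionAuthentication enforces."""
        if not self._session_user(request) or not self._csrf_ok(request):
            return {"status": 403, "set_cookies": {}}
        return {"status": 201, "set_cookies": {}}


class BrowserClient:
    """Client side: the cookie jar plus what fetch(..., {credentials: 'include'})
    and an X-CSRFToken header add to a request."""

    def __init__(self):
        self.cookies = {}

    def request(self, view, method="GET", body=None, with_credentials=True):
        req = {"method": method, "body": body or {}, "headers": {}, "cookies": {}}
        if with_credentials:
            req["cookies"] = dict(self.cookies)
            if method != "GET" and "csrftoken" in self.cookies:
                req["headers"]["X-CSRFToken"] = self.cookies["csrftoken"]
        resp = view(req)
        self.cookies.update(resp["set_cookies"])
        return resp["status"]


def demo():
    server = FakeDjangoServer({"alice": "correct horse"})  # constructed credentials
    c = BrowserClient()
    creds = {"username": "alice", "password": "correct horse"}
    results = {}
    results["anon_get"] = c.request(server.me)                              # 403
    results["login_without_csrf"] = c.request(server.login, "POST", creds)  # 403
    c.request(server.csrf)                                                  # fetch csrftoken first
    results["login"] = c.request(server.login, "POST", creds)               # 200
    results["me"] = c.request(server.me)                                    # 200
    results["post_without_credentials"] = c.request(
        server.note, "POST", {"text": "hi"}, with_credentials=False)        # 403
    results["post"] = c.request(server.note, "POST", {"text": "hi"})        # 201
    return results
```

The two 403s in `demo()` are the two failure modes described in the question: a request that never carried the session cookie, and a login or POST that did not echo the CSRF token. If the React app is served from a different origin than Django, the browser will also drop the cookies unless the CORS response allows credentials for that exact origin, and newer Django versions additionally need the front-end origin in `CSRF_TRUSTED_ORIGINS`.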
Currently I plan on using AWS Cognito to handle my authentication for users. I want to do a simple registration and login.
So far, I have created a function which calls cognito's initiate_auth method. Currently my flow works like this:
User goes to /signup
After filling the form, I create a new user in the cognito backend and send them a verification mail
User is redirected to the /login page
The login function in the backend calls initiate_auth with the username and password, and retrieves some token information like this
{'AccessToken': '***', 'ExpiresIn': 3600, 'TokenType': 'Bearer', 'RefreshToken': '***', 'IdToken': '***'}
I believe these tokens are in the JWT format. My question now is, what exactly do I do with this? I know that I need to store this data, securely, somewhere, but I'm not sure what the best practice is.
I've heard that these tokens/data need to be saved in cookies in order to access them properly, but I also heard that there are some encryption problems, which is why I was looking for a library which handles this for me. I've come across this library: https://github.com/SimpleJWT/django-rest-framework-simplejwt
However, it seems like in order to use this library, I need to be using the DRF. However, my app is currently not the server handling/issuing out the tokens - it just retrieves them from Amazon. Do I need to convert these tokens for my application in some way?
Let's say I did have to use the DRF - then do I need to wrap the token handling functionality in it? I really don't know where to go from here. I am assuming that my authentication functions should be part of an API anyway, since, if I want to expand to a mobile version of the app, I can simply call the authentication function from my API. But I suspect that this would be a different step...and maybe I can kill two birds with one stone here.
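Since the post has no answer yet, here is an added example (not code from the post, from AWS or from simplejwt) of the step that has to happen before those tokens are used for anything: verify the token's signature and claims. Cognito signs with RS256 and publishes the public keys at `https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json`, so in production the signature step is done with PyJWT or python-jose against those keys; the block below uses HS256 with a shared secret so it runs offline, but the claim checks are exactly the ones that apply to Cognito tokens: `exp`, `iss` equal to the user pool URL, `token_use` equal to `id` or `access`, and the app client id in `aud` (ID token) or `client_id` (access token). The region, pool id, client id and secret are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not from the original post or from AWS. Validates a Cognito-style
# JWT before the server trusts any claim in it. Signature check is HS256 here so the
# example is self-contained; Cognito uses RS256 with keys from its JWKS endpoint,
# and the claim checks below are the same in both cases.

REGION = "eu-west-1"                  # assumed
USER_POOL_ID = "eu-west-1_EXAMPLE"    # assumed placeholder
APP_CLIENT_ID = "1example23456789"    # assumed placeholder
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class TokenError(Exception):
    pass


def verify_cognito_jwt(token: str, key: bytes, expected_use: str, now: float = None) -> dict:
    """Return the claims if signature and Cognito claims check out, else raise."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose 'none' or another alg
        raise TokenError("unexpected alg")
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("token_use") != expected_use:
        raise TokenError("wrong token_use")
    # the ID token names the app client in 'aud', the access token in 'client_id'
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != APP_CLIENT_ID:
        raise TokenError("wrong audience")
    return claims


def make_token(claims: dict, key: bytes) -> str:
    """Test-only signer standing in for Cognito."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(mac)}"


def demo():
    key = b"constructed-demo-secret"  # constructed; stands in for the JWKS key
    now = 1_700_000_000
    base = {"iss": ISSUER, "sub": "u-1", "iat": now, "exp": now + 3600}
    id_tok = make_token({**base, "token_use": "id", "aud": APP_CLIENT_ID,
                         "email": "alice@example.com"}, key)
    access_tok = make_token({**base, "token_use": "access", "client_id": APP_CLIENT_ID}, key)
    results = {"id_ok": verify_cognito_jwt(id_tok, key, "id", now)["sub"],
               "access_ok": verify_cognito_jwt(access_tok, key, "access", now)["token_use"]}
    _, p, _ = id_tok.split(".")
    forged = make_token({**json.loads(_b64url_decode(p)), "sub": "u-2"}, b"wrong-key")
    for name, tok, use, t in [("forged", forged, "id", now),
                              ("expired", id_tok, "id", now + 7200),
                              ("access_as_id", access_tok, "id", now)]:
        try:
            verify_cognito_jwt(tok, key, use, t)
            results[name] = "accepted"
        except TokenError as e:
            results[name] = str(e)
    return results
```

On what to do with the tokens afterwards: in a server-rendered Django app there is no need to hand them to browser JavaScript at all. Once the ID token verifies, look up or create the local `User` by its `sub`, call `login()` so the browser only ever holds the HttpOnly session cookie, and keep the refresh token in the server-side session so it is never exposed to scripts. A later mobile client can talk to Cognito directly and send its access token in an `Authorization: Bearer` header, and the same verification function (with `expected_use="access"`) covers that path.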
I'm currently building an app with a python backend (django/tastypie) and a frontend built with Angular.js. I'd like to create a password reset form but I can't find a proper way to do it. It seems like the password reset view depends on Django's templates. (Doc)
I can't find a clean way to integrate Django reset method without using any of the templates (I want to use my own templates with Angular.js).
Any advice on how to tackle this problem?
It seems that this question has been unanswered for quite some time, so I don't know if you are still looking for a solution, but I came across a blog post here that provides a pretty good solution to the problem.
Essentially you need to create two api endpoints: one to initiate the password reset (send an email with a link to a reset form) and another to accept the new password.
The link in the email could be a route to a dedicated page in your angular app along with a token (something like /reset_password/:reset_token). You would strip off the token and send it back with the form data to the second endpoint.
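The two endpoints from that answer, as an added example that is not from the linked blog post, from Django or from the answer's author. The token is built the way Django's `PasswordResetTokenGenerator` builds its own: an HMAC under `SECRET_KEY` over the user id, the current password hash and a timestamp. That gives two properties for free: the token expires after a fixed window, and it stops validating the moment the password changes, so a link cannot be replayed. The secret, timeout, front-end URL and sample user are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the blog post or from Django. Models the two
# endpoints with the stdlib: the token follows the construction Django's
# PasswordResetTokenGenerator uses (HMAC over user id, current password hash and a
# timestamp), so it expires and becomes single-use once the hash changes.

SECRET_KEY = b"constructed-demo-secret"    # assumed; Django's settings.SECRET_KEY
RESET_TIMEOUT = 3 * 24 * 3600               # assumed; Django's default is 3 days
FRONTEND_URL = "https://app.example.com"    # assumed Angular app origin


def _hash_password(password: str, salt: str = None) -> str:
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()
    return f"pbkdf2_sha256${salt}${digest}"


class User:
    def __init__(self, pk, email, password):
        self.pk, self.email = pk, email
        self.password_hash = _hash_password(password)


def _reset_signature(user: User, ts: int) -> str:
    # the password hash in the MAC is what makes the token single-use: it stops
    # matching as soon as the password is changed
    msg = f"{user.pk}|{user.password_hash}|{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:40]


def make_reset_token(user: User, now: int = None) -> str:
    ts = int(time.time()) if now is None else now
    return f"{ts}-{_reset_signature(user, ts)}"


def check_reset_token(user: User, token: str, now: int = None) -> bool:
    now = int(time.time()) if now is None else now
    try:
        ts_s, sig = token.split("-", 1)
        ts = int(ts_s)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _reset_signature(user, ts)):
        return False
    return 0 <= now - ts <= RESET_TIMEOUT


class ResetAPI:
    """The two endpoints from the answer above, as plain functions."""

    def __init__(self, users):
        self.users = {u.email: u for u in users}
        self.outbox = []  # stands in for send_mail()

    def request_reset(self, email: str, now: int = None) -> dict:
        user = self.users.get(email)
        if user:  # the reply is identical either way, so it does not leak which emails exist
            link = f"{FRONTEND_URL}/reset_password/{user.pk}/{make_reset_token(user, now)}"
            self.outbox.append((email, link))
        return {"status": 200, "detail": "If that address is registered, a reset link was sent."}

    def confirm_reset(self, pk: int, token: str, new_password: str, now: int = None) -> int:
        user = next((u for u in self.users.values() if u.pk == pk), None)
        if user is None or not check_reset_token(user, token, now):
            return 400
        user.password_hash = _hash_password(new_password)
        return 200


def demo():
    api = ResetAPI([User(1, "alice@example.com", "old-pass")])  # constructed user
    now = 1_700_000_000
    api.request_reset("alice@example.com", now)
    api.request_reset("nobody@example.com", now)   # unknown address, same reply, no mail
    link = api.outbox[0][1]
    pk, token = link.rsplit("/", 2)[1:]            # what the Angular route would strip off
    return {
        "mails_sent": len(api.outbox),
        "tampered": api.confirm_reset(int(pk), token[:-1] + "x", "new-pass", now),
        "stale": api.confirm_reset(int(pk), token, "new-pass", now + RESET_TIMEOUT + 1),
        "ok": api.confirm_reset(int(pk), token, "new-pass", now + 60),
        "replay": api.confirm_reset(int(pk), token, "again", now + 120),
    }
```

The reset link in the email carries the user id alongside the token so the second endpoint knows whose password hash to recompute the MAC against; Django does the same with the `uidb64` segment. Returning the same 200 response whether or not the address exists is deliberate: a "no such account" error on the first endpoint turns it into an account-enumeration oracle.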
I'm using Django TastyPie for my API. I have a completely separate HTML application that my user views and will see basic read only info from the Django API. My question is what authentication method should I use in this situation. The HTML application is technically me, not the user, and they don't log in. The app is not Django but pure javascript, so hiding a key or anything else is pointless.
will see basic read only info from the Django API.
It sounds like you probably just want to make those bits of the API publicly available for read-only access, and then not use any authentication method.
As you say attempting to hide a key isn't a sensible way to go, and if there's no kind of user login then you can't really authenticate in any secure way.
I have a website that essentially requires that the user be logged in to see anything. If they are not logged in then they are redirected to the front page and a login form.
I currently use Django's standard authentication and test for authentication server-side before returning the page.
I now want to add Facebook login and authentication. Does this mean that I need to make a server-side call to Facebook and verify authentication every single time that a user navigates to any page? It seems that this will add quite a number of calls and potential page delays.
Or, is this not really a concern (Facebook call is fast) or is there some other clever way that I am missing? Somehow move the call client-side where I believe that Facebook uses caching?
I've looked at some of the Django/Facebook packages, but none seem to explain the overall strategy, which is what I'm looking to understand. The tutorials that I have looked at describe how to login, but don't worry about what happens once a user logs out of Facebook.
Basically, the user logs in once using Facebook (this will make a request to Facebook).
Once logged in, it will behave just as a normal Django user (most apps create a Django User for each Facebook user).
Only when the access token is expired (the "password" for using the Facebook data) will you need to make a connection to Facebook again.
I'll recommend you use Python Social Auth, which basically does everything for you.
I have created Django's registration process using django.contrib.auth and have also set up user profiles. Now I want to add an option to fetch the profile's information from third-party sites like Facebook, Twitter, and LinkedIn. I have found django-socialregistration, but I don't know how to override the default setup view. What is the best and easy solution for the task?
Here's the basic idea of the setup that I use, although it's only for Facebook:
Integrate the Facebook JavaScript SDK
Bind a JavaScript function which calls FB.login to a "login with Facebook" button, request all the permissions that you need for that user
In the function(response) section of the FB.login call, handle the returned response, then do an Ajax POST to a Django view (I use jQuery for this) which takes the response, parses it to retrieve the access token for the user and store it in the user profile object for that user.
You can then use this access_token to make Facebook Graph API requests on behalf of that user server-side, or if you want, you can actually just use the JavaScript SDK to make all your calls entirely on the client-side with lots of Ajax to interact with the Django backend.
I find this to be a much easier solution than trying to use one of the Django packages, because most of them are out of date.
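Two points from the answers above are worth seeing in code: the Ajax POST hands the Django view an access token that the client chose, so the view must confirm with Facebook that the token is valid, belongs to your app and carries the scopes you need before storing it (Facebook's `GET /debug_token?input_token=<user token>&access_token=<app id>|<app secret>` endpoint returns exactly that information); and, as the earlier answer says, once the expiry is stored locally, ordinary page views never need to contact Facebook until the token is about to run out. The following is an added example, not from either answer, from Facebook or from any Django package. The network call itself is left out; the check runs over constructed copies of the `debug_token` response, and the app id, scopes and profile fields are assumptions.

```python
import time

# Added example, not code from the answers above, from Facebook or from any Django
# package. Validates the /debug_token response for a client-supplied access token
# before the Ajax view ties it to a user profile, and keeps the expiry so later
# page views can skip Facebook. App id, scopes and the profile fields are assumed.

APP_ID = "123456789012345"                      # assumed: our own Facebook app id
REQUIRED_SCOPES = {"email", "public_profile"}   # assumed: what FB.login asked for


class TokenRejected(Exception):
    pass


def validate_debug_token(payload: dict, fb_user_id: str = None, now: float = None) -> dict:
    """Check a /debug_token response and return only the fields worth storing."""
    now = time.time() if now is None else now
    data = payload.get("data") or {}
    if "error" in data or not data.get("is_valid"):
        raise TokenRejected("token is not valid")
    if data.get("type") != "USER":
        raise TokenRejected("not a user token")
    # a token minted for somebody else's app is still a valid Facebook token, and
    # must not log anyone in here: the app_id check is the one that stops that
    if data.get("app_id") != APP_ID:
        raise TokenRejected("token issued for another app")
    if fb_user_id is not None and data.get("user_id") != fb_user_id:
        raise TokenRejected("token belongs to a different user")
    expires_at = data.get("expires_at", 0)  # 0 means a non-expiring token
    if expires_at and expires_at <= now:
        raise TokenRejected("token expired")
    missing = REQUIRED_SCOPES - set(data.get("scopes", []))
    if missing:
        raise TokenRejected(f"missing scopes: {sorted(missing)}")
    return {"user_id": data["user_id"], "expires_at": expires_at,
            "scopes": sorted(data["scopes"])}


class SocialProfile:
    """Stands in for the user-profile row the Ajax view writes to."""

    def __init__(self):
        self.fb_user_id = None
        self.access_token = None
        self.expires_at = 0


def ajax_login_view(profile: SocialProfile, posted_token: str, debug_response: dict,
                    now: float = None) -> str:
    """Model of the Django view receiving the FB.login response; debug_response is
    what the server got back from /debug_token for posted_token."""
    info = validate_debug_token(debug_response, now=now)
    profile.fb_user_id = info["user_id"]
    profile.access_token = posted_token
    profile.expires_at = info["expires_at"]
    return info["user_id"]


def needs_facebook_call(profile: SocialProfile, now: float = None, margin: int = 300) -> bool:
    """Only go back to Facebook when there is no token or it is about to expire."""
    now = time.time() if now is None else now
    if profile.access_token is None:
        return True
    return bool(profile.expires_at) and profile.expires_at - margin <= now


def demo():
    now = 1_700_000_000
    # constructed copies of what /debug_token returns
    good = {"data": {"app_id": APP_ID, "type": "USER", "application": "Demo App",
                     "user_id": "10001", "expires_at": now + 5000, "is_valid": True,
                     "scopes": ["email", "public_profile"]}}
    other_app = {"data": {**good["data"], "app_id": "999999999999999"}}
    expired = {"data": {**good["data"], "expires_at": now - 1, "is_valid": False}}
    profile = SocialProfile()
    results = {"login": ajax_login_view(profile, "constructed-token", good, now)}
    results["check_after_login"] = needs_facebook_call(profile, now + 10)
    results["check_near_expiry"] = needs_facebook_call(profile, now + 4800)
    for name, payload in [("other_app", other_app), ("expired", expired)]:
        try:
            validate_debug_token(payload, now=now)
            results[name] = "accepted"
        except TokenRejected as e:
            results[name] = str(e)
    return results
```

The `app_id` comparison is the check most often skipped: a token obtained through any other site's "login with Facebook" button is a perfectly valid Facebook token, and a view that only asks the Graph API "who is this" will happily log that user in. Pass `fb_user_id` as well when the profile already has one, so a token for a different account cannot be attached to an existing user.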