API access authentication/application key (django/nginx/gunicorn) - python

I have a web app created in django, running in the gunicorn app server behind an nginx webserver/reverse-proxy. I need an external application to access some processed data (csv/json), for which I need some sort of authentication. The basic django auth/login is not optimal, as a simple script (not created by me) needs to pull the data with a simple request, no cookies etc.
For now, I have
set up the service being available with https/tls only
created an IP-filter in django to reduce the "attack surface" with:
request.META['HTTP_X_REAL_IP']
and using nginx to forward the IP with:
proxy_set_header X-Real-IP $remote_addr;
Next I was thinking to include an application key (hash of a pw or something) which needs to be included in the request and is checked against the DB for a list of valid keys.
Is this suitable API authentication, or is there something else which can be used/recommended? Some sort of application key framework?

There are many authentication methods besides session/cookie-based ones. For your case I will suggest simple token authentication. Just save the same token in your django app and the external app, and on each request from the external app to django, send an additional header:
Authentication: Token YOUR_TOKEN_KEY
Now all you need to do in django is to fetch that token and check if it matches one saved locally.
If you want more auth options for API, check Django Rest Framework documentation.

Related

How to secure my Flask app using a certificate and MSAL?

I have a python-Flask website I've created for an employee self-service portal. I've registered it in my company's Azure AD tenant. I'm going to deploy it to a single node (it's a low-traffic site) and I want to secure it with a certificate since it will be pulling our AD credentials and Single Sign On session information.
I downloaded the sample code here: https://github.com/Azure-Samples/ms-identity-python-webapp
After a little work I managed to re-write my site using that as a guide and I can now authenticate with SSO on my laptop!
To try and deploy it to a server, I followed the guide at DigitalOcean: https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-uswgi-and-nginx-on-ubuntu-18-04
Now's the problem: How do I deploy this to a server? I need to register the new url in the authentication tab in Azure: Done. I'm using https:// and https://<myservername>/getAtoken. I need a certificate: I generated a self-signed cert and uploaded it to my Azure application.
Now the problem is: how do I get Azure to recognize my app when it's on the server? If I try to login I just get an error that: "AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ".
EDIT: I found something. In the URL when I query Azure the return URI being sent is: https://login.microsoftonline.com//oauth2/v2.0/authorize?client_id=&response_type=code&redirect_uri=http%3A%2F%2F%2FgetAtoken&scope=User.ReadBasic.All+offline_access+openid+profile&state=SpOcEwhzdGBXxMsv&code_challenge=<information I'm not sure is wise to share>.
It's sending the URL as http, not https!
To deploy to the server you need to add the certificate identity a client and give the client access to web services calls in your application. Read more about the certificate here. To get Azure to recognize your app when it’s on the server you need to first register your application in Azure AD.
The error AADSTS50011 refers to trying to sign into a SAML-based single sign-on (SSO) configured app that has been integrated with Azure Active Directory (Azure AD). You received the error AADSTS50011 when trying to sign into an application that has been set up to use Azure AD for identity management using SAML-based SSO. Learn more here.
I found my problem. In the nginx.conf file I needed to add:
proxy_set_header X-Forwarded-Proto $scheme;
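What that one nginx directive changes on the Flask side, as an added example (my code, not the poster's and not from the MSAL sample): nginx terminates TLS, so the hop to uWSGI is plain HTTP and the WSGI environ says `wsgi.url_scheme = "http"`; `url_for(..., _external=True)` builds the redirect_uri from that, which is why Azure received an http:// reply URL. The environ below is constructed; the proxy address, hostname and `/getAtoken` path are assumptions.

```python
# Constructed WSGI environ for a request that reached the app through nginx:
# nginx terminated TLS, so the app-side hop is plain HTTP and wsgi.url_scheme
# says "http"; the original scheme survives only in X-Forwarded-Proto, which
# `proxy_set_header X-Forwarded-Proto $scheme;` makes nginx send.
ENVIRON_VIA_NGINX = {
    "REMOTE_ADDR": "127.0.0.1",          # uWSGI sees nginx, not the browser
    "HTTP_HOST": "portal.example.com",   # constructed hostname
    "HTTP_X_FORWARDED_PROTO": "https",
    "wsgi.url_scheme": "http",
}

# Address nginx connects from, as seen by uWSGI (assumption: same host).
TRUSTED_PROXY = "127.0.0.1"


def apply_forwarded_proto(environ, trusted_proxy=TRUSTED_PROXY):
    """Copy X-Forwarded-Proto into wsgi.url_scheme.

    Only honoured when the peer is the trusted proxy: a client that reaches
    uWSGI directly could otherwise claim "https" for a plaintext connection
    and nothing downstream would know. Werkzeug's ProxyFix(x_proto=1) does
    the same job in a real deployment; this is a minimal re-implementation.
    """
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    if environ.get("REMOTE_ADDR") == trusted_proxy and forwarded in ("http", "https"):
        environ["wsgi.url_scheme"] = forwarded
    return environ


def redirect_uri(environ, path="/getAtoken"):
    """Build the absolute redirect_uri the app sends to Azure, the way
    url_for(..., _external=True) does: scheme from wsgi.url_scheme, host from
    the Host header. Azure compares this string with the reply URLs registered
    for the app, so the scheme has to match too."""
    return "{}://{}{}".format(environ["wsgi.url_scheme"], environ["HTTP_HOST"], path)
```

Without `apply_forwarded_proto` the environ above yields `http://portal.example.com/getAtoken`; with it, `https://...`. The `REMOTE_ADDR` check is the caveat that goes with the nginx fix: if uWSGI's port is reachable from anywhere but nginx, only the proxy's address may be allowed to set the scheme.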

server side identification using facebook acces token

I am currently developing a server in python for a mobile application integrated with facebook. The mobile application sends me the user's facebook access token. Is it safe enough to just check if this token belongs to my facebook application (app id from token matches my app id) or should I implement some more advanced form of authorization/security?
It's my first facebook integrated app, so sorry for that basic question.
You can enable App Secret Proof in the App Settings and add the appsecret_proof parameter to every call on the Server: https://developers.facebook.com/docs/graph-api/securing-requests
After that, every call has to add that parameter, and since it is generated with the App Secret (which is only used on the server), it should be pretty safe.
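Computing the `appsecret_proof` parameter, plus the server-side check the question asks about, as an added example (my code, not the answerer's). `appsecret_proof` is the hex HMAC-SHA256 of the access token keyed with the App Secret, per the Graph API "Securing Requests" page linked above; the app id, secret and the `debug_token` response below are constructed values, and the `/debug_token` response shape is the documented one.

```python
import hashlib
import hmac

# Constructed values. A real App Secret comes from the app dashboard and must
# never be shipped in the mobile client; the access token is whatever the
# client sent up.
APP_ID = "123456789012345"
APP_SECRET = "0123456789abcdef0123456789abcdef"


def appsecret_proof(access_token, app_secret=APP_SECRET):
    """appsecret_proof = hex(HMAC-SHA256(key=app_secret, msg=access_token)).

    Because only the server knows the App Secret, a token stolen from the
    device cannot be used against the Graph API on its own once the app
    has 'Require App Secret' enabled.
    """
    return hmac.new(app_secret.encode("utf-8"),
                    access_token.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def graph_params(access_token):
    """Query parameters every server-side Graph API call should carry."""
    return {"access_token": access_token,
            "appsecret_proof": appsecret_proof(access_token)}


def token_belongs_to_app(debug_data, app_id=APP_ID):
    """Validate the 'data' object from GET /debug_token?input_token=<user token>
    (called with the app access token, not the user's).

    The server asks Facebook whether the token is valid and for which app,
    instead of trusting anything the mobile client claims. Both fields must
    be present and match.
    """
    return (debug_data.get("is_valid") is True
            and str(debug_data.get("app_id", "")) == app_id
            and bool(debug_data.get("user_id")))


# Constructed example of a debug_token 'data' object for a valid token.
SAMPLE_DEBUG_DATA = {
    "app_id": "123456789012345",
    "type": "USER",
    "application": "Example App",
    "expires_at": 1700000000,
    "is_valid": True,
    "scopes": ["public_profile"],
    "user_id": "1000000000000001",
}
```

The proof is deterministic, so it can be computed once per token and cached alongside it; rotate the App Secret and every cached proof becomes invalid, which is the intended behaviour.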

Authenticate a server versus an AppEngine application

I cannot see how I could authenticate a server against GAE.
Let's say I have an application on GAE which has some data and I somehow need this data on another server.
It is easy to enable OAuth authentication on GAE, but here I cannot use this since there is no "account" bound to my server.
Plus GAE doesn't support client certificates.
I could generate a token for each server that needs to access the GAE Application, and transfer them to the server. It would then use it to access the GAE Application by adding it in the URL (using HTTPS)...
Any other idea?
That is exactly what you need to do. On the server, generate a key (you choose the length), and store it in the datastore. When the other server makes a request, use HTTPS and include the key. It's like an API key (it is actually).
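The per-client key scheme that this answer and the token answer to the Django question above both describe, as one added example (my code, not either poster's). It assumes Django-style `request.META` keys, a `Token` scheme in the `Authorization` header (the header name Django REST Framework's TokenAuthentication uses), and the nginx `X-Real-IP` setup from the first question; the key table and addresses are constructed. It deliberately reads the key from a header rather than the URL, since query strings end up in nginx access logs, and stores only a hash of each key.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the "list of valid keys" in the DB / datastore.
# Maps SHA-256(key) -> owner record. Only the digest is stored, so a dumped
# table cannot be replayed as credentials.
KEY_TABLE = {}


def _digest(key):
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_key(client_name, allowed_ips):
    """Mint a fresh 256-bit key for one calling server/script and record its hash.

    The plaintext key is returned exactly once so it can be handed to the
    client out of band; it is never stored.
    """
    key = secrets.token_urlsafe(32)
    KEY_TABLE[_digest(key)] = {"client": client_name,
                               "allowed_ips": frozenset(allowed_ips)}
    return key


def revoke_key(key):
    """Drop a key from the table; returns True if it existed."""
    return KEY_TABLE.pop(_digest(key), None) is not None


def authenticate(meta):
    """Return the client name for a valid request, else None.

    `meta` models Django's request.META. X-Real-IP is trusted because nginx
    sets it from $remote_addr on every proxied request (assumption: the app
    port is reachable only via nginx), so a request without the header did
    not come through the proxy and is rejected.
    """
    scheme, _, presented = meta.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme != "Token" or not presented:
        return None
    client_ip = meta.get("HTTP_X_REAL_IP")
    if not client_ip:
        return None

    digest = _digest(presented)
    record = None
    # Compare against every stored digest with compare_digest and without
    # breaking out early, so response time does not depend on which entry
    # matched or how much of it matched.
    for stored, candidate in KEY_TABLE.items():
        if hmac.compare_digest(stored, digest):
            record = candidate
    if record is None or client_ip not in record["allowed_ips"]:
        return None
    return record["client"]
```

A Django view would call `authenticate(request.META)` and return 401/403 on `None`; on App Engine the same table lives in the datastore keyed by the digest. Pairing the key with an address allowlist means a leaked key alone is not enough, and `revoke_key` covers the rotation the question's "list of valid keys" implies.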

api app checking user permissions via a unique identifier passed from client facing app

I have an api app that sits behind a few client facing apps. The client facing apps have users that login to them and then request resources that the client facing apps in turn request from the api app.
The api app keeps track of who is allowed certain types of resources. The client facing apps are not meant to know the details.
If I want the api app to know what client the request is for, so it can decide whether the person has permission, what should the client facing apps pass to the api app?
Should I add a unique identifier to the user model that can be used to refer to a user?
You should definitely consider the existing apps that help with making an API with access control.
This should get you started in configuring your API rather than implementing it from scratch.

Django Test Client and Subdomains

I'm trying to figure out how to make the Django test client play nice with my app that puts each user on its own subdomain, i.e. each account has account1.myapp.com, account2.myapp.com.
A user could be a member of multiple subdomains (similar to Basecamp's model), so I handle which subdomain the request is being issued against in middleware.
As I'm writing my unit tests, I realized that all requests are issued to "http://testserver" which my middleware then redirects and the subsequent 302 is not followed as it's determined to be an external request.
Anyone aware of a way to enable this with the test client? I'm currently hacking a bit in django to enable it.
in your tests, when using the client, add the HTTP_HOST parameter:
response = c.post(reverse('my-url'), data={}, HTTP_HOST='account1.myapp.com')
In your middleware you should now see the host changed!
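What the middleware receives from that `HTTP_HOST` keyword, as an added example (my code, not the answerer's or the poster's): the test client puts the value into `request.META['HTTP_HOST']`, and the subdomain middleware has to turn that into an account without trusting the header more than it should. `myapp.com`, the slug rules and the membership table are assumptions; the hosts in the usage note are constructed. Note that `ALLOWED_HOSTS` must include `.myapp.com` (or the specific hosts) in the test settings, or Django raises `DisallowedHost` before the middleware runs.

```python
import re

BASE_DOMAIN = "myapp.com"   # assumption: the apex the account subdomains hang off
# One DNS label: letters, digits, hyphens, no leading/trailing hyphen.
SLUG = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def account_from_host(host):
    """Map a Host header value to the account slug it addresses, or None.

    `host` is what request.META['HTTP_HOST'] holds, i.e. what the test
    client's HTTP_HOST keyword sets. The port is stripped, case is folded,
    and only a single label directly under BASE_DOMAIN is accepted, so
    'testserver', 'myapp.com', 'a.b.myapp.com' and 'myapp.com.evil.net'
    all map to None instead of to some account.
    """
    hostname = host.split(":", 1)[0].strip().lower().rstrip(".")
    suffix = "." + BASE_DOMAIN
    if not hostname.endswith(suffix):
        return None
    label = hostname[: -len(suffix)]
    if not SLUG.match(label):
        return None
    return label


def resolve_account(host, user_id, memberships):
    """The decision the subdomain middleware makes for one request.

    `memberships` maps account slug -> set of user ids (constructed data).
    Returns ("account", slug) when the user belongs to that account,
    ("forbidden", slug) when the subdomain exists but the user is not a
    member, and ("redirect", None) when the host names no account, which is
    the 302 the poster saw for the bare "testserver" host.
    """
    slug = account_from_host(host)
    if slug is None or slug not in memberships:
        return ("redirect", None)
    if user_id not in memberships[slug]:
        return ("forbidden", slug)
    return ("account", slug)
```

With `memberships = {"account1": {7}, "account2": {7, 9}}`, a test issuing `c.get(url, HTTP_HOST='account1.myapp.com')` as user 7 resolves to `("account", "account1")`, while the default `testserver` host resolves to `("redirect", None)`, which is exactly the redirect the test client refused to follow.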
