I am trying to make a application in django. I have an authentication api from another application. I take input from user via form and post the input to the api in json. After I get success message from api and my user is authenticated to api I want to make that user as request.user in django.
Is there any way I can do it. I am thinking of doing it in middleware in process_view. Is this right approach ? But I have no idea how to do it.
Any suggestion will be appriciated.
If you are really doing it thru Django views, you can manually login the user with:
# imports needed
from django.contrib.auth import login, logout
from django.contrib.auth.models import User
# hard way to login a user
user = User.objects.filter(username=INPUT_USERNAME).first()
user.backend = 'django.contrib.auth.backends.ModelBackend'
login(request, user)
If you need to logout:
logout(request)
Related
The Problem
I am trying to connect a superuser to the Django test client, and then access a page in the Django administration interface with a GET method. However, I get a redirect to the login page, even though the superuser is properly logged in.
The Code
def test(self) -> None:
client = Client()
user = User.objects.create(username='user', is_superuser=True)
client.force_login(user)
response = client.get(f'/admin/management/establishment/', follow=True)
print("Redirect chain\t", response.redirect_chain)
print("Request user\t", response.wsgi_request.user)
print("Is superuser\t", response.wsgi_request.user.is_superuser)
The Output
Redirect chain [('/admin/login/?next=/admin/management/establishment/', 302)]
Request user user
Is superuser True
Additional Information
Same result with a user having a password and an email
Tested on a new Django project
The Question
Do you know why I have this redirection and how I can avoid it?
Problem source
It seems that setting a user as superuser with is_superuser=True does not allow them to access the Django admin interface.
Only staffs can log in, so the is_staff=True attribute must be added to the user creation.
It's surprising that superusers are not considered staff by default.
Solution
Creating the user with the following line does not redirect to the login page:
user = User.objects.create(username='user', is_superuser=True, is_staff=True)
I am using the Django-two-factor-auth library for my sites login. Everything is working fine, however when I try to login and redirect a new user to their profile page after sign up using login(request, user) I keep getting redirected to the login page.
The login works fine when the user re-enters their new login credentials however I want to redirect the user straight to their profile page after signup instead.
I am aware Django-two-factor-auth overides Django's built in authentication (Django.contrib.auth), however I am unsure why the login() function is not marking the user as authenticated.
views.py
from django.contrib.auth import login
def signup(request):
...
user = signup_form.save()
login(request, user)
return redirect('/profile')
You can add that to your settings:
LOGIN_REDIRECT_URL = 'yourUrl' # this is the name of the url
Resolved. Turns out the 'is_active' field of the newly created user was being modified by a model signal elsewhere in my code resulting in the user being redirected to the login page.
I have created a view which allows the user to sign in.
def signin(request):
email = request.POST['username']
password = request.POST['password']
user = authenticate(request, username=email, password=password)
if user is not None:
login(request, user)
How should I verify that the user is signed in?
Is it when the user is accessing an API that requires user to be logged in first?
The documentation shows that we can use request.user.is_authenticated is True or not to verify.
However, I am not using django templates but reactJS to send POST requests.
How should I do it?
Should I include a User attribute in json body in the POST request?
It doesn't matter whether you use django template or use reactjs to send Post request. So this function will be in the views.py file, you can add the #login_required decorator for all required endpoints, django have it own authentication(by default it will associate with the User model, but you can change it)to protect the API, and you can use DRF token or JWT in your application to post to serve(check this for details:http://www.django-rest-framework.org/api-guide/authentication/)
I am using Allauth to login with twitter in my Django app.
I have a problem to logout from existing account to login with different one.
I make logout in function logout in my views.py
and within it i tried to call:
from django.contrib import auth
auth.logout(request)
but it didn't work.
I also tried to expire session using this:
request.session.set_expiry(1)
to expire the session after 1 second, but it also didn't work.
By the way I use my own signup and login (I just save mail and password)
So Any ideas?
All auth takes care of it, jut build a url to:
/accounts/logout/
No need to write your own view. If you want to know what it does you could override their view.
I am using Django 1.9.
Base on the Django documentation:
" To log a user in, from a view, use login(). It takes an HttpRequest object and a User object. login() saves the user’s ID in the session, using Django’s session framework."
So how do I retrieve the information in that session.
For example: (this is also taken from the documentation)
from django.contrib.auth import authenticate, login
def my_view(request):
username = request.POST['username']
password = request.POST['password']
user = authenticate(username=username, password=password)
if user is not None:
if user.is_active:
**login(request, user)**
# Redirect to a success page.
else:
How do I retrieve the user information such as username or if possible the password out on the success page.
P.S
If you could also kinda explain the solution in layman term as possible
EDIT
I was playing around with the framework back then. So I was testing if it can be done.
You don't get it from the session.
The authentication middleware adds the current user to the request, as request.user.
(And you definitely do not ever retrieve or display the password.)