I'm currently building an app with a python backend (django/tastypie) and a frontend built with Angular.js. I'd like to create a password reset form but I can't find a proper way to do it. It seems like the password reset view depends on Django's templates. (Doc)
I can't find a clean way to integrate Django reset method without using any of the templates (I want to use my own templates with Angular.js).
Any advice on how to tackle this problem?
It seems that this question has been unanswered for quite some time so I don't know if you are still looking for a solution but I came across a blog post here that provides a pretty good solution to the problem.
Essentially you need to create two api endpoints: one to initiate the password reset (send an email with a link to a reset form) and another to accept the new password.
The link in the email could be a route to a dedicated page in your angular app along with a token (something like /reset_password/:reset_token). You would strip off the token and send it back with the form data to the second endpoint.
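The two endpoints described above, as an added example that is not part of the original answer. It uses only the standard library so it runs without Django: the token is an HMAC over the username, an issue timestamp and the user's current password hash, so it expires after an hour and stops verifying as soon as the password is changed (single use). The in-memory USERS store, SERVER_SECRET and the SHA-256 password "hash" are constructed stand-ins; in a Django project you would use the User model, SECRET_KEY and make_password.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-in for Django's User table (assumption: one user, "alice").
USERS = {
    "alice": {"email": "alice@example.invalid",
              "password_hash": hashlib.sha256(b"old-password").hexdigest()},
}
SERVER_SECRET = secrets.token_bytes(32)   # stand-in for settings.SECRET_KEY
TOKEN_TTL_SECONDS = 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(username: str, issued_at: int) -> bytes:
    # Binding the MAC to the current password hash makes the token single-use:
    # once the password changes, every outstanding token for the user fails.
    msg = f"{username}|{issued_at}|{USERS[username]['password_hash']}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def make_reset_token(username: str, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    return ".".join([_b64(username.encode()), str(now), _b64(_signature(username, now))])


def verify_reset_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username the token belongs to, or None if invalid, expired or tampered."""
    now = int(time.time()) if now is None else now
    try:
        user_part, ts_part, sig_part = token.split(".")
        username = _unb64(user_part).decode()
        issued_at = int(ts_part)
        given_sig = _unb64(sig_part)
    except (ValueError, UnicodeDecodeError):
        return None
    if username not in USERS:
        return None
    if not 0 <= now - issued_at <= TOKEN_TTL_SECONDS:
        return None
    if not hmac.compare_digest(given_sig, _signature(username, issued_at)):
        return None
    return username


# Endpoint 1: POST /api/password_reset  {"email": ...}
def initiate_reset(email: str, now: Optional[int] = None) -> Optional[str]:
    """Return the link that would be e-mailed (the Angular route carrying the token).

    The HTTP response should be identical whether or not the address exists,
    so that the endpoint cannot be used to enumerate accounts."""
    for username, user in USERS.items():
        if user["email"] == email:
            return f"/reset_password/{make_reset_token(username, now)}"
    return None


# Endpoint 2: POST /api/password_reset/confirm  {"token": ..., "new_password": ...}
def confirm_reset(token: str, new_password: str, now: Optional[int] = None) -> bool:
    username = verify_reset_token(token, now)
    if username is None or len(new_password) < 12:
        return False
    # Stand-in for make_password(); Django would apply its configured password hasher.
    USERS[username]["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True
```

The Angular side only has to read `:reset_token` from the route and post it together with the new password to the second endpoint; the server never needs a Django template because the link points at the frontend route rather than at a Django view.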
Related
Have developed a pretty decent API utilizing Django and Django Rest Framework to make my data available for consumption. Decided to build a React JS front end to be a little more dynamic than the standard Django templates. I have numerous views within DRF which work fine, I'm able to make calls against them and get or post to them no problem. Currently I'm working on implementing a login capability for the React frontend so that users will be given access to a couple protected views and will be presented with information relevant to them.
Maybe I'm not understanding what is supposed to be happening, web development isn't exactly my area of expertise. Have referenced the Django documentation a bunch trying to understand sessions and session authentication. I have a 'login' view which is taking a username and password provided to it, searching for a related 'User' record based off of the username and attempting to leverage the django.contrib.auth login method; this all seems to be working, the user is getting authenticated. After this step, I'm pretty much completely lost as to what is supposed to happen.
In my React component, I've attempted sending the username as a 'session' attribute in the header, I've tried including the csrftoken in the headers, I've tried to just enable 'withCredentials' in the callout. Really not sure what I'm supposed to be doing here. Is my login view supposed to be returning some attribute that I would then store in the react components to include in calls to protected views?
Been stuck on this for a while and am getting lost in reading documentation.
Thanks
Currently I plan on using AWS Cognito to handle my authentication for users. I want to do a simple registration and login.
So far, I have created a function which calls cognito's initiate_auth method. Currently my flow works like this:
User goes to /signup
After filling the form, I create a new user in the cognito backend and send them a verification mail
User is redirected to the /login page
The login function in the backend calls initiate_auth with the username and password, and retrieves some token information like this
{'AccessToken': '***', 'ExpiresIn': 3600, 'TokenType': 'Bearer', 'RefreshToken': '***', 'IdToken': '***'}
I believe these tokens are in the JWT format. My question now is, what exactly do I do with this? I know that I need to store this data, securely, somewhere, but I'm not sure what the best practice is.
I've heard that these tokens/data need to be saved in cookies in order to access them properly, but I also heard that there are some encryption problems, which is why I was looking for a library which handles this for me. I've come across this library: https://github.com/SimpleJWT/django-rest-framework-simplejwt
However, it seems like in order to use this library, I need to be using the DRF. However, my app is currently not the server handling/issuing out the tokens - it just retrieves them from Amazon. Do I need to convert these tokens for my application in some way?
Let's say I did have to use the DRF - then do I need to wrap the token handling functionality in it? I really don't know where to go from here. I am assuming that my authentication functions should be part of an API anyway, since, if I want to expand to a mobile version of the app, I can simply call the authentication function from my API. But I suspect that this would be a different step...and maybe I can kill two birds with one stone here.
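An added example, not part of the original question, showing what the backend does with the returned tokens before trusting them: split the JWT, pin the signature algorithm, verify the signature, then check the issuer, the `token_use` claim, the audience and the expiry. Everything is standard library. The token here is constructed and signed with HS256 and a shared test key so the block runs offline; Cognito itself signs with RS256 and the public keys are fetched from the user pool's JWKS endpoint (from the AWS documentation, not from this page), so the signature step would use an RSA verify instead. The claim names (`iss`, `token_use`, `client_id` on access tokens, `aud` on ID tokens) are the ones Cognito issues; the issuer string and client id below are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a constructed test token. Cognito uses RS256; HS256 is used only so this runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verification: fine for inspection, never for authorization."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def validate_token(token: str, key: bytes, expected_iss: str, expected_client_id: str,
                   expected_use: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the verified claims, or None if any check fails."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        given_sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Never let the token choose its own algorithm; pin the one you expect.
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given_sig, expected_sig):
        return None
    if claims.get("iss") != expected_iss:
        return None
    if claims.get("token_use") != expected_use:
        return None
    # Cognito puts the app client id in "client_id" on access tokens and in "aud" on ID tokens.
    audience = claims.get("client_id") if expected_use == "access" else claims.get("aud")
    if audience != expected_client_id:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

On the storage question: the backend that performed `initiate_auth` can keep the tokens in its own server-side session and hand the browser only a session cookie, or set the tokens in `HttpOnly`, `Secure` cookies; either keeps them out of reach of page scripts, whereas `localStorage` does not. A mobile client would post credentials to the same endpoint and receive the same tokens, so wrapping the call in an API does serve both.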
I'm working on a question and answer system with django. My problem: I want the app to get a question from an ontology and, according to the user's answer, get the next question. How can I have all the questions and user's answers displayed? I'm new to django, I don't know if I can use session with unauthenticated user and if I need to use websocket with the django channels library.
Given that you want to work with anonymous users the simplest way to go is to add a hidden field on the page and use it to track the user progress. The field can contain a virtual session id that will point at a model record in the backend, or the entire Q/A session (ugly but fast and easy). Using REST or sockets would require a similar approach.
I can't tell from the top of my mind if you can step on top of the built in session system. It will work for registered users, but I do believe that for anonymous users it gets reset on refresh (may be wrong here).
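The "virtual session id in a hidden field" approach from the answer, as an added example that is not the answerer's code. The hidden field carries only a random, unguessable id; the answers and the current position live server side (an in-memory dict here, a model record in Django), so nothing the user can edit in the form changes another visitor's session or skips a question. The QUESTIONS graph is a constructed stand-in for the ontology: each answer maps to the next question id, and `None` ends the session.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the ontology: question id -> (text, {answer: next question id or None})
QUESTIONS = {
    "q1": ("Is the host running Linux?", {"yes": "q2", "no": "q3"}),
    "q2": ("Is SELinux in enforcing mode?", {"yes": None, "no": "q4"}),
    "q3": ("Is the built-in firewall enabled?", {"yes": None, "no": None}),
    "q4": ("Is auditd running?", {"yes": None, "no": None}),
}

# Server-side state keyed by the id that travels in the hidden form field.
SESSIONS: Dict[str, dict] = {}


def start_session() -> str:
    """Create a new anonymous session and return the id to embed in the hidden field."""
    sid = secrets.token_urlsafe(32)   # 256 bits of entropy: not guessable, not enumerable
    SESSIONS[sid] = {"current": "q1", "history": []}
    return sid


def current_question(sid: str) -> Optional[str]:
    state = SESSIONS.get(sid)
    if state is None or state["current"] is None:
        return None
    return QUESTIONS[state["current"]][0]


def submit_answer(sid: str, answer: str) -> Tuple[bool, Optional[str]]:
    """Record an answer from the posted form.

    Returns (accepted, next question text); the text is None once the path is finished.
    An unknown session id or an answer the ontology does not allow is rejected."""
    state = SESSIONS.get(sid)
    if state is None or state["current"] is None:
        return False, None
    text, transitions = QUESTIONS[state["current"]]
    if answer not in transitions:   # validate against the ontology, never trust the form blindly
        return False, text
    state["history"].append((text, answer))
    state["current"] = transitions[answer]
    return True, current_question(sid)


def transcript(sid: str) -> List[Tuple[str, str]]:
    """All questions asked so far with the user's answers, for display on the page."""
    state = SESSIONS.get(sid)
    return list(state["history"]) if state else []
```

Because the id comes back with every POST, a page refresh that re-submits the form keeps the same server-side record, which sidesteps the anonymous-session reset the answer is unsure about. A plain request/response cycle is enough here; websockets are only needed if the server must push questions without the user submitting anything.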
I'm able to create a rancher project via the rancher API using python, but can't quite figure out how to do so to add users/members...?
If you go to
https://mycluster.com/v3/users
you can add/create another user and see the api/curl request to do so.
After you create the user you also need to add a globalrolebinding so that your user can login (and do other things).
https://mycluster.com/v3/globalrolebindings
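The two calls from the answer (create the user, then give it a global role binding so it can log in) as one Python flow. This is an added example, not the answerer's code: the host `https://mycluster.com` comes from the answer, the bearer API token is a placeholder, and the request field names (`username`, `password`, `name`, `enabled`, `mustChangePassword` for users; `userId`, `globalRoleId` for the binding, with `user` as the standard global role) are my reading of the Rancher v3 API, so confirm them against the curl request your own `/v3/users` page shows. A dry-run opener is included so the sequence can be exercised offline.

```python
import json
import urllib.request
from typing import Callable, Optional

RANCHER_URL = "https://mycluster.com"                  # host from the answer
API_TOKEN = "token-xxxxx:REPLACE_WITH_YOUR_API_TOKEN"  # placeholder; create one in Rancher


def _post(path: str, body: dict, token: str, opener: Optional[Callable] = None) -> dict:
    """POST a JSON body to the Rancher v3 API and return the decoded response."""
    req = urllib.request.Request(
        f"{RANCHER_URL}{path}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
    )
    opener = opener or urllib.request.urlopen
    with opener(req) as resp:
        return json.load(resp)


def user_payload(username: str, password: str, display_name: str) -> dict:
    # Field names are assumptions from the Rancher v3 API; verify against the UI's curl output.
    return {"username": username, "password": password, "name": display_name,
            "enabled": True, "mustChangePassword": True}


def binding_payload(user_id: str, global_role_id: str = "user") -> dict:
    # "user" is the standard global role; without a binding the account cannot log in.
    return {"userId": user_id, "globalRoleId": global_role_id}


def create_user_with_login(username: str, password: str, display_name: str,
                           token: str = API_TOKEN, opener: Optional[Callable] = None) -> dict:
    user = _post("/v3/users", user_payload(username, password, display_name), token, opener)
    binding = _post("/v3/globalrolebindings", binding_payload(user["id"]), token, opener)
    return {"user_id": user["id"], "binding_id": binding["id"]}


class _CannedResponse:
    def __init__(self, body: dict):
        self._body = json.dumps(body).encode()

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class DryRunOpener:
    """Stands in for urllib.request.urlopen: records each request, returns constructed ids."""
    def __init__(self):
        self.calls = []

    def __call__(self, req: urllib.request.Request) -> _CannedResponse:
        self.calls.append((req.full_url, json.loads(req.data), req.get_header("Authorization")))
        canned = {"id": "user-constructed"} if req.full_url.endswith("/v3/users") else {"id": "grb-constructed"}
        return _CannedResponse(canned)


if __name__ == "__main__":
    dry = DryRunOpener()
    print(create_user_with_login("jdoe", "constructed-Passw0rd!", "Jane Doe", opener=dry))
    for url, body, _auth in dry.calls:
        print(url, body)
```

Drop the `opener` argument to send the real requests. Keep the API token out of source control and out of logs; the dry-run class is also a convenient place to assert that it never appears in anything you print.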
I want to make a django site which has no profile authentication or signing in. Anonymous users will be able to make a form that will be potentially open to anyone else on the site.
I'd like to do two things:
Somehow limit access to this form to certain people, without on site profiles. Maybe passwords/encryption keys distributed by email? Or secret one-time links using random URLs to make finding them/crawling them difficult, only accessible to those who know about them?
A way that the user who created the form can delete the form. Again, perhaps email a secret password upon creation to whoever created the form, which can let them delete the form?
Are there any Django plug-ins I should look into, or does anyone have tips about how I should go about this? I'm interested in the shareasecret site, and aspects of security in one time links without profile authentication, however, I'm not sure of best practices and ways to go about this sort of thing.
There is no best practice nor a plugin for this use case. It is a common-or-garden, simple use case which should not demand that much of code and logic that you look for some plugin or best practice. Just draw the picture you imagine, sit and write your code. If you have any exact problems in your code, then ask a question.
Given the specific site you're trying to recreate has an api, it would appear that the details aren't matched against the user, but the post itself. So simply make a model that has the two things that it requires
Query Params
SECRET_KEY: the unique key for this secret.
passphrase (if required): the passphrase is required only if the secret was created with one.
So either I'd suggest use the same method yourself, or just use their api.
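A model with exactly those two things, plus the deletion key the question asks for, as an added example that is not the answerer's code or the shareasecret implementation. The URL key plays the role of `SECRET_KEY` and the optional passphrase the role of `passphrase` from the API shown above. Three details matter for the "secret one-time link" to actually be secret: the key is 256 random bits (so crawling or guessing is hopeless), the store holds only hashes of the key, the passphrase and the delete key (so a database dump does not reveal the URLs or let anyone delete or unlock records), and the record is marked consumed on first reveal. The in-memory dict and the stored plaintext are constructed stand-ins; a Django model would hold the same columns, and the payload would be encrypted at rest.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SECRETS: Dict[str, dict] = {}   # constructed in-memory store; a Django model in practice
TTL_SECONDS = 7 * 24 * 3600
PBKDF2_ROUNDS = 100_000


def _key_id(key: str) -> str:
    # Look records up by a hash of the URL key, so the DB never holds the key itself.
    return hashlib.sha256(key.encode()).hexdigest()


def _slow_hash(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


def create_secret(plaintext: str, passphrase: Optional[str] = None,
                  now: Optional[int] = None) -> dict:
    """Store a secret; return the one-time URL and the delete key to e-mail the creator."""
    now = int(time.time()) if now is None else now
    key = secrets.token_urlsafe(32)          # goes in the link; unguessable, not enumerable
    delete_key = secrets.token_urlsafe(32)   # sent to the creator by e-mail, never shown on the page
    salt = secrets.token_bytes(16)
    SECRETS[_key_id(key)] = {
        "plaintext": plaintext,              # would be encrypted at rest in a real deployment
        "salt": salt,
        "passphrase_hash": _slow_hash(passphrase, salt) if passphrase else None,
        "delete_hash": hashlib.sha256(delete_key.encode()).digest(),
        "created": now,
        "consumed": False,
    }
    return {"url": f"/secret/{key}", "delete_key": delete_key}


def reveal_secret(key: str, passphrase: Optional[str] = None,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the secret exactly once; None for unknown, expired, consumed or wrong passphrase."""
    now = int(time.time()) if now is None else now
    rec = SECRETS.get(_key_id(key))
    if rec is None or rec["consumed"] or now - rec["created"] > TTL_SECONDS:
        return None
    if rec["passphrase_hash"] is not None:
        if passphrase is None or not hmac.compare_digest(
                _slow_hash(passphrase, rec["salt"]), rec["passphrase_hash"]):
            return None
    rec["consumed"] = True   # one-time link: the second request gets nothing
    return rec["plaintext"]


def delete_secret(key: str, delete_key: str) -> bool:
    """Let the creator remove the record using the delete key from the e-mail."""
    rec = SECRETS.get(_key_id(key))
    if rec is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(delete_key.encode()).digest(), rec["delete_hash"]):
        return False
    del SECRETS[_key_id(key)]
    return True
```

The same pattern covers the question's "form" case: the form record gets a random view key in its URL and a separate delete key mailed to whoever created it. Serve the reveal page with `Referrer-Policy: no-referrer` and keep the key out of server logs, since anything that leaks the URL leaks the access it grants.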