I am maintaining a web application built in python.
Access control for the app is handled at the Apache layer (using the Apache htpasswd file).
Right now, the app works the same no matter who is using it. The app doesn't even know who is logged in. But now I need to add a feature to the app that requires knowing who is logged in.
So the question is this: is there some way to access the Apache session information and see the user name of the user logged i non this session?
Of course I could completely redo the security model so that the app handles user login, but if there is any way to just access the Apache info, that will save me lots of work.
Thanks in advance!
If you are using Basic Auth, you can check the Authorization HTTP header:
>>> request.headers["Authorization"]
'Basic YWRtaW46aHVudGVyMg=='
>>> request.headers["Authorization"].partition(" ")[2].decode("base64")
'admin:hunter2'
Alternatively, you can check the REMOTE_USER environment variable (although this isn't guaranteed to be set in the same way tha the Authorization header will be):
>>> import os
>>> os.environ['REMOTE_USER']
'admin'
Related
I'm trying to make an app and I can't figure out how to sign in to a user with the python library firebase_admin. I don't have any code as of this moment. Let me know if you can help me out.
The Firebase Admin SDK is designed to be used in a trusted environment, such as your development machine, a server you control, or Cloud Functions/Cloud Run. It gets its authorization from its context or from a credentials file that you provide to it, and which gives it full, administrative access to the project. Therefor it doesn't need, and doesn't have a way, to sign in as a specific user.
If your use-case requires that you sign a user in to Firebase from your Python code, you can consider calling the REST API to authenticate. But the use-case for this would typically be to then pass the ID token you receive back to a user (similar to the use-case in creating custom tokens).
There are one project using Python Django, another stand alone project using python cgi. Both has it own user auth. module. What would be a simple way to merge user management together?
I mean signin already built in python cgi, i want to use the same signin for python django, how i can pass authenticated user_id and username from python cgi to python django.currently i am using mysql database for both application
usually in django we will passing authenticated user as follows in views.py
user = request.user
But signin is built using python cgi, how can i pass athenticated user from python cgi to python django(views.py)
Thanks
I think you can use one of the Django authentication middleware like RemoteUserMiddleware or PersistentRemoteUserMiddleware.
They are middlewarer for utilizing Web server provided authentication.
You can see Authentication using REMOTE_USER for usage details.
When the Web server takes care of authentication it typically sets the
REMOTE_USER environment variable for use in the underlying
application. In Django, REMOTE_USER is made available in the
request.META attribute. Django can be configured to make use of the
REMOTE_USER value using the RemoteUserMiddleware or
PersistentRemoteUserMiddleware, and RemoteUserBackend classes found in
django.contrib.auth.
you need to do a single sign on, take a look at this
https://github.com/namespace-ee/django-rest-framework-sso
personally i use an ldap database to store the users, everytime a user is accessing my app for the first time, a query is sent to a server where i have a rest api set up which verifies if the user logged in before, and didn't log out.
I have a site with static elements like images. I wanted to protect them (so that you cannot access them directly using a hotlink). For this purpose I used the part "Authentication with mod_wsgi" from the Django documentation:
Authentication with mod_wsgi
I don't like that fact that the user has to log in twice (one time Django auth and then Apache auth when there is an image on the page) but it's not the main issue (if you know how to handle this it would also be nice)
My main problem is that after I log out I still can access the protected image. I know that this is because the fact that Apache uses only Djangos check_password method but maybe there is a way to synchronise it?
You should take a look at Apache 'X-SENDFILE' header: https://tn123.org/mod_xsendfile/
It allow Django to check if your user can access it and if he the access is granted the static file is then served by Apache.
With this solution your user don't have to log twice and you can have any kind of control your want !
I wrote a blog post about it here with nginx, but it work the same way :)
I asked a question about the default app as it related to microservices on app engine and got a great response here, but I have another related question.
Does my default app have to be accessible via appspot.com? When I run the deploy command that's where it puts it, but I'd rather have it not accessible like that. I really just want a semi-empty (like hello world sized) app that satisfies the default app requirement.
It does seem like Google is shoehorning multi-app/microservices into an environment that was originally setup to only serve a single web facing app backed by other modules. It seems very ungraceful and hacky.
You can customize your app to perform differently based on the URL that was used.
For example, you can use domain specific routes with webapp2 or you can check the domain in your handler by checking the value of self.request.url and responding accordingly.
You could for example, have myapp.appspot.com return a 404 but have www.mydomain.com provide content to users.
It depends what you mean by "accessible".
Yes, the app will have a presence on appspot.com, in the sense that requests can make it to some instance of some version of some service inside your app, based on the Routing via URL rules, the most generic ones being:
Sends a request to the named service, version, and instance:
https://instance-dot-version-dot-service-dot-app-id.appspot.com
http://instance.version.service.my-custom-domain.com
Also, from Default service:
The default service is defined by explicitly giving a service the name
"default," or by not including the name parameter in the service's
config file. Requests that specify no service or an invalid service
are routed to the default service. You can designate a default version
for a service, when appropriate, in the Google Cloud Platform Console
versions tab.
But what your app code responds to such requests is really up to you. Nothing stops, for example, your default service handler from simply returning a 404 or your "Hello world" page, for example, if you don't want it to do anything else. As if it wouldn't be there. Yet it still serves the role of the default service.
I have a simple site made with python (django). User registers, inputs some basic info and it stores it to mysql. User then is able to log in with his username/password which he created...
Now i want to add a flex application which will run once the user is logged in, but i dont want the user to have to log in twice (once into django, once into flex app). For the sake of learning i just want the flex app to also load some information from the mysql database, like the users firstname or something.
So my question is how would i go about passing session information into the flex app? Any info or guidance, or opinion would be great.
If your Python/DJango app uses cookies for tracking sessions; then you just have to make sure that your SWF is served off the same domain that the Python app is served from.
The Flash Player will pass the appropriate cookies to the remote server whenever it makes a call to that server. As long as your "Flash Call" exists in the same Application space on the server, it should have access to the same session variables available on the server.
If you want to validate the user has logged in before loading the SWF; just make a remote call from the SWF to the server side to validate that the session exists, and the user is appropriately logged in. Don't activate any of the controls in the app until you get confirmation from the server that the user is allowed to use the app.