I'm using Django TastyPie for my API. I have a completely separate HTML application that my user views and will see basic read only info from the Django API. My question is what authentication method should I use in this situation. The HTML application is technically me not the user and they don't login. The app is not Django but pure javascript, hiding a key or anything else is pointless.
will see basic read only info from the Django API.
It sounds like you probably just want to make those bits of the API publicly available for read-only access, and then not use any authentication method.
As you say attempting to hide a key isn't a sensible way to go, and if there's no kind of user login then you can't really authenticate in any secure way.
Related
Have developed a pretty decent API utilizing Django and Django Rest Framework to make my data available for consumption. Decided to build a React JS front end to be a little more dynamic than the standard Django templates. I have numerous views within DRF which work fine, I'm able to make calls against them and get or post to them no problem. Currently I'm working on implementing a login capability for the React frontend so that users will be given access to a couple protected views and will be presented with information relevant to them.
Maybe I'm not understanding what is supposed to be happening, web development isn't exactly my area of expertise. Have referenced the Django documentation a bunch trying to understand sessions and session authentication. I have a 'login' view which is taking a username and password provided to it, searching for a related 'User' record based off of the username and attempting to leverage the django.contrib.auth login method; this all seems to be working, the user is getting authenticated. After this step, I'm pretty much completely lost as to what is supposed to happen.
In my React component, I've attempted sending the username as a 'session' attribute in the header, I've tried including the csrftoken in the headers, I've tried to just enable 'withCredentials' in the callout. Really not sure what I'm supposed to be doing here. Is my login view supposed to be returning some attribute that I would then store in the react components to include in calls to protected views?
Been stuck on this for a while and am getting lost in reading documentation.
Thanks
I have a Django project that will ultimately consist of three apps. Two of which will be "normal" Django apps, the third is a djangorestframework app. I also plan on creating a desktop client for the project at some point.
I want the rest app to be the only entity communicating with the database. Hence I use requests to communicate with the rest endpoints from the views of the "normal" Django apps and I will do the same for the desktop client. I want all apps to be accessible only for authenticated users, so I'm using Django's authentication backend.
My question is how to pass on the authenticated user/session from the pure Django apps to the rest endpoints when using requests in the views.
I managed to authenticate on the rest API using request's HTTPBasicAuth, but that requires me to have the user's password at hand in plain text. Sure, I could create a technical user to do these requests. But that would also mean that each and every request would need to go through authentication first and that doesn't feel like the best approach.
I have tried to extract the session cookie from the request object that is provided to the views and pass it on through requests.get, but did not manage to put it into the requests.get call the right way.
As of now, using requests and the established sessions looks like my best bet, especially since that will be the way the desktop client will do things, too. So I'm currently looking for the right way to provide requests.get with the session cookie, but I'm certainly open for better solutions.
You should use tokens.
Basically any kind of authentication out of your django project should be managed with secure tokens.
And yes, authentication check should happen everytime you send a request. To make it faster, you can store tokens in memory. (You can use redis or maybe even load your db on memory or ... ) but this is the right and common way to it. Even django does this check everytime using it's builtin functions.
DRF docs recommended some few packages to manage these tokens:
DRF: Third party packages
I used knox for many projects and it's pretty good.
Basically to authenticate your users over all of your projects or microservices, you have to take the token from user, set it as header or ... for your request to the main database or authentication project.
Most of the apps use token in headers which you can simply add to all of your requests calls:
Requests docs: Custom Headers
I am evaluating if Firebase authentication to see if it works well with Django/Djangae. Here comes some context
require email/password authentication, able to additional field like job title, and basic things like reset password email.
use Djanage framework (Django that uses datastore as data storage), app engine.
really good to make use built-in authentication tool provided by Django, like session, require-loggin, etc.
Drop-in authentication seems to be a candidate. Does it work with Django authentication, like permission, group, etc.
Thanks for advance.
Firebase authentication only supports login/signup, reset password or email.
but for that you need firebase admin credentials.
For other field you need local model. There is no problem with using django, but also no existing integration I'm aware of, so you'd have to hook it up yourself.
if you want auth-system like firebase and other functionality than you can use social-django-restframework. you can integrate all login system with your django app and control user with inbuilt user model.
I'm writing a Django app that uses django-allauth for Facebook integration, and uses django-tastypie for a backend for an iOS app. The iOS app will use the native Facebook iOS SDK. I'd like to be able to sign up and verify both Facebook and non-Facebook users from the iOS app, in addition to the website.
The issue is that django-allauth doesn't seem to have an API that can be accessed externally. The only clean way to plugin to allauth's functionality seems to be via Django template tags. Is there a way I can expose this functionality to be used with tastypie?
Django-allauth is all open source, so I've tried to parse through the code. My initial idea is to authenticate users on the iOS side using the native Facebook SDK, and then manually fill in information for SocialAccount, SocialToken, and add the SocialAccount to SocialApp (those are all django-allauth models). However, that seems to be quite a hacky solution. I'd love a way to cleanly create all those models given a Facebook ID, or something similar.
Update:
There's been some discussion concerning this issue on the GitHub. Basically, there's no built-in functionality yet. I'm going to whip up a custom solution that only deals with Facebook (because that's all I'm using in my application). I'll post what I did here later if it works.
Quick look into django-allauth shows that they are using SocialAccount model to hold data on specific method of authentication and type of social account.
You need to create an API endpoint based on SocialAccount model. You need to pass there variables like: account type (facebook, local, twitter etc), additional auth variables needed by social auth providers. Then, in your code you can create SocialAccount model instances, feed with data received from API endpoint call and trigger corresponding auth call via django-allauth. Finally you should return result of your auth call.
I don't see a big reason to use django-allauth for local/facebook auth only, with some small effort you can have whole range of social auth providers.
I used requests library to deal with facebook API and it works great, I think no social login plugin for Django works for others but the author, if you want to do something seriously.
PS. I used django-rest-framework to build the rest backend for mobile apps, also including local account login and social site login.
I have got an Django application that uses the RemoteUserBackend in combination with Apache and mod_auth_kerb to authenticate against Kerberos.
However, this has some drawbacks:
There is no proper logout without closing the browser tab. You may click "Logout" in your Django application, but I would expect to be asked for my credentials when I try to log in again - the latter is not the case. (Side note: It is quite possible for my application that two users want to log in one after another, which increases the lack of comfort and may be problematic when one users performs actions with the other user's rights.)
The application is currently tailored to the Apache/RemoteUser solution, so it does provide no flexibility to switch over to other authentication methods, e.g. authentication against the Django database. The possibility to use alternative authentication methods would also ease the development of the application.
That said, I would like to use a form-based authentication (username/password). This would move the control for the authentication to Django, so login/logout should work properly then. Also, this form could be used as well with different authentication backends, without a need to modify the GUI.
How can this be done? Is there already a solution to this or a project that adresses my issue? Most implementations I saw like the ones in the answers here just use Apache or an LDAP authentication, but not Kerberos.
Related, but unanswered question: Django user logout with remote authentication
Sorry this is delayed. I am the author of the above recommended Kerberos + Django post (roguelynn.com).
For your first issue, take a look at kobo: https://fedorahosted.org/kobo/ - it uses Kerberos + RemoteUserBackend + Apache with Django, but implements a logout mechanism (in kobo/django/xmlrpc/auth.py: https://git.fedorahosted.org/cgit/kobo.git/tree/kobo/django/xmlrpc/auth.py).
http://www.roguelynn.com/words/django-custom-user-models/
That blog post explains quite nicely how to use Kerberos as a Django 1.5 backend authenticator. Hot off the presses as of May 15th. She's got a bunch of nice kerberos examples.
For posterity's sake just in case the blog goes away someday, the author stores her blog posts as static files in her github repo.
https://github.com/econchick/roguelynn/blob/master/_posts/