I have two development servers written with Python/Django - one API server(it's not solely an API server; it has UI and etc.), and another one is a demo app used to serve data by communicating to the API server. I invoke the demo app with iframe in the API server. After successfully getting response from the demo app, the original user session of the API server is lost(supposed to have two sessions -- one from the user of the API server, one from communication between the demo app and the API server).
Any idea what happened?
If you are running both on the same server, the session cookie might be overwritten since they both expect a sessionid cookie. If a sessionid doesn't exist a new one is generated, so when you access the outer app, you get a sessionid cookie, and that gets passed to the iframe app which doesn't recognize it and generates a new one. Try giving each app it's own unique SESSION_COOKIE_NAME
Related
I have a Python script that should download data from a web resource using link. It so happened that resource is in Azure App Service protected by Active Directory. My user account is allowed to access the link and download data (I can do it from web browser manually, but want to automate this process). The Python script uses requests library. I can't figure out how to authenticate properly, cause when I'm trying to run the script, I get:
Error 403 - Forbidden
The web app you have attempted to reach has blocked your access.
Usual authentication with requests doesn't work (using auth parameter or session.auth or with HttpNtlmAuth).
I know one can use VS Code to authenticate to Azure and then use DefaultAzureCredential, but I can't get where you should use this DefaultAzureCredential object (cause it doesn't work with requests).
I don't need the whole Python app to be registered or somehow else recognizable by Azure resource. It's just a script to download data, that is not supposed to be productionized.
Any ideas how I can scrap the data from Azure?
Note: I'm not an admin or creator of this Azure App, so can't change any restriction settings.
In short, the part of script making request looks like:
params = {"param1": param1,
"param2": param2}
session = requests.Session()
session.auth = HttpNtlmAuth(USERNAME, PASSWORD)
url = "my-app.azurewebsites.net/the-rest-of-the-path"
response = session.get(url, params=params, verify=False)
If you want to access the Azure App Service, you have to authenticate the Azure App Service. If you don't have access for Azure App Service, we cannot access the Azure resources.
Genereally, when a web server stops you from accessing the page you're trying to open in your browser, you'll get a 403 Forbidden Error. There isn't much you can do most of the time. However, occasionally the issue is on your end.
Here are some points that can cause this error.
If you have an open public API and public access is not allowed on Azure App Service.
Your app's IP address, which you're using to call the app service, isn't whitelisted.
If you have a gateway in the middle, it's possible that it's also blocking your calls.
Here are the possible solutions that you can try:
Remove the access restrictions from your web app's Networking page.
Try adding 0.0.0.0/0 to give access to all. You can later add restrictions based on your needs.
The order of the restrictions is important, so double-check it. It may have an impact if you have a blocked call before an approved call.
You can also have restrictions based on http-headers like X-Forwarded-For. Please double-check that. This can also happen in code, depending on how you handle errors.
Protocol support for HTTP headers in Azure Front Door | Microsoft Docs
Chech this, if your API is behind the Gateway Application Gateway integration with service endpoints
I am using client side sessions. The requirement is to redirect from 1 flask server which already have a user session data to another flask app on a different server and use the same client session information to make sure the user has already logged in if not send them back to the 1st server for authentication.
If possible i would like to keep using the client side sessions. If not any information regarding the alternative will be helpful.
Thank you
Normally there is 2 options.
First, client side authentication using token like JWT (Json Web Token), this approach authenticate every request using token included in header and no need additional server.
Second, server side approach with additional session store like Redis for multiple backends.
I've developed a Python Flask Back-end app which allows me to do some HTTP requests on a Jsonfile (a sort of database) such as GET (to see a list of items) or POST (to create a new item in the Json database). Until now, I used Postman to test my app and all worked well. However, I'd like to develop a Python Flask Front-end app in order to create a graphical interface (in a web browser with jinja templates) to do the same requests. The problem is, I don't know how to begin my new app, I've googled all my questions but found no answer...
How can we "link" front-end and back-end apps in order to get the information from the web brower, make the requests via the back-end and then send the response with the front-end?
Using RESTful API.
A infrastructure solution could be (a classic one):
Your app server listening on 5000. It uses the REST architectural.
Your frontend server listening on 80/443. It makes requests to your app server to get the data and fill your html template with this data. The requests can be made with a library like requests. The requests library is one of the simpliest but you can choose another one to make HTTP requests.
Workflow:
Client <-HTTP requests-> Frontend <-HTTP requests made with requests->
App Server <--> Database
Advantage:
One of the advantage of this architecture: you can easily duplicate your servers or having multiple app servers responsible of different tasks. They can be running on the same machine or separated machines.
Serving static files:
If you are talking about serving static files for the frontend, then you should use an existing Webserver like Nginx (html/css/js files).
I've created a shopping site with a backend and a frontend.
The backend is python (3.6.5) with Flask.
I want to deploy my site to Google App Engine (gae).
When in development, everything works fine.
When deployed (in production) each rpc gets it's own 'thread' and everything is a mess.
I tried slapping gunicorn on it with sync and gevent worker class, but to no avail.
In deployment, how can I make each connection/session remember it's own 'instance of the backend'?
-instead of gae/flask/gunicorn serving a new instance of the backend for each request?
I need each user connection to be consistent and 'its own'/'private'.
It's not possible to do this. App Engine will spread the request load to your application across all instances, regardless of which one previously handled a request from a specific IP. A specific instance may also come online or go offline due to load or underlying changes to App Engine (e.g., a data center needs maintenance).
If you need to maintain session state between multiple requests to your app, you have a couple options depending on the architecture:
Keep session state in cookies with Flask.session
Keep session state in storage with Memorystore
I cannot see how I could authenticate a server with vs GAE.
Let's say I have an application on GAE which have some data and I somehow need this data on another server.
It is easy to enable OAuth authentication on GAE but here I cannt use this since there is no "account" binded to my server.
Plus GAE doesn't support client certificate.
I could generate a token for each server that needs to access the GAE Application, and transfe them on the server. It would then use it to access the GAE Application by adding it in the URL (using HTTPS)...
Any other idea?
That is exactly what you need to do. On the server, generate a key (you choose the length), and store it in the datastore. When the other server makes a request, use HTTPS and include the key. Its like an API key (it is actually).