I have created Django's registration process using django.contrib.auth and have also set up user profiles. Now I want to add an option to fetch the profile's information from third-party sites like Facebook, Twitter, and LinkedIn. I have found django-socialregistration, but I don't know how to override the default setup view. What is the best and easy solution for the task?
Here's the basic idea of the setup that I use, although it's only for Facebook:
Integrate the Facebook JavaScript SDK
Bind a JavaScript function which calls FB.login to a "login with Facebook" button, request all the permissions that you need for that user
In the function(response) section of the FB.login call, handle the returned response, then do an Ajax POST to a Django view (I use jQuery for this) which takes the response, parses it to retrieve the access token for the user and store it in the user profile object for that user.
You can then use this access_token to make Facebook Graph API requests on behalf of that user server-side, or if you want, you can actually just use the JavaScript SDK to make all your calls entirely on the client-side with lots of Ajax to interact with the Django backend.
I find this to be a much easier solution than trying to use one of the Django packages, because most of them are out of date.
My question may sound stupid, but I just want to know if it is possible to browse web pages that need authentication after doing the authentication with the Python requests library.
I have a script to log in to the application, which successfully authenticates the user into the application, but is there a way to reflect that in a browser like Chrome, so that the user could directly access the authenticated page without having to fill in the form and log in? It's happening inside my application, so I'm not breaching any privacy policy or such things.
Any suggestions would be great.
For example, if I authenticated myself at http://example.com/login through the script, I want to be able to directly browse http://example.com/user/home in the browser. How could this be possible?
The simplest way is to have your Python application log in to the web application, and then have it request a token. Then the script will open the browser, passing along the token. Your web application takes that token and uses it in lieu of the login form to authenticate your user and create their session.
Take a look at OAuth, I think it has specific workflows for this kind of scenario. Otherwise you can craft your own.
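One way to implement the token handoff this answer describes, as an added example that is not code from the original post: the web app mints a short-lived, single-use token after the script has logged in, and redeems it exactly once when the browser arrives with it. The in-memory store, the 60-second lifetime and the /login/handoff path are assumptions.

```python
import secrets
import time

# Hypothetical in-memory store: token -> (username, expiry). A real deployment
# would keep this in the same datastore the web app uses for its sessions.
_HANDOFF_TOKENS = {}
HANDOFF_TTL_SECONDS = 60  # only has to survive one redirect, so keep it short


def issue_handoff_token(username, now=None):
    """Called by the web app once the script has authenticated.
    Returns an unguessable token bound to that user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    _HANDOFF_TOKENS[token] = (username, now + HANDOFF_TTL_SECONDS)
    return token


def redeem_handoff_token(token, now=None):
    """Called by the web app when the browser arrives with ?token=...
    Returns the username to start a session for, or None if the token is
    unknown, expired or already used. The token is removed either way, so a
    replayed URL (browser history, proxy log) cannot log in a second time."""
    now = time.time() if now is None else now
    entry = _HANDOFF_TOKENS.pop(token, None)
    if entry is None:
        return None
    username, expires_at = entry
    if now > expires_at:
        return None
    return username


def browser_login_url(base_url, token):
    """URL the script hands to the browser (e.g. via webbrowser.open)."""
    return "%s/login/handoff?token=%s" % (base_url.rstrip("/"), token)
```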
How would you generate a token with django-rest-framework-jwt and pass it to a template that can store the token in localstorage, when signing in with allauth?
I know django-rest-framework-jwt lets you generate tokens via POST:
$ curl -X POST -d "username=admin&password=abc123" http://localhost:8000/api-token-auth/
But how would you implement this in the login/signup flow of allauth?
(I have not used JWT but I don't believe there is anything special about JWT compared to regular tokens, other than the extra security and more importantly, not having to keep a database table of tokens. So, my answer is for regular tokens, assuming/hoping you can adjust to JWT)
I am assuming you are trying to write a stand-alone client, in which case the problem is that django-allauth is not really intended for use with clients/APIs, so a lot of the magic cannot be used through an API. See this somewhat old issue, which I believe is still valid: 3rd party REST/JSON APIs.
If you scroll to the end, you will see somebody recommending the use of django-rest-auth to handle the social login for the API, while keeping the main django-allauth handling the native Django website side of things.
I have not yet used them both together (I am currently not supporting social login on the API side, so haven't had to deal with it).
This post shows an excellent example for developing an Angular Client using django-rest-framework. You will see how it creates its own APIs to registering and logging in. You should be able to replace that part with django-rest-auth, but the point is that django-allauth won't really play a big role on anything that comes via the API (unfortunately).
Finally, you may also want to check my own implementation here. Look at the 'authentication' app, and look at the tests for how it is used, which is my version of link 3.
allauth is basically for multi-page apps; for API login I recommend relying on rest_auth (Rest Auth Docs).
It has built-in login/register etc. built on top of allauth, but for single-page apps.
Then update settings to:

    REST_USE_JWT = True

    REST_FRAMEWORK = {
        'DEFAULT_AUTHENTICATION_CLASSES': [
            'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
            'rest_framework.authentication.BasicAuthentication',
        ],
    }

Now you should receive a JWT token in response to login calls.
I'm using Django TastyPie for my API. I have a completely separate HTML application that my user views and will see basic read only info from the Django API. My question is what authentication method should I use in this situation. The HTML application is technically me not the user and they don't login. The app is not Django but pure javascript, hiding a key or anything else is pointless.
will see basic read only info from the Django API.
It sounds like you probably just want to make those bits of the API publicly available for read-only access, and then not use any authentication method.
As you say attempting to hide a key isn't a sensible way to go, and if there's no kind of user login then you can't really authenticate in any secure way.
I have a website that essentially requires that the user be logged in to see anything. If they are not logged in then they are redirected to the front page and a login form.
I currently use Django's standard authentication and test for authentication server-side before returning the page.
I now want to add Facebook login and authentication. Does this mean that I need to make a server-side call to Facebook and verify authentication every single time that a user navigates to any page? It seems that this will add quite a number of calls and potential page delays.
Or, is this not really a concern (Facebook call is fast) or is there some other clever way that I am missing? Somehow move the call client-side where I believe that Facebook uses caching?
I've looked at some of the Django/Facebook packages, but none seem to explain the overall strategy, which is what I'm looking to understand. The tutorials that I have looked at describe how to log in, but don't worry about what happens once a user logs out of Facebook.
Basically, the user logs in once using Facebook (this will make a request to Facebook).
Once logged in, it will behave just like a normal Django user (most apps create a Django User for each Facebook user).
Only when the access token has expired (the "password" for using the Facebook data) will you need to make a connection to Facebook again.
I'll recommend you use Python Social Auth, which basically does everything for you.
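Added example, not code from either answer, serving both the Facebook answer at the top of the page (the Django view that parses the Ajax-posted FB.login response and stores the token in the profile) and this one (only contact Facebook again once the stored token has expired). The field names are those the JavaScript SDK passes to the FB.login callback; the sample payload is constructed, and the token arrives from the client, so a real view should still confirm it with a server-side Graph API call before binding the user ID to a Django user (that call is left out here).

```python
import time


def parse_fb_login_response(payload, now=None):
    """Extract what the Django view should persist from the object the
    JavaScript SDK hands to the FB.login callback (posted back via Ajax).
    Returns None unless the user actually granted access."""
    now = time.time() if now is None else now
    if not isinstance(payload, dict) or payload.get("status") != "connected":
        return None
    auth = payload.get("authResponse") or {}
    token = auth.get("accessToken")
    user_id = auth.get("userID")
    if not token or not user_id:
        return None
    try:
        expires_in = int(auth.get("expiresIn", 0))
    except (TypeError, ValueError):
        return None
    return {
        "facebook_id": str(user_id),
        "access_token": token,
        # Store the absolute expiry so later page views can check it locally
        # instead of asking Facebook on every request.
        "token_expires_at": now + expires_in,
    }


def needs_facebook_roundtrip(profile, now=None, margin=60):
    """True when the stored token is missing or within `margin` seconds of
    expiring; only then does a page view have to talk to Facebook again."""
    now = time.time() if now is None else now
    if not profile.get("access_token"):
        return True
    return now + margin >= profile.get("token_expires_at", 0)


# Constructed sample of an FB.login callback response (not a real token)
SAMPLE_RESPONSE = {
    "status": "connected",
    "authResponse": {
        "accessToken": "EXAMPLE_TOKEN_NOT_REAL",
        "expiresIn": 5183999,
        "signedRequest": "EXAMPLE_SIGNED_REQUEST",
        "userID": "1234567890",
    },
}
```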
I'm building a site on Google App Engine, running python and Django non-rel. Everything is working great for HTML and posting/reading data. But as I'm moving forward I'd like to do many of the updates with AJAX, and eventually also over mobile devices like Android and iPhone.
My pages use django non-rel and my login/logout authentication works great for the HTML. But update information sent over JSON would have to be authenticated so that the user can make the changes. I see how doing authentication for just AJAX calls wouldn't be too difficult since you're still hitting the website, but what about when throwing in mobile phone authentication?
So I'm new to this, where do I start?
How can I set up services on gae so I can do authenticated CRUD operations? Ideally I'd like to use the exact same REST services for ajax, android, etc.
Python makes this pretty easy, you can just create a decorator method of checking the auth and add the decorator to any method requiring auth credentials.
    from functools import wraps
    from google.appengine.api import users

    def admin(handler_method):
        """
        This decorator requires admin, 403 if not.
        """
        @wraps(handler_method)  # keep the wrapped handler's name and docstring
        def auth_required(self, *args, **kwargs):
            if users.is_current_user_admin():
                return handler_method(self, *args, **kwargs)
            else:
                self.error(403)
        return auth_required

    ...

        @admin
        def crudmethod_update(self, *args, **kwargs):
            ...
Mind you, this assumes a few things about how you are grabbing user data and such, but the principle is the same with any setup. The notion you may be laboring under is that ajax calls are handled somehow differently on the server, but just like any restful method you are really getting the same headers. If you can check the authentication on the standard html request you can quite literally hijack the form submission with an ajax request and get the same result back. You may want to get JSON back instead or a smaller piece of HTML and for that you want to either:
Add something you can check in the request to know that it is an ajax request and adjust accordingly.
Implement an RPC Model for handling ajax requests specifically.
For actually handling authentication you can use the google.appengine.ext users library and ride on the google accounts auth or you can write your own. Writing your own of course means implementing a session mechanism (for retaining state across the user session) and storing the passwords in a hashed and salted state for verification.
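For the "write your own" branch of this answer, here is an added example (not code from the answer) of the hashed-and-salted password storage it mentions: a per-password random salt, PBKDF2-HMAC-SHA256 from the standard library, constant-time comparison, and a check that flags records that fall below the current iteration policy. The record format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Policy for new hashes; raise it over time and let needs_rehash() flag old records.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash'.
    A fresh random 16-byte salt per password defeats precomputed tables."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def _parse_record(record):
    """Split a stored record into (iterations, salt, digest), or None if malformed."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return None
        return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except (ValueError, AttributeError):
        return None


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed records verify as False instead of raising."""
    parsed = _parse_record(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=PBKDF2_ITERATIONS):
    """True if the record is malformed or weaker than current policy. Call it
    right after a successful login, while the plaintext is available to rehash."""
    parsed = _parse_record(record)
    return parsed is None or parsed[0] < iterations
```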