Django Frontend Autho key and refresh key - django

I would like to separate my Django frontend and backend. Literally creating 2 Django servers.
What is the best way to store auth access-token and refresh-token on frontend?
What is the best way to validate auth when API is called?
Thanks!

Read about storing jwt on frontend here :
Should JWT be stored in localStorage or cookie?
Basically, there can be two ways, either storing it in localstorage or HTTP Cookie. Read about pros and cons of both approach and decide what suits you best.
In API, it's best to pass access token in header of request and validating the same using a Django Middleware. Send a refresh request from your frontend if the reponse returns an Unauthorized error and error message something like "Token Expired", which will be created by you on the backend. See this package for more :
https://django-rest-framework-simplejwt.readthedocs.io/en/latest/

Related

Is it secure to create API in Django without Rest Framework?

I've created an app in my Django project which works the same as API.
But for post requests, logins I'm doing something like this.
request "GET"(URL: example.com/api/get) this returns a csrftoken which is then used by my applications as a cookie.
request "POST"(URL: example.com/api/login), Here the frontend application logs in the user. The csrftoken from example.com/api/get is used in cookies and the same is used as csrfmiddlewaretoken in post data.
My question here is, it is secure to create an API like this and use it instead of Django RestFramework.
Any suggestion will be appreciated.THANK YOU

Django DRF with React: How to obtain CSRF cookie?

I have a React frontend running at frontend.example.com and a Django backend with DRF running at backend.example.com. I am using Django Session Authentication and I want to properly implement CSRF protection.
Taking the React login page frontend.example.com/login as an example. It's the first time for a user to visit the page. There is a form with a user and password and on submit a new POST request is created to the Django backend. To the best of my knowledge, the CSRF token cookie should already be included in this request, right?
How to obtain that CSRF token from the Django backend? I am thinking of doing a GET request to the Django backend on loading the login-page to obtain that CSRF token cookie. Is that the way to do it or is there any other best practice?
Django has a section for AJAX request and how to handle CSRF: AJAX
Using this method you should send the token over and over again for each post request. The other method is using CORS. in this method, you only respond to the domains that you already whitelisted with headers that are whitelisted as well. So, instead of getting and passing CSRF token, you check if the request is coming from the right domain and then you can respond to it. And combining with a token system for user authentication, you should be good.
You can use this package for handling CORS if you use DRF: django-cors-headers
Using rate limiting can also help you avoid spams and robots to do noticeable harm.

How do I send csrftoken from Django Rest Framework backend to React Native front-end?

I am building an application after finishing up my website. Now, the backend for both of these should be common, but Django's csrf token is meant to be a security against this. Since I am not using a web browser, I am unable to get a csrf token cookie. At the same time, django will need it to access its APIs.
Is there any way I can get the cookie from Django and get it into React Native?
Not clear what you want to do. But if you are writing a native application, why don't you use a token identification mechanism?
There are lots of simple (and less simple solutions out there).
Assuming you are using django rest framework.
Simple built-in Token authentication
https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
Token, but with expiry and DB encryption
https://github.com/James1345/django-rest-knox
JWT
https://github.com/davesque/django-rest-framework-simplejwt
May I know your login URL? Use rest-auth login URL. Allauth URL gives Csrf issue.

Secure authentication between ReactJS and Django

Been reading and watching quite a bit, and asking a lot of questions regarding ReactJS and Django.
This particularly helped me to understand the the flow of data from Django REST Framework to ReactJS and from ReactJS to Django REST Framework.
Django Forms and Authentication with Front-end Framework (AngularJS/ReactJS)
However, the one thing I am trying to understand is authentication to the Django REST Framework. I understand from the documentation that it has built in authentication. Since this is sensitive data, I would obviously want it protected people retrieving it just by going to http://www.my_site.com/info/api.
I would need to setup ReactJS to be the only thing that can request data from the API whether that is through a key or username/password credentials. I am just curious how this is handled? Obviously I don't want that hard coded in ReactJS because it will compile with the rest of ReactJS.
Here's how I'd approach it: I'd use a JSON Web Token (JWT) for authentication and authorization.
You'd use your back-end to protect ALL API requests from invalid JWT's except for routes where a user won't have a token (ie, registration/log-in pages).
Here's how the flow of the application will go:
A new user registers to your app with standard credentials such as email and password.
Your back-end will create a new user, sign a new JWT token (usually with the user's ID). You'll probably use a third-party library to sign/verify tokens (I don't have experience in the Django community but I am sure a quick Google search will give you answers). Your back-end will send back this token. This is the only time the back-end will receive email, passwords or any other sensitive information on registration.
From this point on React will only use this token for authorization. React will save this token somewhere (ie, localStorage) and send this token along with the other parts of a request to the API routes you created with your back-end. You'll send this token in the authorization headers in the request.
Your back-end will validate this token using a third-party library. If it's invalid the request stops and an unauthorized error is returned. If it's valid the request continues.
This achieves the following:
Your API routes are protected against unauthenticated users
Each request to your API is verified for authorized users which protects anyone from requesting any part of your API.
You can further solidify this by only allowing requests for users to modify their own data. For example, protect Suzy's profile from being modified by people other than herself by only allowing her token with her ID to modify her account/data.
Important Note- Your backend will never save these tokens in storage. It will verify the token on each request. Read more about JSON Web Tokens (JWT) and how it works.
Django Rest Framework has built-in token authentication and a third party package for JWT Token Auth.
If you the standard token auth would work for you, then it could be pretty simple with drf-redux-auth. If you need JWT for some reason, as suggested by Keith above, you could easily fork the above...

Oauth2 workflow of creating and returning access tokens (using Django)

After reading a lot about Oauth2.0, I am still confused regarding following points:
When to create access token? When a user tries to log in or when a user tries to register? Is this token to be sent in HTTP response after logging in?
The client has to store access token somewhere so that it can be sent in every HTTP request by the client. Where should it store it?
Note: I am not doing any third party authentication, just authentication for my own app. I am using Django as the web framework, Django-tastypie for REST API and Django-oauth-provider for Oauth. I followed this excellent tutorial but still have certain doubts. It will be appreciated if the answer is given in the context of these frameworks.