IS there any way to disable DJANGO ALLOWED_HOST check on particular API URL,
We want to allow API requests from list of websites(HOSTS), but there is RFID reader machine which will also be writing data on our DJANGO server using REST API and we want to make only that particular REST API URL public and other REST APIs should be allowed as ALLOWED_HOST check of DJANGO.
Related
I've deployed a Django API powered with Django Rest Framework with some open endpoints and some Authenticated endpoints using Token authentication.
Which is the best way to protect the entry API allowing only to send request from the app frontend team?
I was thinking to use an Nginx basic auth, but then the Authorization header is duplicated, so Token auth is not working.
You could filter the access in your API by filtering the IP address in case that the frontend team uses a static one (e.g. ALLOWED HOSTS).
Moreover, you could add the users of the frontend team in a specific group or provided the same role and filter the access by implementing a reusable custom DRF permission.
An other option could be the usage of a custom HTTP header or an API key (e.g. X-API-KEY header).
I am new to Django Rest Framework. My API is used in 2 ways:
I have a React frontend
As a normal REST API returning JSON
However, I don't want the endpoints called for my frontend to be able to be called in the normal REST API. Specifically, I want those endpoints to only be able to be reached when called from my frontend React app. How can I do this? Thanks!
I am not mistaken you are asking for host restrictions means your endpoint can only be called from a specific host than do just add your host cors whitelist. You can configure it using django cors header package
I will roughly describe the problem:
I have a React.js application, which authenticates using IDAM and receives a token. I can use this token to make requests to the backend API. Everything is fine regarding the interaction React.js <-> API.
Now I need to redirect to a Django application from the React.js application. I already have the authentication token, and I want to pass it to the Django application. I was thinking about putting the authentication header when doing window.open to open the Django url, but I realize that it is not possible to put headers with window.open.
How can I pass the authentication headers when opening a new url?
NOTE
The API and the Django application are not related (they are different applications).
The API is a REST API (implementation irrelevant), used by the React.js frontend to request data.
The Django application is "normal" Django application (no DRF), unrelated to both the API and the React.js frontend
I recommend using REST API or Graphql, then consume the APIs from React. The POST, GET, DELETE, etc methods must send X-Token header with the http call. The backend must verify the token, if token is valid, and role has the required privileges, then your backend serves the API.
I have a difficulty to understand how to connect my Angular front-end with the Django Rest API backend.
In the front-end I like to get read-only data from the API nonetheless the user is logged in or not.
Both front-end and back-end run on the same server and Django Rest has:
ALLOWED_HOSTS = ['127.0.0.1']
Do I have to authenticate the front-end app to the API?
If so how do I keep my credentials secure?
Or do I have to mark certain endpoints as unauthorized read only?
everyone.
I have a problem securing my REST web service. It's part of Java EE web application. To secure the pages I used login-config tag and set up "FORM" authentication. Now I don't know how to secure web services, because "FORM" is not appropriate for it and I can't have two login-config tags for app. I considered splitting into 2 apps, but don't think it's a good idea. Any suggestions?
This has info on how to create secured web services using NetBeans: http://netbeans.org/kb/docs/websvc/wsit.html
Many web service providers use an api key to authenticate access to the service. You may want to consider doing something similar for your service.
It is pretty common for the REST API to have a separate subpath - that way you can specify the auth constraint just to the URL's specific to your application and for the URI's corresponding to your REST API implement authentication using jersey OAuth filter or something else.
In case your app is all written in Jersey and you would like to expose exactly the same URI's for REST clients as well as browser (and differentiate just based on the requested media type), you can have a "login" URL (for displaying a login page) and only that you could protect using FORM authentication. Then again you would add Jersey OAuth filter (or other auth filter) which would not kick in unless there is OAuth header in the request, and another filter where you would check if ContainerRequest.getUserPrincipal() is null. If it is null, you could return Response.seeOther(UriBuilder.fromPath("/login").queryParam("redirect", request.getAbsolutePath()).build()).build() - that will redirect to the login (for oauth this would not kick in, since either the oauth request would succeed, or the previous filter would fail and return Unauthorized or Bad Request status codes). In the login resource you can use the redirect query parameter to redirect back to the original page once successfully logged in.