My sites architecture. Both components are hosted on AWS via elasticbeanstalk.
Frontend: React gets data via API Endpoints served from backend
Backend: Django REST Framework
I want to restrict api access such that:
only the frontend can grab data from the REST API, some data is public to anyone on the site, some only accessible to signed in users
whitelisted developers can access data from the REST API such that they can develop the frontend display of that data
No other machine, site, service, person, alien can access the REST API unless we know about it!
Willing to research and learn required to implement a solution like this, just would like to have some guidance as I am a young Padawan.
Related
(Disclaimer : I'm just getting started with Django, and with web dev in general)
I have a backend app that stores different kinds of resources. Some are public and some are private. The application is accessible only to identified users. A GraphQL API allows me to access the resources.
On another server, I'd like to create a website that will be accessible to everyone. I want to use Django to create it.
The website will display a list of resources tagged as "public" in the backend app, with a pagination system and, say, 20 resources by page. The CSS will differ from the backend app and there will be a search section.
From what I understand, I should be able to retrieve the data through the GraphQL API, but I'm a bit confused here. All the documentation and tutos I can find about Django and GraphQL seem to be about setting up a GraphQL API server with Django. All I want to do is to build custom queries and to display them on my different html pages.
How can I do that? Where should I start?
You should connect your project with a GraphQL client. As per my research, I have found that there are implementations and examples for graphene-mongoengine in Flask (Flask has a direct GraphQL client).
Mongoengine Flask with GraphQL Tutorial
For Django you can check this out
Edit- I was able to get the data from my database with python-graphql-client. Now I am able to display them in my template.
Let me know if this helps
I am developing Django(Server) with React(Web Client).
And I want to use facebook social login.
I knew that client is public client, server is confidential. So I want to use authentication code grant way for authenticating user.
So I find out the way but there is no way to implement that. All the python oauth2 library limplements is just for django server side rendering.(Django Server + Web client).
So I confused about I am wrong or just the others just did not make the grant way.
When you use DRF(Server API) + React(public Web Client),
how do you implement for OAuth2 social login?
I wonder that. please give me some advise to me.
Thanks.
Let's start from basics, people usually split frontend and backend to improve the production speed as frontend and backend can be developed by two separate teams. But in order for the frontend and backend to work together, there needs to be a connection interface, an API.
React is a frontend that runs in the browser, so in order to talk to the server, it uses a REST protocol.
As the backend in this scenario is Django we use DRF as React uses REST API. DRF provides easy flexible pre-built packages to carry out this communication job between server and client.
Now the authenticator for web login you choose to be Facebook hence you will get the identity token from facebook, which will correspond to the rows in the Django User table which will give you access to the user's data in Django.
You don't need to do everything at once, you need to first implement the Facebook social auth and after test(test using postman app) only think about connecting React
A good place to start is this DRF documentation, look into Social OAuth2
https://www.django-rest-framework.org/api-guide/authentication/#django-oauth-toolkit
I have several websites (SPAs), each one running on it's own domain. All these SPAs use the same API, which is hosted on another domain.
I'd like to implement reCaptcha v3 on my SPAs, but I'm not really sure how exactly the entire validation process would work.
Who would be in charge of receiving the callback from Google's service? If the backend, how does the frontend validate itself to the backend?
The SPAs are made with Vue and the backend is a Django app with Django Rest Framework. The backend is stateless, so there are no cookies.
I'm building a website using service-oriented architecture (SOA) principles. When users visit the site in their browsers, the interface they see will be composed of resources delivered by several different services on the backend.
My question is how to use OpenID Connect (OIC) to implement SSO so that users log on through the site once and their browsers can automatically retrieve all the protected resources that are necessary.
The main conceptual difficulty I'm having is that everything written for implementing OpenID Connect seems to be oriented toward people creating monolithic third-party clients that authenticate with Google, Yahoo, etc. In my case, however, the client is my web portal and the resource providers are my backend services. Certain OIC concepts don't make sense to me in this context: for instance, the auth grant. Are users supposed to authorize the web portal to access their information the first time that they log on? That would be pretty absurd.
Or Is OIC the wrong tool for what I'm trying to do?
I am creating a service that will include a website, a mobile app, and a web service.
Both the website and mobile app will talk to the web service to interact with the database and any other backend items.
I would like users to be able to log in with other services (such as google, facebook, twitter, etc.)
I have two questions in implementing this:
1.) Should I use OpenID or OAuth? I'm not sure which is better for the situation. I have no need to actually access features from a users account, I just want them to be able to log in with accounts they already have,
2.) Where should I implement the authentication? Do I have to implement it both on the website and on the mobile app, or could I have both talk to the web service and do the authentication there?
Thanks
If you are just doing authentication and not syncing any account details, I think OpenID is the way to go. From a security standpoint, I would say to implement your authentication on the website and on the app and not in the webservice. You want to handle credentials the least amount possible and especially avoid sending the credentials via webservice if not using SSL.