Is it secure to create API in Django without Rest Framework? - django

I've created an app in my Django project which works the same as an API.
But for POST requests, logins, I'm doing something like this:
Request "GET" (URL: example.com/api/get): this returns a csrftoken which is then used by my applications as a cookie.
Request "POST" (URL: example.com/api/login): here the frontend application logs in the user. The csrftoken from example.com/api/get is used in cookies and the same is used as csrfmiddlewaretoken in the POST data.
My question here is, is it secure to create an API like this and use it instead of Django REST Framework?
Any suggestion will be appreciated. Thank you.
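To make concrete what the two-step flow above actually relies on, here is an added example (not code from the question, and not Django's own source): a standalone reimplementation, modelled on the public behaviour of Django's CSRF middleware, of how the csrftoken cookie secret and the masked csrfmiddlewaretoken value are tied together, plus two stand-in functions, api_get and api_login (hypothetical names for the asker's example.com/api/get and example.com/api/login endpoints), and a constructed scenario contrasting the legitimate flow with a cross-site attempt.

```python
import hmac
import secrets
import string

# Sizes and alphabet follow Django's public CSRF behaviour (a 32-char secret in
# the csrftoken cookie, a 64-char masked token in the form field or header).
# This is a standalone reimplementation written for this page, not Django's code.
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits


def new_csrf_secret():
    """Random secret that is stored in the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret):
    """Combine the secret with a fresh random mask, so each rendered token differs
    even though the cookie secret stays the same (the mask is prepended)."""
    mask = new_csrf_secret()
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(
        chars[(chars.index(s) + chars.index(m)) % len(chars)] for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token):
    """Inverse of mask_secret: strip the mask and recover the cookie secret."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    return "".join(
        chars[(chars.index(c) - chars.index(m)) % len(chars)] for c, m in zip(cipher, mask)
    )


def token_matches(request_token, cookie_secret):
    """The gate an unsafe request has to pass: the token submitted in the form
    (csrfmiddlewaretoken) or X-CSRFToken header must unmask to the cookie secret."""
    if len(request_token) != CSRF_TOKEN_LENGTH or len(cookie_secret) != CSRF_SECRET_LENGTH:
        return False
    if any(ch not in CSRF_ALLOWED_CHARS for ch in request_token + cookie_secret):
        return False
    return hmac.compare_digest(unmask_token(request_token), cookie_secret)


# --- stand-ins for the asker's two endpoints (hypothetical names) ------------

def api_get(cookie_jar):
    """GET /api/get: make sure the client has a csrftoken cookie and hand back a
    masked token for the csrfmiddlewaretoken field."""
    secret = cookie_jar.setdefault("csrftoken", new_csrf_secret())
    return mask_secret(secret)


def api_login(cookie_jar, post_data):
    """POST /api/login: CSRF check first; returns an HTTP status code. The
    credential check that would follow a 200 is left out."""
    submitted = post_data.get("csrfmiddlewaretoken", "")
    if not token_matches(submitted, cookie_jar.get("csrftoken", "")):
        return 403
    return 200


def demo():
    """Legitimate flow versus a cross-site attempt (constructed scenario)."""
    victim_jar = {}
    token = api_get(victim_jar)
    legit = api_login(victim_jar, {"csrfmiddlewaretoken": token, "username": "u", "password": "p"})
    # A page on another origin can make the victim's browser send the victim's
    # cookie, but it cannot read that cookie, so the only token it can embed is
    # one tied to its own session; that token does not unmask to the victim's secret.
    attacker_jar = {}
    cross_site = api_login(victim_jar, {"csrfmiddlewaretoken": api_get(attacker_jar)})
    return legit, cross_site
```

The property the simulation shows is that a token endpoint does not weaken the scheme by itself: the token is only accepted together with the cookie it was derived from, and a cross-site page cannot read that cookie. In a real project the check should not be hand-rolled: decorate the GET view with django.views.decorators.csrf.ensure_csrf_cookie and let CsrfViewMiddleware enforce the comparison on the POST. The one thing to watch on such a GET endpoint is CORS: if it reflected arbitrary origins with credentials allowed, a cross-origin script could read the token out of the response body, which is exactly the secret the scheme depends on.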

Related

Django Frontend Auth key and refresh key

I would like to separate my Django frontend and backend. Literally creating 2 Django servers.
What is the best way to store auth access-token and refresh-token on frontend?
What is the best way to validate auth when API is called?
Thanks!
Read about storing a JWT on the frontend here:
Should JWT be stored in localStorage or cookie?
Basically, there are two ways: either storing it in localStorage or in an HTTP cookie. Read about the pros and cons of both approaches and decide what suits you best.
In the API, it's best to pass the access token in the request header and validate it using a Django middleware. Send a refresh request from your frontend if the response returns an Unauthorized error with an error message like "Token Expired", which you create on the backend. See this package for more:
https://django-rest-framework-simplejwt.readthedocs.io/en/latest/
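The header-validation step the answer describes, as an added example (not the answerer's code and not part of django-rest-framework-simplejwt): a self-contained HS256 JWT issuer and verifier, and a check_request function that plays the role of the middleware, returning 401 with the "Token Expired" message the frontend keys its refresh call on. SIGNING_KEY, the function names and the sample timestamps are constructed for this page; in a Django project the same logic would sit inside a middleware class and the signing key would come from settings.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a deployment reads it from settings/secret storage.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input):
    return hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()


def issue_token(sub, lifetime, now):
    """Mint an HS256 JWT with a subject and an expiry (seconds since epoch)."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": now + lifetime}, **compact).encode())
    signature = _b64url(_sign(f"{header}.{payload}".encode("ascii")))
    return f"{header}.{payload}.{signature}"


class TokenError(Exception):
    """Carries the message the frontend will see in the 401 body."""


def verify_token(token, now):
    """Signature first, then expiry; any parse problem counts as malformed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and a wrong segment count
        raise TokenError("Malformed token")
    # The server decides the algorithm; a token is never allowed to pick it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("Unsupported algorithm")
    expected = _sign(f"{header_b64}.{payload_b64}".encode("ascii"))
    if not hmac.compare_digest(expected, signature):
        raise TokenError("Invalid signature")
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("Malformed token")
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        raise TokenError("Missing exp claim")
    if now >= payload["exp"]:
        raise TokenError("Token Expired")
    return payload


def check_request(headers, now):
    """Middleware-style gate over the request headers: returns (status, body).
    A 401 whose error is "Token Expired" tells the frontend to call its refresh
    endpoint; any other 401 means the user has to log in again."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not credential:
        return 401, {"error": "Missing bearer token"}
    try:
        return 200, verify_token(credential, now)
    except TokenError as exc:
        return 401, {"error": str(exc)}
```

Two details matter for the refresh flow: the signature is checked before the expiry, so an attacker cannot learn anything about claims from a forged token, and the expiry error is the only one that should trigger a refresh; mapping every 401 to a refresh attempt turns a revoked or tampered token into a retry loop.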

Django DRF with React: How to obtain CSRF cookie?

I have a React frontend running at frontend.example.com and a Django backend with DRF running at backend.example.com. I am using Django Session Authentication and I want to properly implement CSRF protection.
Taking the React login page frontend.example.com/login as an example. It's the first time for a user to visit the page. There is a form with a user and password and on submit a new POST request is created to the Django backend. To the best of my knowledge, the CSRF token cookie should already be included in this request, right?
How to obtain that CSRF token from the Django backend? I am thinking of doing a GET request to the Django backend on loading the login-page to obtain that CSRF token cookie. Is that the way to do it or is there any other best practice?
Django has a section on AJAX requests and how to handle CSRF: AJAX
Using this method you send the token with every POST request. The other method is using CORS. In this method, you only respond to the domains that you already whitelisted, with headers that are whitelisted as well. So, instead of getting and passing the CSRF token, you check whether the request is coming from the right domain and then you can respond to it. Combined with a token system for user authentication, you should be good.
You can use this package for handling CORS if you use DRF: django-cors-headers
Using rate limiting can also help you prevent spam and bots from doing noticeable harm.
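The "check that the request is coming from the right domain" part of the answer above, as an added example (not the answerer's code and not django-cors-headers): a server-side Origin/Referer check for state-changing methods against a constructed allowlist containing only the React app's origin from the question. The function names and the allowlist are assumptions for this page. One thing to keep apart: CORS response headers control what a cross-origin script is allowed to read from a response, while the browser still sends a plain cross-site form POST regardless, so it is this origin comparison (which Django's CSRF middleware also performs for unsafe requests) that blocks a cross-site write.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the setup in the question: only the React app's
# origin may make state-changing requests to backend.example.com.
ALLOWED_ORIGINS = {"https://frontend.example.com"}
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def normalize_origin(url):
    """Reduce a URL or Origin value to scheme://host[:port]; None if unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname
    if port not in (None, default_port):
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def origin_allowed(method, headers):
    """Decide whether an unsafe request came from an allowed origin.
    Returns (allowed, reason); safe methods are not gated here."""
    if method.upper() not in UNSAFE_METHODS:
        return True, "safe method"
    source = headers.get("Origin")
    if source is None:
        # Some clients and redirects omit Origin; Referer is the fallback, and a
        # request carrying neither cannot be attributed to a site and is refused.
        source = headers.get("Referer")
        if source is None:
            return False, "no Origin or Referer header"
    if source == "null":
        return False, "opaque origin"  # sandboxed frames, file:// pages, some redirects
    origin = normalize_origin(source)
    if origin is None:
        return False, "unparseable origin"
    if origin not in ALLOWED_ORIGINS:
        return False, f"{origin} not in allowlist"
    return True, "origin allowed"
```

Scheme and port are part of the comparison on purpose: http://frontend.example.com is a different origin from https://frontend.example.com, and accepting the plaintext one would let a network attacker who can spoof that origin's pages pass the check.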

How do I send csrftoken from Django Rest Framework backend to React Native front-end?

I am building an application after finishing up my website. Now, the backend for both of these should be common, but Django's CSRF token is meant to be a security measure against this. Since I am not using a web browser, I am unable to get a CSRF token cookie. At the same time, Django will need it to access its APIs.
Is there any way I can get the cookie from Django and get it into React Native?
Not clear what you want to do. But if you are writing a native application, why don't you use a token identification mechanism?
There are lots of simple (and less simple) solutions out there.
Assuming you are using Django REST framework:
Simple built-in token authentication: https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
Token, but with expiry and DB encryption: https://github.com/James1345/django-rest-knox
JWT: https://github.com/davesque/django-rest-framework-simplejwt
May I know your login URL? Use the rest-auth login URL. The Allauth URL gives a CSRF issue.
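To show what the middle option in the answer above (a token with expiry and hashed storage) amounts to, here is an added example that is neither the answerer's code nor taken from DRF or django-rest-knox: an in-memory TokenStore standing in for the database table, which hands the raw token to the native client once and keeps only a hash, plus authenticate_request, which expects the "Authorization: Token <value>" header form that DRF's TokenAuthentication uses. The class and function names, LOOKUP_CHARS and the sample timestamps are constructed for this page.

```python
import hashlib
import hmac
import secrets

LOOKUP_CHARS = 16  # leading chars of the token used as the lookup key (constructed choice)


def _digest(raw_token):
    # Tokens are 256-bit random strings, so an unsalted hash is enough to keep a
    # leaked table from yielding usable tokens.
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


class TokenStore:
    """In-memory stand-in for the token table a package such as knox keeps."""

    def __init__(self):
        self._rows = {}  # lookup key -> (user, digest, expires_at)

    def issue(self, user, now, ttl):
        """Create a token; the raw value is returned once and never stored."""
        raw = secrets.token_hex(32)
        self._rows[raw[:LOOKUP_CHARS]] = (user, _digest(raw), now + ttl)
        return raw

    def authenticate(self, raw, now):
        """Return the user for a valid, unexpired token, else None."""
        key = raw[:LOOKUP_CHARS]
        row = self._rows.get(key)
        if row is None:
            return None
        user, digest, expires_at = row
        if not hmac.compare_digest(digest, _digest(raw)):
            return None
        if now >= expires_at:
            del self._rows[key]  # expired rows are purged on first use
            return None
        return user

    def revoke(self, raw):
        """Logout: drop the row so the token stops working immediately."""
        return self._rows.pop(raw[:LOOKUP_CHARS], None) is not None


def authenticate_request(store, headers, now):
    """Gate used by an API view: reads 'Authorization: Token <value>' and returns
    (status, user) on success or (401, reason) otherwise."""
    scheme, _, raw = headers.get("Authorization", "").partition(" ")
    if scheme != "Token" or not raw:
        return 401, "missing token"
    user = store.authenticate(raw, now)
    if user is None:
        return 401, "invalid or expired token"
    return 200, user
```

Because only the hash is stored, a dump of the table does not give an attacker working credentials, and because the lookup is by prefix with a constant-time comparison of the hash, the check does not leak which prefix matched. The trade-off against the JWT option is that every request costs a database read, which is what buys server-side revocation.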

Pass authentication headers when opening a new url

I will roughly describe the problem:
I have a React.js application, which authenticates using IDAM and receives a token. I can use this token to make requests to the backend API. Everything is fine regarding the interaction React.js <-> API.
Now I need to redirect to a Django application from the React.js application. I already have the authentication token, and I want to pass it to the Django application. I was thinking about putting the authentication header when doing window.open to open the Django url, but I realize that it is not possible to put headers with window.open.
How can I pass the authentication headers when opening a new url?
NOTE
The API and the Django application are not related (they are different applications).
The API is a REST API (implementation irrelevant), used by the React.js frontend to request data.
The Django application is a "normal" Django application (no DRF), unrelated to both the API and the React.js frontend.
I recommend using a REST API or GraphQL, then consuming the APIs from React. The POST, GET, DELETE, etc. methods must send an X-Token header with the HTTP call. The backend must verify the token; if the token is valid and the role has the required privileges, then your backend serves the API.

Overriding django authentication with Django rest framework authentication

I need to access a djangorestframework API, but because the Django server uses a CSRF token I can't get past it. How can I configure djangorestframework to override the Django authentication and not be redirected to login?
I'm new to this so I need help.
Accessing the Django REST framework would be done by a pure Python program which runs in the background of a client PC collecting data, so I need to use urllib2 or requests for this. Any ideas?
The API needs to expose an authentication method for your client to use.
The SessionAuthentication style requires CSRF validation and is suitable for JavaScript-based clients running in the context of a logged-in application. If this describes the sort of client access you're making, then read the Django documentation on CSRF and AJAX requests, which describes how to pass a CSRF token to a JavaScript-based client.
Other schemes such as TokenAuthentication do not require CSRF validation, and will successfully authenticate without passing any CSRF token.
Make sure that you know what schemes the API supports and choose the right one to use for your client access.
For more information see the authentication documentation.