I am new to Django Rest Framework. My API is used in 2 ways:
I have a React frontend
As a normal REST API returning JSON
However, I don't want the endpoints called for my frontend to be able to be called in the normal REST API. Specifically, I want those endpoints to only be able to be reached when called from my frontend React app. How can I do this? Thanks!
I am not mistaken you are asking for host restrictions means your endpoint can only be called from a specific host than do just add your host cors whitelist. You can configure it using django cors header package
Related
I have this question. I am quite new in this area.
I have web app.
This consist of services deployed on Docker engine.
The main services/containers are:
Frontend : React on Nginx web server
Backend (API) : Django, DRF on gunicorn on Nginx
For frontend I use Auth0 provider. It works as expected. If user is not authenticated/authorized it is redirected to login page.
Now I want also to "secure" my backend that it only would accept authenticated connections from frontend.
For backend (Django) I also have CORS enabled (django-cors-headers package), but I still can connect from my browser my-site/api/ and get the response.
Does anybody know which strategy should I use.
Should I somehow secure it using JWT tokens. Somehow pass it to backend in my request?
There is various ways of authorizing API calls from your front-end applications to execute actions on your back-end. These will tend to vary in a few aspects:
Complexity
Needing to know who sent the request
Access surfaces
Duration of access
Roles
and so on...
In this case if you have authenticated users on your front-end using AuthO then a JWT could make sense since using this method you can encode specific user data that will allow you to make the decision on your backend as to if that user should have access to that action at that time.
Here is an article explaining a few popular methods of authentication
I would like to have different values for ALLOWED_HOSTS for different Django REST API endpoints. Is this possible? Here are more details:
I have a setup consisting of a Django REST API backend, a React frontend, a Postgresdb and nginx, each running in a docker container, managed by docker compose. I am exposing Django API endpoints that are accessed by the frontend from the user's browser, so I am adding the domain of the frontend to allowed hosts. However, I have one specific API endpoint that should only accept requests from the frontend docker container but never accept requests from outside. It should only be used for communication between the frontend and the backend container. So in this case i would have to restrict allowed hosts to the ip of the docker container. Both settings are possible and working, but I can only choose one of both in the global Django settings. My question is: Is it possible to set allowed hosts for an individual endpoint/url?
I suppose if there is no clean way of doing it I could run a manual check using HttpRequest.get_host() to verify the request host against the container name?
It's certainly possible.
In a pure Django context, I'd implement this as a Django middleware that intercepts the request, looks at the path and the request host, source IP and does what it needs to.
In a Django REST Framework context, I'd implement this as an additional authentication class, since it will then have access to the Django REST Framework context if required.
Finally, I'd recommend also protecting this "secret" endpoint with additional authentication – the simplest might be an additional secret header (X-Nik-Secret: very? ;-) ) that is known to the frontend container. That check can similarly be implemented in middleware or authentication.
My web application has a public API endpoint eg https://example-backend/home.
I have two frontends one for internal admin (https://example-admin.com) and the other for customers (https://example.com) both using the same backend endpoint.
The goal is to allow this API to only be available to the internal admin frontend.
I thought about using the HTTP ORIGIN header which would contain the frontend URL. Is that a good approach?
I think you need to check this:
Django allowed hosts
I've deployed a Django API powered with Django Rest Framework with some open endpoints and some Authenticated endpoints using Token authentication.
Which is the best way to protect the entry API allowing only to send request from the app frontend team?
I was thinking to use an Nginx basic auth, but then the Authorization header is duplicated, so Token auth is not working.
You could filter the access in your API by filtering the IP address in case that the frontend team uses a static one (e.g. ALLOWED HOSTS).
Moreover, you could add the users of the frontend team in a specific group or provided the same role and filter the access by implementing a reusable custom DRF permission.
An other option could be the usage of a custom HTTP header or an API key (e.g. X-API-KEY header).
I will roughly describe the problem:
I have a React.js application, which authenticates using IDAM and receives a token. I can use this token to make requests to the backend API. Everything is fine regarding the interaction React.js <-> API.
Now I need to redirect to a Django application from the React.js application. I already have the authentication token, and I want to pass it to the Django application. I was thinking about putting the authentication header when doing window.open to open the Django url, but I realize that it is not possible to put headers with window.open.
How can I pass the authentication headers when opening a new url?
NOTE
The API and the Django application are not related (they are different applications).
The API is a REST API (implementation irrelevant), used by the React.js frontend to request data.
The Django application is "normal" Django application (no DRF), unrelated to both the API and the React.js frontend
I recommend using REST API or Graphql, then consume the APIs from React. The POST, GET, DELETE, etc methods must send X-Token header with the http call. The backend must verify the token, if token is valid, and role has the required privileges, then your backend serves the API.