My Django app passes authentication on localhost, but not on heroku - django

So I created a simple "social media website" where by using API I GET data from a database and I can also POST to create a social media post after I register and log in.
On my localhost it all works well. I can register, login, then write a social media post and it displays on the screen.
However, when I use Heroku, GET API works fine, but after I log in (and I am sure I am logged in as I can log in on admin), I cannot write anything on my website. In my IDE I get: Forbidden: /api/posts/action/
In the network page I can see this:
Request URL: http://localhost:8000/api/posts/action/
Request Method: POST
Status Code: 403 Forbidden
Remote Address: 127.0.0.1:8000
Referrer Policy: no-referrer-when-downgrade
Any idea where should I look for an error? If there is any code I should send, let me know. Thank you!

Your server's domain in Heroku shouldn't be localhost:8000
You need to use the correct domain/IP address, and remember to put the domain/IP address in ALLOWED_HOSTS in the setting file.
If you don't set up a custom domain, then the default domain should be like:
https://<dyno name>.herokuapps.com

Related

How to use insomnia with django?

running django locally and with firefox, i login with http://localhost:8000/admin/ and after that i can access http://localhost:8000/myCustomApi successfully.
on insomnia every time i login with http://localhost:8000/admin/ i get {"code": "csrf", "reason": "CSRF cookie not set."} on the response. i tried this but didn't work. is there any tutorial to what should i do?
Install this plugin: https://insomnia.rest/plugins/insomnia-plugin-default-headers
Click on your environment and then on "Manage Environments"
3. In your environment, add a new env var:
{
"DEFAULT_HEADERS": {
"X-CSRFToken": "wSYUpsSIkXxjA8wBiojsCU7YgJGYySGFWiDHNoGhEpCWGxoIyNfIvw7hr2Au1a9J"
}
}
Replace the value with one you can find in your browser.
Now, that was for sending data to forms. If you need to make a request while being loggued, click on Cookies and add a new cookie with a name sessionid and the value that you will find in your browser.
Enjoy
Setting the X-CSRFToken didn't worked for me.
So I tried to "copy" the same request in the Insomnia environment.
In my case, what I did was:
Go to your Browser and do at least one successful request.
Go to Network tab and copy the Request Header with name Cookie.
Go to Insomnia and set this same header with it values.
Try debbugging from Insomnia.
Insomnia:
But if something seems different to you, just keep the same core: copy the request environment from browser to insomnia.
Remember the server can't see difference between an Insomnia client and the Browser if all the headers are the same.

django code 400, message Bad request version ('î\x9el\x00$\x13\x01\x13\x03\x13\x02À+À/̨̩À,À0À')

I was trying to implement 'Securing Django Admin login with OTP', however I can't login into the admin panel now. I removed the app from everywhere but still doesn't work. Any solution for this?
[05/Feb/2021 21:39:49] code 400, message Bad request version ('î\x9el\x00$\x13\x01\x13\x03\x13\x02À+À/̨̩À,À0À')
[05/Feb/2021 21:39:49] You're accessing the development server over HTTPS, but it only supports HTTP.
If you are on development version you cant use https connection on your localhost so just turn your URL to http and error will be disappear.
ex:
https://localhost:8000
or
https://127.0.0.1:8000
just turn it to
http://localhost:8000
or
http://127.0.0.1:8000
also may be at 127.0.0.1:8000

nginx API cross origin calls not working only from some browsers

TLDR: React app's API calls are returning with status code 200 but without body in response, happens only when accessing the web app from some browsers.
I have a React + Django application deployed using nginx and uwsgi on a single centOS7 VM.
The React app is served by nginx on the domain, and when users log in on the javascript app, REST API requests are made to the same nginx on a sub domain (ie: backend.mydomain.com), for things like validate token and fetch data.
This works on all recent version of Firefox, Chrome, Safari, and Edge. However, some users have complained that they could not log in from their work network. They can visit the site, so obviously the javascript application is served to them, but when they log in, all of the requests come back with status 200, except the response has an empty body. (and the log in requires few pieces of information to be sent back with the log in response to work).
For example, when I log in from where I am, I would get response with status=200, and a json object with few parameters in the body of the response.
But when one of the users showed me the same from their browser, they get Status=200 back, but the Response is empty. They are using the same version of browsers as I have. They tried both Firefox and Chrome with the same behaviours.
After finally getting hold of one of the user to send me some screenshots. I found the problem. In my browser that works with the site, the API calls to the backend had Referrer Policy set to strict-origin-when-cross-origin in the Headers. However on their browser, the same was showing up as no-referrer-when-downgrade.
I had not explicitly set the referrer policy so the browsers were using each of their default values, and it differed between different versions of browsers (https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default)
To fix this, I added add_header 'Referrer-Policy' 'strict-origin-when-cross-origin'; to the nginx.conf file and restarted the server. More details here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
The users who had trouble before can now access the site API resources after clearing cache in their browsers.

403 CSRF errors when trying to login to Django Admin over an SSH tunnel

I am trying to login to the admin panel of a Django application via another server (say 123.123.123.123). I have a ssh tunnel open like ssh -L 3000:my.website.com:443 user#123.123.123.123. I can then go to https://localhost:3000/admin/login/ and see the login page for the Django admin of the server running on my.website.com. Whatever credentials I put in, results in a HTTP 403 'CSRF verification failed. Request aborted.` error page.
I do not get this error when going directly to my.website.com/admin/login/. What settings might help to allow login via an SSH tunnel? I have already tried adding 'localhost' to ALLOWED_HOSTS. The CSRF cookies are secure (only available via HTTPS, which I'm always using) and have the HTTPOnly flag set.
Django will see that you're trying to access my.website.com domain and it will send back to you cookie for that domain.
But your browser is actually accessing localhost domain, so cookies for my.website.com won't be valid for it and browser won't send them back to Django server.
One way to fix it is to point my.website.com to 127.0.0.1 using /etc/hosts, change your tunnel port to 443 and connect to my.website.com instead.
Another approach is to set any server in between you and your django server that will rewrite cookies and other paths from one domain to another.

how to debug facebook app/django setup (url is not valid...)

I'm trying to set up a facebook app using django by following this tutorial: http://www.rkblog.rk.edu.pl/w/p/example-facebook-application-django/ . I get to the point where I start my development server at (manage.py runserver 0.0.0.0:80)
then it says: Now under http://apps.facebook.com/NAME/ you should see a basic Facebook app comming from your server:
I, however, get an error message:
The URL http://my.ip/my_app_name/ is not valid.
I think I've set things up properly:
Canvas Page URL:
http://apps.facebook.com/my_app_name/
Canvas Callback URL
http://my.ip/my_app_name/
Question: how do I go about finding out what's wrong?
Thanks in advance!
Martin
update: when i visit http://my.ip/myappname/, it redirects to http://apps.facebook.com/my_app_name/?auth_token=eac7bf38fb5e591c55ddc458d16dc9b7
where i get the 'url not valid' message... However, when I paste the url with auth_token in it, django serves the requested page as expected... why is facebook saying the url is not valid if in fact it is...?
Is your router set up to forward requests on port 80 to your development machine? If not, you will get an error, as the way Facebook apps work is that Facebook's servers contact your server, get the content, then parse it and re-serve it back to the client.
I actually find with Facebook apps that the easiest thing to do is what you describe in your last sentence - get the auth_token URL, then paste it locally and work from there.