user authentication using async websocket instead of django channels - django

I have a websocket service previously written using python websocket package which can access django models. Is it possible to check if the messages are coming from an authenticated user without using django channels?

Well, no answers, so you get to watch me at work.
I made an alternative login api rate limited to 3 requests per minute which would return the token if you send it a username and password.
I changed the django login template to include the token query
token query works before username and password is posted to the django server
token is retrieved before login and placed into browser's session storage
user logs in, websocket page is loaded, we've got the token in the session storage
websocket connection is created using the token in the session storage so webscoket server now has the token for authentication
use token for authentication to retrieve the account data on server side and route requests to the websocket object according to that.

Related

Is saving user's id and login token in local storage a good idea?

I am developing Django + React project and I'm caught with this security approach concerning login and managing views for the logged in user.
I am using django-rest-framework or DRF for my RESTful API. And I'm using django-rest-knox for authenticating user logins since I am implementing Token-based authentication (instead of session-based which uses CSRF).
Question: Is it a good idea to save user's id and token in local storage?
Currently, I have a /auth/login/ API endpoint that handles the backend logic of logging in user and returns JSON response of login details upon successful login (including user id and token).
In my frontend, I use redux and redux-persist so the user's login details are kept even when the site is refreshed. The way redux-persist do it is that it saves the response in local storage. This means that the user id and token can be accessed and changed anytime thru dev tools.
If user will then make a POST request to an API that requires a Token authentication header, the frontend will look into that local storage for the token value to be supplied to the request header.
If user will then make a POST request to an API where the user id is required in the request data, the frontend will also look for the id in the local storage.
Localstorage is not safe, especially for storing tokens and ids. Any user can go to the browser's developer tools, see and also edit its contents, for example.
You could check on Django's sessions, so you can store data securely at server side and keep its contents associated with a specific user. There is a great tutorial at Mozilla that explains sessions in a clearer way than the official documentation.

Firebase Token Authentication using Django

I am new to django and am trying to get the user authenticated using firebase admin sdk. I am trying to do token authentication and have setup the admin sdk in my django app. Also I have received the client id token in the android app.
Now I am unable to understand how to send this id to the backend and verify it as a user and create users accordingly.I did find this answer but couldn't really understand how to go about this.
Also if a user is verified how do I add and update its data. Do I pass the token again or is there any other way to do it?
Your Android App should send its ID token along with all requests sent to the backend server. You can decide how to include that (as a header, as part of a JSON payload etc). In the backend server, you should always call auth.verify_id_token() and return an error (e.g. 401 Unauthorized) if the token fails to validate.

Can DjangoRestFramework accept JWTs that have more than username/password in payload?

I have a Django application that uses the Django Rest Framework. At first I was just using Session, and Token authentication, but now want to implement JWT Token authentication. I downloaded a package called djangorestframework-jwt that allows you to use JWT for authentication in DRF. The crux of the problem is that my client side application is using Auth0 which can return a lot of different information, first name, last name, userid, etc. We are using Auth0 with gmail as an identity provider to log into our client side EmberJS application. For our data adapters to get data from Django though, we are using 1 consistent token that we configured in our Auth0 account that is tied to a user in Django. What I would like to accomplish is to use the JWT returned from Auth0, instead of this 1 token, to authenticate all our requests to Django. Can you authenticate yourself in Django without using a Django User object?

Type of authentication when using HTTP and websockets

I have a website where I am using regular HTTP API requests and a websocket authenticated connection for realtime data.
I am using token authentication for API requests, authenticating websocket connection upon connection via header token.
I would however still like to somehow uniquely identify a "session", if a user was using the same token on two machines. Do I save a random string generated upon login along with the authentication token, to uniquely identify a session?
Or did I go about this the wrong way and is token authentication really just not appropriate for my case?
Because token authentication is just so much easier to implement on the frontend, as I am using React.

Can I authenticate with OAuth in a Javascript app without saving a token on the client side with rauth?

I want to be able to authenticate users of an angular.js application using oauth, but I do not want to store any tokens on the frontend because I have seen that it can be fairly complicated to do so securely. Is there a way to pass some sort of credentials of a user to my django web application, where is can authenticate the user with some oauth provider and save that information in a session? To make it simple, here is the process I want
User is logged into some oauth provider, i.e. stackexchange
They click a "login with stackexchange" button on the front end angular app
Their login credentials are sent over to the django application through a restful api
The django app which receives these credentials attempts to get a token using rauth
If the server receives a token, the user is logged in and their information is saved in a session, otherwise they are given an error
Is this sort of process supported by OAuth2 providers?
Step 3 is incorrect: that authentication process is handled entirely off-site, on the OAuth provider's infrastructure, e.g. StackExchange.
This kind of flow is certainly possible. I would check out the Facebook example, which uses Flask, but provides a similar framework for how you might go about this in Django.