How To Secure Third Party API data using Django? - django

I'm using a third-party API key for my website. I have made some modifications to that API and now I'm using it for my own site.
I want to secure that API data by adding a restriction on any user (authenticated or anonymous).
I want to add a time limit on the data provided by the API. So, if anybody uses the same data after a certain period of time, then it will show an error.
I also want some restrictions on users' IPs, so a user can access my website a fixed number of times.

You might want to use the Django REST Framework JWT Authentication.
I implemented https://github.com/davesque/django-rest-framework-simplejwt
It works - the installation is rather easy - read the docs :)

If you are using DRF, use the authentication class settings. If you are using normal Django views, you can wrap the view with the login_required decorator.
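The "time limit on the data" part of the question is not covered by the answers above. Here is an added example (not code from the thread, and not from any of the libraries mentioned) of one way to do it: the view wraps the upstream API data in an HMAC-signed token that carries its issue time, and any later request presenting that token is rejected once max_age has passed or the payload was altered. Django's own django.core.signing.TimestampSigner does the same job; this version uses only the standard library so it runs stand-alone. The SECRET value and the sample weather record are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a server-side secret; in a real project use settings.SECRET_KEY.
SECRET = b"replace-me-with-settings.SECRET_KEY"


class BadSignature(Exception):
    """Token was altered, or was never issued by this server."""


class TokenExpired(Exception):
    """Token is authentic but older than the allowed max_age."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(data: dict, now: Optional[float] = None) -> str:
    """Wrap data fetched from the upstream API as 'payload.timestamp.signature'."""
    issued_at = int(time.time() if now is None else now)
    payload = _b64(json.dumps(data, separators=(",", ":")).encode())
    body = f"{payload}.{issued_at}"
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify(token: str, max_age: int, now: Optional[float] = None) -> dict:
    """Return the wrapped data, or raise if the token is forged or too old."""
    parts = token.split(".")
    if len(parts) != 3:
        raise BadSignature("malformed token")
    payload, issued_text, sig_text = parts
    body = f"{payload}.{issued_text}"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    try:
        presented = _unb64(sig_text)
    except ValueError:  # binascii.Error is a ValueError
        raise BadSignature("malformed signature")
    # Check the signature before looking at the timestamp: the timestamp is
    # attacker-controlled text until the MAC over it has been verified.
    if not hmac.compare_digest(expected, presented):
        raise BadSignature("signature mismatch")
    current = time.time() if now is None else now
    if current - int(issued_text) > max_age:
        raise TokenExpired(f"token is older than {max_age}s")
    return json.loads(_unb64(payload))


def status(token: str, max_age: int, now: Optional[float] = None) -> str:
    """Convenience wrapper for a view: 'ok', 'expired' or 'bad-signature'."""
    try:
        verify(token, max_age, now)
    except TokenExpired:
        return "expired"
    except BadSignature:
        return "bad-signature"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a record the site pulled from the third-party API.
    tok = issue({"city": "Oslo", "temp_c": 7}, now=1_000_000)
    print(status(tok, max_age=60, now=1_000_030))  # ok
    print(status(tok, max_age=60, now=1_000_061))  # expired
```

For the per-IP limit in the question, DRF's throttling (AnonRateThrottle keyed on the client IP, configured through DEFAULT_THROTTLE_RATES) is the built-in answer; it is independent of the token above.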

Related

Is it possible to have google-auth within a Django template?

I have a Django app that uses Google's allauth for signing up and logging in, but it first takes me to a Google URL to sign in, i.e., my header and other parts of my site are not visible. Once I log in through my Google account I'm redirected, so the logic works fine.
I'm just wondering if it's possible to have that process be done on my site.
For social auth I prefer to use Django Social Auth.
In regards to what OP is asking, I've never seen that before, and as a user of a system I wouldn't want it like that. Who could guarantee me that OP wouldn't also be storing other relevant details of mine to perform that operation?
In fact, the idea of social auth is that one is passing the responsibility of authentication to Google or any other provider, hence going to their system to do that operation and then redirected back.

Should I use JWT or Sessions for my eCommerce website?

I'm building an eCommerce website for a personal project. It uses React for the front-end and a REST API running on django for the back-end. I want the user to be able to add items to a shopping cart and place an order without the need for an account.
For guest users, using a session/cookie to store info is great, but when it comes to logged in users, I would want to use the database to store items in a cart. That would require creating a user and giving them an auth token so they can perform necessary actions.
So should I use session/cookie authentication or is there a better way to achieve what I want using JWT?
Both approaches can work very well. However, I am currently working on something similar and I would personally recommend the simpler option, which is the classic session approach. JWT tokens can be harder to maintain and sometimes insecure if not done correctly. Also, JWT tokens will not persist between logins.
In both ways, I don't see why one would be better to create and maintain a cart, except maybe that a session system can actually store the complete cart in the session itself. You can then implement session controllers at the API level.
ex: GET "https://{host}/api/cart" returns the items in the session's cart.
# Django session: the cart id lives server-side, keyed by the session cookie
request.session['cart_id'] = cartId
# JWT token: the cart id is signed into the token the client holds (PyJWT)
import jwt
from django.conf import settings
token = jwt.encode({'cart_id': cartId}, settings.SECRET_KEY, algorithm='HS256')
Little note: it can be harder to set up the sessions if you are working on localhost for React and a remote server for your API (the cookies are generally set per domain).
I am using JWT, and I think if you are using a database, you can create a generated JWT by user, then store it in the database; you can control the availability of your JWT in parameters, and I find the best way to secure your APIs is to add the JWT token to the headers.
I would use Cognito authentication and integrate it with react and the backend api. It will help to manage the users outside the application.
If you'll be hosting your application in AWS, check out AWS Cognito; it's an identity and user pool service. Their free tier is quite generous. That, together with AWS Amplify, which is perfect for React, will give you out-of-the-box auth and user management.

Understanding SessionAuthentication in django-rest-framework?

I am using Django v1.8 and django-rest-framework v3.2.2. I have a site with a public-facing API, which is also consumed by my own site (on the same domain) as the Ajax back-end to a JavaScript application, using GET only.
I want public users of this API to be asked for a key parameter in the URL, which I will issue manually. But I also want my JavaScript application to be able to use the API, in a way that means that other users can't just steal the key and use it.
I have set up my custom key authentication as described here, and it's working well.
However, I'm unclear on how the JavaScript application should use the API. Obviously I could just pass a dedicated key parameter in the URL, but then won't other users trivially be able to spot the key and use it?
I think I need SessionAuthentication, but how do I even start to make this work? I can't see any instructions in the DRF documentation about how I need to change my JavaScript calls to use it.
Also I don't understand how SessionAuthentication allows the Ajax app to authenticate without other users being able to see and copy the authentication.
Very grateful for any advice.
I think I need SessionAuthentication, but how do I even start to make this work? I can't see any instructions in the DRF documentation about how I need to change my JavaScript calls to use it.
SessionAuthentication is Django's own one. It uses the session to authenticate a user. It's mostly transparent for Ajax requests, as the browser will send the cookie automatically. However, if you're posting data, you need to make sure you send the CSRF token in both the headers and the post body.
Also I don't understand how SessionAuthentication allows the Ajax app to authenticate without other users being able to see and copy the authentication.
As said above, it uses cookies for that. They are part of the headers and thus usually not seen in the URLs.
To make sure no-one else can steal user's session you need to run the site through https.
This isn't much different from regular websites.
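What "run the site through https" comes down to in a Django project is the cookie configuration, since the session cookie and the CSRF cookie are the two secrets SessionAuthentication relies on. The settings.py fragment below is an added example, not part of the answer above; each line names the default it replaces. Note that the asker is on Django 1.8, where the SameSite settings (added in Django 2.1) do not yet exist.

```python
# settings.py fragment: harden the cookies that SessionAuthentication depends on.

# Session cookie (carries the authenticated session id)
SESSION_COOKIE_SECURE = True      # default False: without this the session id is also sent over plain http
SESSION_COOKIE_HTTPONLY = True    # default True: keep it, so page scripts cannot read the session id
SESSION_COOKIE_SAMESITE = "Lax"   # Django >= 2.1 (default "Lax"): blocks the cookie on cross-site POSTs

# CSRF cookie (the token your JavaScript copies into the X-CSRFToken header)
CSRF_COOKIE_SECURE = True         # default False: same reasoning as the session cookie
CSRF_COOKIE_HTTPONLY = False      # default False: must stay False if your JavaScript reads the csrftoken cookie
CSRF_COOKIE_SAMESITE = "Lax"      # Django >= 2.1

# Force https so the Secure cookies are ever actually set
SECURE_SSL_REDIRECT = True        # default False
SECURE_HSTS_SECONDS = 31536000    # default 0; only enable once the whole site is served over https
```

With these in place, the key-in-URL worry from the question does not apply to the browser client: the session id never appears in a URL, is not sent over plain http, and cannot be read by injected script, while DRF's SessionAuthentication still rejects any unsafe request that lacks a valid CSRF token.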

Secret API key for accessing Django REST framework

My aim is to restrict access to the API for client applications by specifying an API key. Various services allow you to access their API by means of a secret key, which you have to get in order to perform requests.
Note: this is not related to user auth.
Is there any straightforward solution to do this in django rest framework? Or just to pass the key in request header and then manually handle it?
Regards
Use the TokenAuthentication class, as documented here.
You'll also want to setup appropriate permissions, probably using the IsAuthenticated class.
Edit: Apologies - re-reading your post it looks like you want a global secret key, not a per-user one. I'd suggest a custom permission class that checks for the request header and fails if it's not present/not correct.
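A permission class of the kind the edit suggests, written as an added example rather than code from the answer or from DRF itself. Assumptions: clients send the key in an "X-API-Key" header, and the server keeps only SHA-256 hashes of the keys it issued (the API_KEY_HASHES list and the sample key are constructed here; in a project they belong in settings or a table). The comparison is constant-time and walks every stored hash so that response timing reveals neither which key matched nor how many leading bytes of a guess were right. If rest_framework is not installed, a minimal BasePermission stand-in is used so the check still runs on its own.

```python
import hashlib
import hmac
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except ImportError:  # DRF not installed: minimal stand-in so the check runs stand-alone
    class BasePermission:
        def has_permission(self, request, view):
            return True

# Django exposes the "X-API-Key" request header in request.META under this name.
HEADER = "HTTP_X_API_KEY"


def _digest(key: str) -> bytes:
    return hashlib.sha256(key.encode()).digest()


# Assumption: only hashes of issued keys are stored, so a leaked config does
# not leak usable keys. This entry is constructed for the example.
API_KEY_HASHES = [_digest("example-key-issued-to-client-a")]


def key_is_valid(presented, hashes=None) -> bool:
    """True if the presented key hashes to one of the known keys."""
    if not presented:
        return False
    if hashes is None:
        hashes = API_KEY_HASHES
    candidate = _digest(presented)
    # Compare against every entry with a constant-time compare and never
    # break early, so timing does not depend on which (if any) entry matched.
    matched = False
    for known in hashes:
        if hmac.compare_digest(candidate, known):
            matched = True
    return matched


class HasAPIKey(BasePermission):
    """Global secret-key check; combine with IsAuthenticated if users matter too."""

    message = "Missing or invalid API key."

    def has_permission(self, request, view):
        return key_is_valid(request.META.get(HEADER))


def make_request(key=None):
    """Stand-in for a Django request carrying (or missing) the header."""
    meta = {HEADER: key} if key is not None else {}
    return SimpleNamespace(META=meta)


if __name__ == "__main__":
    print(HasAPIKey().has_permission(make_request("example-key-issued-to-client-a"), None))  # True
    print(HasAPIKey().has_permission(make_request("wrong-key"), None))                       # False
```

Attach it per view with permission_classes = [HasAPIKey], or globally through REST_FRAMEWORK["DEFAULT_PERMISSION_CLASSES"]. Because the key is a shared secret, it identifies the client application, not a user; revoking it means rotating the hash for every client that holds it, which is the usual argument for per-client keys such as the django-rest-framework-api-key app mentioned below provides.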
There is a third party app now for this purpose called django-rest-framework-api-key.

Tastypie/Mongoengine Authentication

I'm creating a REST API for an iOS app, using Django, Tastypie, Mongoengine/MongoDB. I'm using python-social-auth to allow users to register via Facebook and it seems to be working perfectly.
What I'm struggling with is what happens next - when the user makes subsequent calls to the API what credentials should be passed with the request? I'm thinking that when the user is saved, I should generate an APIkey and send it back which the user would then use to authenticate in subsequent requests. Would that be the correct approach and, if so, how would that be implemented?
I can't seem to find any info/examples for non-ORM
Any help/nudge in the right direction would be greatly appreciated! Thanks!