Authenticate VueJS app to Django DRF back end using sessions - django

Good afternoon,
I am writing an app structured with two docker containers. Docker1 is the front end VueJS app, Docker2 is the backend Django DRF API. I would like to manage access using Sessions (NOT JWT's).
I am having trouble finding resources to help me get started on this approach. Does anyone have any good resources on how to interact with authenticating and managing Django sessions over DRF? Most of the examples use a DJango template form to do initial authentication which is not an option in this case.
EDIT: To be more specific, I intend to make the ajax calls via axios and expect to post to the built-in auth views. My question is around how to handle the csrf_token items.
Thanks for your help.
BCBB

Related

Django rest_api and React

I am creating an am using Django and React. I have created custom user model api in Django using rest-framework, but i am confused about the whole login and signup system. Do we create login and signup modules in Django or React.
Can anyone please guide me through it, or suggest any tutorial.
You create the templates (login, signup, etc. pages) in React and connect them to DRF. There are multiple ways to perform authentication. Take a look to Authentication docs on DRF. https://django-rest-framework.org/api-guide/authentication

Communication between Django and React

I'm trying to setup a project using Django for backend and React for frontend. The project has several screens, a lot of information in DB and images generated by the backend, and will include some authentication and user permissions for different screens.
According to what I found - the best way to do it is having Django render an html file:
def index(request):
return render(request, 'frontend/index.html')
which references a .js file:
<script src="{% static "frontend/main.js" %}"></script>
Which is created using Webpack.
This main.js retrieves the data it needs from Django using a REST api:
fetch("...some Django endpoint..").then(response => ... this.setState(...retrieved data...))
Unlike when just using Django for backend + Django templates for frontend where the backend can just send the context directly to the template:
def index(request):
context = {'information': .... retrieve info from DB}
return HttpResponse(loader.get_template('bla/index.html').render(context, request))
and the template can use this info directly, without referencing the backend again:
{% for bla in information %}
I'm wondering if it is a reasonable setup?
It seems excessive to have the frontend use REST for retrieving each piece of information it needs and the backend exposing another REST api for each part of data it needs to supply (Instead of just pushing all of the information to a single dict and sending it over along with the template),
Also, it requires at least 2 RTTs to render the full page (which I guess usually is okay)
According to what I found - the best way to do it is having Django render an html file:
I disagree with this line. I would say it would be best to keep the react app and Django app totally separate.
I believe, the Django application should solely provide APIs and adminsite(maybe, depending on your needs).
And the frontend should be a standalone app which can be served through NGINX/ExpressJs/Apache etc.
There are several advantages of this setup.
From Django application's perspective, the advantages are:
Django will not be burdened to serve the Frontend. Use gunicorn or uwsgi to serve the Django APIs.
As Django will provide data through API only, it will provide clarity on how the frontend application will communicate with the backend. I know that you can send data using context when Django serves the react app, but this might cause confusion because of API and context's co-existence.
You can use Token based authentication, JWT etc instead of Django's own session based authentication, which have a lot of other advantages.
Freeing your frontend application from backend is the best thing can happen for the frontend. Like for example:
if you had Django to serve the frontend, you were almost forced to use session based auth(its not like you can't use other auths, but whats the point of having multiple auth systems)
You couldn't have used server side rendering with Django rendering the frontend.
Lets say, you are have no idea about how Django works, but you will be forced to setup a Django application in your local machine, because it serves the frontend.
You couldn't have used ExpressJs to serve the frontend, or use the advantages of using NGINX to serve those contents.
Deployment would be complicated if you have docker setup. In this case, you would have had to use one Docker Container to serve everything, else you could have used multiple docker containers to serve backend/frontend.
Lets say, you want to serve the Django application in one server, frontend from other server, but with Django tightly coupled with Frontend, you can't do this setup.
You can easily connect external RESTful API services without bothering about Django. Even you can use any other frameworks like Tornado, Flask etc(but DRF+Django ORM is awesome) to develop APIs.
There are some more generic advantages of having backend and frontend separated.
There is a fantastic tutorial which you can read on medium about setting up separate Django + ReactJs app.
You can use GraphQL, it has several advantages over REST, f.e.:
only one endpoint for entire app;
ability to fetch data with relations between them;
easy data structure modifications on both sides;
advanced client with cache/normalization/subscriptions/optimistic updates (I prefer apollo to relay);
can be used as datasource for static site generation (SEO);
you can stich other services/APIs;
... many more.
Using react Server Side Rendering you can get pages without additional requests - 'prefilled'/rehydrated, ready for interactions - better Time to Interactive.
Tutorial/demo: django-graphql-apollo-react-demo

Ember application with an admin site

I'm creating a basic Ember application. I am trying to set up a backend that stores posts. I would like to have a system where I can go to some admin site that has a form that has all the fields for a post that allows me to add, update, and delete posts. For example, if I have a Post model with attributes like Title, Contents, Date_created, and Image, I would like to have these fields in a form in some kind of admin site.
One example from a past tutorial I have done is the Django admin site. Is it possible to set up a Django backend for my Ember app? The Django admin is here: (scroll to bottom)
https://docs.djangoproject.com/en/1.10/intro/tutorial02/
I know that asking how to set up a backend for my Ember application is a very general question, but I am confused as to where to start. I have already created a Post model with various attributes. I can create an Ember route that is a form to add a post, but then there comes authentication for that which I'm not really sure how to deal with either. That's why I came to Django because I remember they had a very nice admin site.
If it is not feasible to use Django to accomplish this, what are some other routes I can take to be able to get to some admin page where I can manipulate records and add new data to my website?
This is a pretty big question, but I feel your pain. Most tutorials are all, "so... just build out a rails app... or use all this long lost stubbing stuff... or here's a super outdated node server on github to use."
I would suggest breaking it down into pieces. Ember is really great, but–Yes–you need a backend. You could make a backend with Django(python), Rails(ruby), WordPress(PHP) + ember-wordpress, express or hapi(node), phoenix(elixir)- or really anything that will generate an API. You could also build an admin with Ember and then use that to send data to a service like parse or firebase. Those could get you an MVP while you learn more about how to build out a traditional back-end.
Django + http://www.django-rest-framework.org has a pretty great admin setup that builds out the admin and fields from your API specifications. I can see why people like it.
I would also mention, that ember-cli-mirage is great when you aren't sure what backend you'll have, but you need to have a mock-server to build off of.
If you can, choose something that will spit out an API with jsonAPI.
I would split this into 2 parts.
build out an Ember app with Mirage or some other temporary data.
build a back-end somehow.
Then you can connect them ~ without being stuck beforehand.
Good luck!
So pretty much a blog site where only person can create/delete/edit posts? If so then all you have to do is create a user with a predefined username and password in your Django app. You login through your Ember app. For this protected view you will need to use ember-simple-auth, which is the simplest way to implement something like this. Google ember-simple-auth and run its dummy app to see what they are doing.

Using Django Rest Framework for only certain apps inside Django Application

I'm not sure if this is possible since an extensive search gave me nothing. Or I might be searching the wrong terms.
Now I have a few apps inside my Django application as follows:
--AppOne
--AppTwo
--ExtendedAdmin
manage.py
Now, AppOne and AppTwo use Django Rest Framework and its related Token Auth Mechanism. For the extendedAdmin, I'd like to use native Django Auth or even SessionAuth of DRF since I'm trying to add quite an extensive admin panel to the application. I've not been able to find a satisfactory way of customizing Django Rest Framework to work it's auth mechanisms only for certain applications. Is there a way to do this? If not, what should I be doing different?
So far, I know you cannot. Because django rest framework intercepts the url and then performs its own logic of token validation. But there are solutions that you can use to keep both Session and Token Authentication.
I am using this for all my projects -
I keep Session Authentication for all urls that will be accessed for normal browsing
and I use api urls with django rest framework to be prefixed with /api for my api urls
For example -
The Session Based login is at http://<host>/account/login
and TokenBased login is at http://<host>/api/account/login
The easiest way to make prefixed url for django rest framework is by using Routers - http://www.django-rest-framework.org/api-guide/routers/#defaultrouter
Example -
class UserViewSet(ModelViewSet): # just a sample view set
...
router = routers.SimpleRouter()
router.register(r'api/users', UserViewSet)

How to authenticate against Django from Drupal?

I have a medium sized Drupal 6 site running (around 5 million page views per month and more than 30K registered users) and I need to integrate OSQA, a Django application, with it. I already have many users, roles and permissions in my Drupal database and I'd like to point the Django app to use the sign up and login pages I already have in Drupal to give my users a single point on entrance.
I want to keep the Django authentication part because I think OSQA would work better. I also have performance reasons in mind, the Drupal site already gets a lot of traffic and has a very busy database and I think that using a separate database for Django would help.
After some research I think I could make the Drupal sign up and login pages call Django in the background to sign up or login to the Django app. I plan to do this writing a couple of views in Django, one for sign up and another for login, and Drupal would post the username and password to those views. Of course I'd need to disable CSRF in Django for those views and probably also post some secret key that only my Drupal and Django applications know about to avoid external sites trying to use this "unprotected" Django views.
I know that my Django application may need some user data from Drupal at some points and I'm planning on using the Drupal services module for that.
Would this be a good approach? Any suggestions?
Thanks a lot!
Are there any plugins for OSQA to expose an authentication service that Drupal can talk to? (OpenID or similar).
Alternatively, check out Drupal's ldap_integration module for an example of a module that uses an external authentication service. Consider that you will need to create Drupal user accounts for each login.
Finally, why not just build the essential parts of OSQA's functionality with Drupal? Seems like the key functionality could be replicated quite easily using Taxonomy, Vote Up and Userpoints/User Badges... potentially easier to do than shared authentication, especially on a large site.
I once created a very simple [sql_authentication][1] module, which you can probably simply re-create for a more recent version of Drupal.
The idea is simple: provide Drupal with an alternative authentication callback.
In that callback-function, just check against the Django database, and return TRUE if you think the user is correct.
You could look at how openid.module (in core) extends the user-authentication for a simple example.
If you can post to the Django form, you may be able to use drupal_http_request to handle the call to Django. After using the ldap_integration module for a while, I worked on a custom authentication module that calls a Java-based REST authentication API using drupal_http_request. If you're interested in the code, let me know.