I'm enhancing the website architecture for an open-source community. I want to provide some options(or features) to authenticated users only because an open-source community always contains thousands of members which leads to a chance of spamming. I'm adding OAuth using GitHub which can prevent user spamming.
All I would like to know whether should I add OAuth on an open-source community website or not? Is it a good practice? or there is some another way I should do to prevent user-spam?
I want to prevent spamming, for example, user-2 can not update the profile of user-1 (just an example don't want to achieve this task)
If you are not building an anon targeted website, then yes, user profiles are a need. If your website user flow suggests editing other user's profiles, you can allow it in django, but why? User profiles usually are only editable by owners.
Research what OAuth provider your users might prefer. django-allauth and similar apps give you a way to easily add OAuth of any of hundreds of providers, so it's only a question what your users want to use.
Related
I am struggling to find good info on setting up auth for a web page. I need it to have three levels of access.
ADMIN, which can control everything i.e. allowing the other levels to exist.
Editor, which can see the posts made in a backend situation. Editors will have to be approved by the ADMIN.
Authors, who can put, read and delete (only their own posts).
I don't want the authors to have to wait to make posts on the site. But Editors and ADMINS need to be approved. I feel that making a separate site for Editors and ADMINS is the solution to this.
Can anyone point me in the right direction concerning this?
Questions I need to be answered:
How Do I set up the three levels?
Is there one login that the ADMIN has to view and approve? I need it to be secure but not CAPTCHA or MFA Secure. I know AWS and Amplify uses Cognito which is fine. I would prefer to not use a Social provider login. Just an email login.
Since this website will require a database (S3 bucket) for the info that will be uploaded by the authors, will the login info be stored in a different database (DynamoDB for instance)?
I want to use Amplify, Next.js, and AWS.
Sites I have been reading and I'm sure have the answer but I am not seeing.
https://docs.amplify.aws/cli/auth/overview/
https://nextjs.org/docs/authentication
https://next-auth.js.org/providers/cognito
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
Improve this question
What is the best authentication app for Django that:
has configurable required fields, for example allows using email as username
integrates with other authentication APIs, such as Facebook, Twitter, Google
password recovery flow is configurable, sends temporary password vs. recovery link
preferably has invitation system, so the registration process can be controlled
I don't think there is any that has all these features, so I'm looking for one that covers as much as possible. But these are features that almost any well design web service should have. So I don't want to reinvent the wheel.
There isn't one django package that will cover everything, instead there are numerous great projects that tackle each of the requirements you mention:
general auth : django-auth - this is a part of the django distribution but needs to be eneabled
social authentication : django-social-auth - integrates social authentication with the default django-auth flow
registration and passwords : django-registration - adds the registration flow, including sign up and email confirmation etc.
invitation system : django-invitation - allows registration to be limited to invitations
profiles : django-profiles - allows you to extend the users account with a profile
You could also have a look at django-userena which is a new hosted solution to user management for your django app. I haven't looked into how it works or how comprehensive it is, but it looks promising.
Finally, have a look at django packages for other authentication apps:
http://djangopackages.com/grids/g/authentication/
EDIT:
This post is a little outdated
django-social-auth has become python-social-auth
django-allauth: There is another good all-in-one auth app called django-allauth. I haven't used it extensively but I believe it takes care of auth, social-auth, registration and profiles in one app
Configurable User Models: Django 1.5 introduced a configuratble User models in the auth module so you can now edit what fields you want to make use of for your user (email only, no username etc.). This is also useful if you want to add profile-like information to your user without having to join with another table (like you would with django-profiles or a OneToOne relationship with a custom profile model)
Here is nice and official comparison for only Facebook Authentication Packages
Facebook Authentication
Go for django allauth. it Covers all authentication flows, Custom user model. and over 50+ social authentication providers. We are using it from a long time and it has evolved a lot over the time.
First you have to install social-auth-app-django:
pip install social-auth-app-django
Then add it into your INSTALLED_APPS (in settings) then you have to create API keys, using the steps below for the networks you want to enable:
Google
Create a project on Google Cloud Platform
Facebook
Log into Facebook developers and create API keys
Twitter
https://apps.twitter.com/app/new
After creating project you will get the App ID and App Secret (don’t share it with any one) then add these ID & Secret in setting and provide a redirec valid url for more info
I'm building a Django-based review website where public users create all of the content on the site. Users create reviews for given items and they also create the items themselves that will be reviewed (providing a description and brief summary of the item, along with a few tags).
My question is this: Should I be using Django's admin features for this website (as in, exposing admin controls to the public users)? Or should I just stick with normal forms? I'm not too familiar with the admin-aspect of Django, and so far I've just been using forms for the website, but I've seen a lot of people talking about Django's admin features, and I'm starting to wonder if I should be using them.
Thanks for any feedback!
Maybe. If the admin functionality covers most of what you want to offer, there's no reason why you shouldn't use it as a starting point.
django.contrib.admin is an application like any other, and provides basically a CRUD interface to your models. Access can be controlled via groups/permissions, just like you would for an application you write yourself. You can give full access to a model with a one-liner, but obviously will have to configure properly when opening up to others.
See also my question
Django AdminSite/ModelAdmin for end users?
and similar questions Exposing django admin to users. Harmful? and How to make Django admin site accessed by non-staff user?
Regarding arguments about the "intended use" of the admin, please note Django's security update at the end of last year: http://www.djangoproject.com/weblog/2010/dec/22/security/ regarding querystring parameters in object lists. Such an update (quote: "an attacker with access to the admin [...]") is a clear indication that the admin's implementation of the permission system is being constantly scrutinized.
No. The django admin is not intended for any end-user.
The django admin feature is intended to assist the website developer, and that is all. Even usage by site administrators is contra-indicated, although in practice most small sites get away with it since they're only talking a few people who can call on the developer personally if they get into trouble.
For your purposes, the review items and the workflow in creating the items is a critical part of your application feature set. The admin will give you ideas, but it would be a mistake to attempt to build your application upon it.
I wouldn't expose the admin interface to regular users. You can use the authentication and user-management side (for your purposes), but it's usually best practice to give users a separate way to manage their objects. You also don't run as much of a risk of granting the wrong privileges to users (or allowing them to grant their own).
Have a read though the docs if you want a better overview about what it can do.
I want to implement Facebook connect login for my Django site and I've checked the already existing apps.
So far, I have found Django-Socialauth, django-socialregistration, and django-facebookconnect for this purpose.
The question is which one to choose, and I would like to hear from other developers who have experience with any of these apps.
It is important for me that the Facebook Connect login app plays nicely with #login_required, with the default auth system, and with django-registration.
Please share your experience :)
Update (11/26/2013): I'm updating my recommendation. Since a sufficient amount of time has passed since I wrote this answer, I would recommend python-social-auth or django-allauth as the best tools for the job. They are active projects with good documentation and support for a lot more than just Facebook. I've had success using both.
I have had the most luck with adapting django-socialregistration with django-registration (0.8). Since you're working with django-registration, you're going to have to do a little bit of work, since all three of those packages assume the role of both the creation and the authentication of the user.
I was just going to explain what needed to be done, but you inspired me to finally get my version out: hello-social-registration.
Like I alluded to, it separates gives the registration functions to a django-registration backend and handles all the authorization itself. I've been using this on my near-beta application for a while now with no problems (I also handed it to a friend to use a few months ago and he got it to work without much modification).
It's definitely not ready to be a plug-and-play reusable application, yet, but hopefully it'll provide you with some insight. :)
By far the most commonly used package for Facebook authentication in Django is Django Facebook:
https://github.com/tschellenbach/Django-facebook
It also gives you access to the facebook APIs using the included Open Facebook api client.
I wanted to implement a basic "Login using Facebook" functionality in my Django app. I didn't want to show the user a form to fill or have her choose a password. I preferred to make it seamless.
Based on my requirements, django_facebook_oauth was the best app for me. It simply allows the user to login using facebook, and gets the user info my Facebook app requests from her (based on my Facebook Auth Dialog). It creates a new user in Django with the user's facebook email, a username and a blank password.
I highly recommend it.
Hi Take a look at fbconnect app that we (actually, Hernani, a guy on our team) put together for osqa (a clone of CNPROG).
You will have to, probably, tinker a bit to adapt that to your needs. It does work with #login_required decorator and the standard django.contrib.auth system, but we do not use django-registration.
Our app also works with openid and password login, but the openid part is tightly coupled with the Q&A component at present.
We may separate it though some time in the future, if anyone might be interested in "anything-signin" django pluggable app or has something better already - pls let us know.
I've used django-allauth and django-facebook on two different projects.
django-allauth was great and provided very good support for logging in and creating user profiles. It could also work with other auth providers, which I didn't implement.
django-facebook worked out of the box, but it's only compatible with Facebook. It also provided simple APIs for fetching users' likes and friends from Facebook directly into the db, which I liked very much!
facebook.get_and_store_likes(user)
facebook.get_and_store_friends(user)
I played with .NET based libraries and found them to be frustratingly out of date. Facebook seems to change their APIs frequently, so if you cannot find a library that is routinely maintained, you will find that you will get halfway through your implementation before you realize that there are serious problems.
I had some success with the javascript API that Facebook publishes and maintains. While the documentation may not be always up to date, I found that I was always within striking distance of the correct implementation (one or two changes needed).
Just fishing for ideas here.
Do any of the major template presentation frameworks (such as Smarty, Django) have prebuilt login/security handling? I want to save time on the security handling because it will consume a lot of time to worry about that. I want to build a site from ground up but I dont really want to go so far as starting with a completed content management system like Joomla or Drupal... thats way overkill. I prefer Java, C#, or PHP and I want to start from as close to "scratch" as I can.
Yes, Django has a complete authentication/authorization framework - see the docs here.
For registration, James Bennett's add-on project django-registration is excellent and popular.
Edited after comment: Django itself supplies the mechanism for allowing admins to create user credentials, storing them in the db, validating them on login, and restricting access to areas of the site based on privileges.
django-registration provides the mechanism for a user to sign up for a username via the site, via an email with a one-time confirmation URL which sets the login up as valid. There are various other plug-in projects which provide variations on this userflow, which may be useful depending how you want your site to work.