How can I log a Django user into WooCommerce without prompting? - django

My workflow takes the user from a Django web application to a WooCommerce store. For example, they fill in example.com/register and are taken to store.com/checkout.
Both applications are backed by the same LDAP database, so at the moment I prompt the user to enter their credentials a second time.
This is functional, but not the greatest UX. How can I transport them from the Django domain to the store domain and sign them into the store, without user intervention?
(Because the domains are different and I expect third-party cookies to be disabled, I obviously can't generate a cookie for the store domain while still in the Django domain.)
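One way to do the hand-off described above without third-party cookies is a short-lived, single-use token that the Django side signs and puts in the redirect URL, and that the store side verifies before setting its own first-party session cookie. The following is an added example, not code from the original question or from WooCommerce; it assumes a shared secret `HANDOFF_SECRET` provisioned on both sides out of band, a hypothetical store endpoint `https://store.com/sso` that accepts the token, and a store-side replay cache so a captured URL cannot be used twice.

```python
"""Signed one-time handoff token for a cross-domain login (added example).

Assumptions (not from the original post): HANDOFF_SECRET is shared between
the Django app and the store; the store exposes https://store.com/sso
(hypothetical) which verifies the token and then issues its own session.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

HANDOFF_SECRET = b"shared-secret-from-config"  # assumption: provisioned out of band
TOKEN_TTL_SECONDS = 60                          # short: the token only needs to survive one redirect


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_handoff_token(username, now=None):
    """Django side: build 'body.signature' with subject, expiry and a fresh nonce."""
    now = time.time() if now is None else now
    payload = {"sub": username,
               "exp": int(now) + TOKEN_TTL_SECONDS,
               "nonce": secrets.token_urlsafe(16)}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(HANDOFF_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def build_redirect_url(username, store_sso_url="https://store.com/sso", next_path="/checkout"):
    """URL to redirect the browser to after the Django registration succeeds."""
    return f"{store_sso_url}?{urlencode({'token': mint_handoff_token(username), 'next': next_path})}"


class ReplayCache:
    """Store side: remembers nonces until their token would have expired anyway."""

    def __init__(self):
        self._seen = {}

    def check_and_add(self, nonce, exp, now):
        self._seen = {n: e for n, e in self._seen.items() if e > now}  # evict expired nonces
        if nonce in self._seen:
            return False
        self._seen[nonce] = exp
        return True


def verify_handoff_token(token, replay_cache, now=None):
    """Store side: return the username if signature, expiry and nonce all check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except (ValueError, AttributeError):
        return None
    expected = _b64(hmac.new(HANDOFF_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):      # verify before parsing untrusted input
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    nonce = payload.get("nonce")
    if not nonce or not replay_cache.check_and_add(nonce, payload["exp"], now):
        return None
    return payload.get("sub")


if __name__ == "__main__":
    cache = ReplayCache()
    url = build_redirect_url("alice")
    token = url.split("token=")[1].split("&")[0]
    print(url)
    print(verify_handoff_token(token, cache))   # alice
    print(verify_handoff_token(token, cache))   # None: replayed
```

The store side only ever trusts the HMAC, never the `next` parameter for anything beyond a same-origin path, and the token travels in the query string, so keep the TTL short and make sure the `/sso` endpoint is not logged with its full URL.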

Related

django special multitenancy with keycloak

I am planning a web application with multiple tenants (or, as I call them, companies).
Every model in Django has a foreign key to a specific company, to separate the data. It is possible that a user has access to multiple companies.
You can see this in the following diagram:
The user can log in via a login page and then sees all the companies he is related to. Now he can choose one of the companies to work with its data.
Up to this point I have no problem.
Some of the companies would like to use their own Active Directory or other systems to synchronize their users with my web application and authenticate them.
I found Keycloak during my search and it looks good for my plan because I would also like to split my web application into smaller services in a Kubernetes cluster.
But I can't find information about whether Keycloak works with my plan and the requirement of linking multiple Active Directories or other systems.
I think Keycloak would have to check the username (email address) and decide from the domain whether an external service is configured for that domain or the normal login page is used.
For example, an Active Directory is configured for domain abc.de and another Active Directory for domain example.com. If User 3 or User 2 tries to log in, they should be redirected to the Active Directory of their domain.
But User 1 should still log in via the normal login page with username and password.
Is that possible with Keycloak?

How to map one social account to several user account with django-allauth

I need to map one social account (created on a Django server with django-oauth-toolkit) to several different logins in a Django website. I already managed to connect and the server passes all allowed accounts so that the client connects as one of them.
I'd like to add the possibility to prompt for the choice of which of the accounts should be used. I'm currently connecting the user in the pre_social_login method of the account adapter.
The only idea I have is to persist in the session the available accounts and redirect to a page to select the preferred one. I'd like to understand if there's a better way.

How can I implement individual django session for individual users visiting my page without user registration?

I am making a restaurant-ordering website where customers open the site from their own smartphone and order food. I don't want them to have their own user accounts, but the website must recognize these users (from cookies or something). In short, different users must have their own sessions provided they open the website from their devices. Is this possible in Django?
You have to generate a unique anonymous user id (like anonymous_user_id) on the client side for a user the first time the user visits the website, and save it in a cookie for the API domain (if it is the same domain as the client side; otherwise save it in local storage and explicitly pass it in a header or query param).
On the backend side, you can create a middleware in Django to check whether the cookie or header exists, create or get the user from an anonymous user store (i.e. a database table) by id, and load that user into request.user, so that for your application an authenticated user will be request.user.
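The middleware the answer describes, as an added example that is not the answerer's code. It differs from the answer in one respect worth spelling out: the id is generated server-side and the cookie value is HMAC-signed, so a customer who edits the cookie cannot pick up another table's cart. `ANON_SECRET` stands in for `settings.SECRET_KEY`, `AnonymousUserStore` stands in for the anonymous-user table, and the tiny `Request`/`Response` classes exist only so the middleware runs here without Django; in a real project the middleware class drops into `MIDDLEWARE` unchanged.

```python
"""Anonymous-customer middleware (added example, not from the original answer).

Assumptions: ANON_SECRET stands in for settings.SECRET_KEY; AnonymousUserStore
stands in for the database table; Request/Response are minimal stand-ins for
Django's objects so the example runs offline.
"""
import hashlib
import hmac
import secrets

ANON_SECRET = b"replace-with-settings.SECRET_KEY"   # assumption
COOKIE_NAME = "anon_id"
COOKIE_MAX_AGE = 60 * 60 * 24 * 30                  # 30 days


def _sign(anon_id):
    return hmac.new(ANON_SECRET, anon_id.encode(), hashlib.sha256).hexdigest()


def make_cookie_value(anon_id):
    return f"{anon_id}.{_sign(anon_id)}"


def parse_cookie_value(value):
    """Return the id if the signature checks out, otherwise None (missing, forged or mangled)."""
    if not value or "." not in value:
        return None
    anon_id, sig = value.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(anon_id)):
        return None
    return anon_id


class AnonymousUser:
    is_authenticated = True      # so views can treat the customer like a known user

    def __init__(self, anon_id):
        self.anon_id = anon_id
        self.orders = []


class AnonymousUserStore:
    """In-memory stand-in for the anonymous-user table."""

    def __init__(self):
        self._rows = {}

    def get_or_create(self, anon_id):
        if anon_id not in self._rows:
            self._rows[anon_id] = AnonymousUser(anon_id)
        return self._rows[anon_id]

    def __len__(self):
        return len(self._rows)


class AnonymousUserMiddleware:
    """Django-style middleware: reads request.COOKIES, sets request.user, issues the cookie once."""

    def __init__(self, get_response, store):
        self.get_response = get_response
        self.store = store

    def __call__(self, request):
        anon_id = parse_cookie_value(request.COOKIES.get(COOKIE_NAME))
        fresh = anon_id is None
        if fresh:
            anon_id = secrets.token_urlsafe(16)     # server-side, unguessable
        request.user = self.store.get_or_create(anon_id)
        response = self.get_response(request)
        if fresh:
            response.set_cookie(COOKIE_NAME, make_cookie_value(anon_id), max_age=COOKIE_MAX_AGE,
                                httponly=True, secure=True, samesite="Lax")
        return response


# Minimal request/response objects so the middleware can run without Django.
class Request:
    def __init__(self, cookies=None):
        self.COOKIES = dict(cookies or {})
        self.user = None


class Response:
    def __init__(self):
        self.cookies = {}

    def set_cookie(self, key, value, **attrs):
        self.cookies[key] = (value, attrs)


def order_view(request):
    """Example view: record an order against whoever request.user turned out to be."""
    request.user.orders.append("pad thai")
    return Response()


def simulate(store, cookies=None):
    """Run one request through the middleware; returns (request.user, response)."""
    mw = AnonymousUserMiddleware(order_view, store)
    req = Request(cookies)
    return req.user if False else (lambda r: (r.user, mw(r)))(req)[::-1][::-1] if False else _run(mw, req)


def _run(mw, req):
    resp = mw(req)
    return req.user, resp
```

If the ordering page lives on a different origin than the API, the same `parse_cookie_value` check applies to the header or query parameter the answer mentions; what matters is that the server, not the client, mints the id and that it is signed.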

Session Hijacking in Django 1.7.7 and python3

I have developed a small application for submitting some data to a database server (Oracle 11g). When we were reviewing the security of this small application, we observed the following:
1. We have deployed Django with HTTPS and all secure configurations like Secure Cookie and Secure Session, No Cache, etc.
2. Used the Burp tool for this sample review.
3. We created two different users in this system, say Normal User and Admin User.
4. Opened 2 browsers (Mozilla and IE 11). On Mozilla we logged in with the Admin user and captured the session id using the Burp tool.
5. On the second browser we logged in with the Normal user and replaced the Normal User's session id with the Admin User's.
6. Voila... on the second browser, I got Admin user access just by changing the session id.
I have used the default session backend for this application.
I would like to know whether this is a flaw in Django and how to resolve this issue.
Thanks in advance
This is an inherent risk of using session-based identification. It's called session hijacking, and if you search for that term you will find lots of information.
Mitigations generally have one of two goals: making it harder to steal the token, or making the damage less severe if it is stolen. In the former camp are techniques like using HTTPS and SESSION_COOKIE_HTTPONLY. In the latter are things like limiting the length of a valid session (SESSION_COOKIE_AGE). In the end, though, it's difficult or impossible to stop someone from impersonating another user if they get their token, since that's the very thing that establishes identity.
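The settings the answer names, collected as a `settings.py` fragment. This is an added example rather than the answerer's configuration; the values on the left of each comment are Django's defaults as the author of this note understands them, and the hardened values are what a reviewer running the Burp test above would expect to find. `SESSION_COOKIE_SAMESITE` is noted only for completeness: it does not exist in Django 1.7.

```python
# settings.py fragment (added example; not from the original answer).
# Each line shows the hardened value; the comment gives the default it replaces.

# --- make the token harder to steal ---
SESSION_COOKIE_SECURE = True        # default False: cookie would also ride plain HTTP
SESSION_COOKIE_HTTPONLY = True      # default True; keep it so script cannot read document.cookie
CSRF_COOKIE_SECURE = True           # default False
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")  # assumption: app sits behind a TLS terminator
# SESSION_COOKIE_SAMESITE = "Lax"   # 2.1+ only, not available in 1.7

# --- limit the damage if it is stolen anyway ---
SESSION_COOKIE_AGE = 60 * 30                # default 1209600 (two weeks); here 30 minutes
SESSION_EXPIRE_AT_BROWSER_CLOSE = True      # default False
SESSION_SAVE_EVERY_REQUEST = True           # default False; refreshes the expiry so idle sessions die

# --- the test in the question is expected behaviour with any session store ---
SESSION_ENGINE = "django.contrib.sessions.backends.db"   # default; signed_cookies does not change the outcome
```

None of these stops the experiment in the question: a valid session id presented by any browser is, by design, that user. What they do is shrink the window in which a captured id is useful and remove the cheap ways of capturing it.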

Reuse Abandoned Django User IDs?

I have a new public-facing Django/PostgreSQL-based web site that requires users to create a new username/password and then fill out a profile that requires three more screens (forms) after the initial username/password page to complete their membership. As you would expect, I have a small number of users that don't complete the entire signup process leaving me with abandoned user IDs. Do either Django and/or PostgreSQL provide any convenient means of recovering and reusing these abandoned user IDs?