Here's my idea:
have a Django Website that receives / send JSON information so that I can create a JavaScript client for a Webbrowser, or a Unity / UE client
I want a new functionality only for Unity / UE client: realtime chat.
I'd like to use a tornado server on a specific port, let's say 8666.
Here's what I've done so far:
authenticate on the Django web site
make everything work on the Django web site
Now I'd like the client to connect to the port 8666 (pure TCP) and to send something (maybe his session cookie or something else) so that I can see on the tornado web server whether the client is authenticated, and look in the database to find out which other mates are connected too on the tornado webserver, so that when this client writes something, I can dispatch his message to all other "concerned" connected clients.
I didn't find any documentation about that. Do you know how to handle this? Any example, or if I'm not on the right track what should I do then?
If your Tornado process runs on the same domain as your Django application, the session cookie will be sent by the browser upon websocket handshake, and accessible through the WebSocketHandler.get_cookie() method.
Here is an example, assuming a global variable CLIENTS keeping track of connected authentified clients:
def open(self):
"""Authenticate client based on session cookie, add broadcast notification"""
session_id = self.get_cookie('sessionid')
if not session_id:
self.close()
self.authenticate_user(session_id)
if self.user is None:
self.close()
self.CLIENTS.append(self)
self.notify_all_clients()
def authenticate_user(self, session_id):
"""Retrieve User instance associated to the session key."""
session = SessionStore(session_key=session_id)
user_id = session.get('_auth_user_id')
if user_id is None:
return
try:
user = User.objects.get(pk=user_id)
except User.DoesNotExist:
self.close()
else:
self.user = user
Hope this helps!
Edit:
Note that to be able to use the Django ORM, you must set the DJANGO_SETTINGS_MODULE environment variable to your app's settings module path (e.g. 'myapp.settings', making sure it can be found through sys.path) and then call setup() as explained in the Django docs.
Related
I'd like to have many different clients be able to access my django website (more specifically its API) but I'm not sure how to do this with django-allauth, dj-rest-auth and simplejwt.
My current client app is using the built in django template engine and is set up with django-allauth for social authentication (Google etc). It's working using the documented installation recommendations.
I would now like to create different types of clients that aren't using the django template engine (e.g. Angular, Vue, flutter mobile etc) but I'm confused how dj-rest-auth is used so that it scales to support any number of client types.
Using Google social sign in as an example, when I create a new client, I have to register a new redirect_uri specific to that client.
To test this all out, I created a simple flask app with a single link so that I can retrieve a "code/access_token" before sending it to my Django app. The link is created using the following...
var codeRequestUrl =
`https://accounts.google.com/o/oauth2/v2/auth?\
scope=email&\
access_type=offline&\
include_granted_scopes=true&\
response_type=code&\
state=state_parameter_passthrough_value&\
redirect_uri=http%3A//127.0.0.1:5000/callback&\
client_id=${clientId}`;
...and the code is retrieved at the '/callback' endpoint in flask...
#app.route("/callback", methods=['GET'])
def redirect():
code = request.args.get('code', '')
req = requests.post('http://127.0.0.1:8000/api/dj-rest-auth/google/', data={'code':code})
return "done..."
...from where I send an x-www-form-urlencoded POST request back to a dj-rest-auth endpoint that is set up as per its documentation...
class GoogleLogin(SocialLoginView):
callback_url = 'http://127.0.0.1:5000/callback'
adapter_class = GoogleOAuth2Adapter
client_class = OAuth2Client
...
urlpatterns += [
...
path('dj-rest-auth/google/', GoogleLogin.as_view(), name='google_login'),
....
]
Django then successfully returns an access_token, refresh_token and some info about the logged in user.
But this isn't something that scales well. If I were to also create an Angular client, I'd need to register a different callback (because the Angular client would be running on a different port and/or address, and I'd also need another path set up in urls.py and associate it with a new SocialLoginView subclass that can handle the different callback_url (redirect_uri).
And with all this in mind, I have no idea how to do all of this with a flutter mobile app, which as far as I'm aware, has no concept of a callback_url, so I'm not sure how making a POST request to .../dj-rest-auth/google/ would even work given that I'd instantly get a redirect_uri_mismatch error.
Have I got it backwards and the client registered at Google is the Angular, Vue, Flash etc app? That would mean that each client would have to handle its own client_id and client_secret, which then seems to bypass django-allauth's and dj-rest-auth's functionality.
I feel like I'm misinterpreting this, so I would really appreciate some suggestions.
I feel confident enough to answer my own question.
In short, yes, multiple clients (including thirdparty) is a reasonably straight forward process. Unfortunately a lot of the blog posts and tutorials that exist take the perspective of a 'second party' client, which really confuses things. The result is a lot of error messages relating to the redirect_uri.
To their credit, the Google docs for their example Flask app was exactly what I needed, but there are a couple of observations that are really important, and what caused so much confusion for me.
First, and most important, the callback (redirect_uri) is not needed in Django at all. In Django, something like this is all that is required.
from allauth.socialaccount.providers.oauth2.client import OAuth2Client
from allauth.socialaccount.providers.google.views import GoogleOAuth2Adapter
class GoogleLogin(SocialLoginView):
adapter_class = GoogleOAuth2Adapter
client_class = OAuth2Client
urlpatterns += [
...
path('auth/google/', GoogleLogin.as_view(), name='google_login'),
...
]
So no callback attribute is required. The reason for this is that the Flask (or thirdparty app) handles all of the Google side authentication.
The second observation was that the redirect_uri in the Flask app seemed have have to be the same for both the "code" request step, and the "access_token" step.
You can see it in the linked example where the oauth2callback function (which handles the redirect_uri), but I've modified for use with dj-rest-auth
#app.route('/')
def index():
if 'credentials' not in flask.session:
return flask.redirect(flask.url_for('oauth2callback'))
credentials = json.loads(flask.session['credentials'])
if credentials['expires_in'] <= 0:
return flask.redirect(flask.url_for('oauth2callback'))
else:
data = {'access_token': credentials['access_token']}
headers = headers = {'Content-Type': 'application/x-www-form-urlencoded'}
r = requests.post(f'{URL_ROOT}/api/auth/google/', data=data, headers=headers)
response_json = json.loads(r.text)
access_token = response_json['access_token'] # JWT Access Token
refresh_token = response_json['refresh_token']
# Make a query to your Django website
headers = headers = {'Authorization': f'Bearer {access_token}'}
r = requests.post(f'{URL_ROOT}/api/object/{OBJECT_ID}/action/', data=data, headers=headers)
# do stuff with r
#app.route('/oauth2callback')
def oauth2callback():
if 'code' not in flask.request.args:
auth_uri = ('https://accounts.google.com/o/oauth2/v2/auth?response_type=code'
'&client_id={}&redirect_uri={}&scope={}').format(CLIENT_ID, REDIRECT_URI, SCOPE)
return flask.redirect(auth_uri)
else:
auth_code = flask.request.args.get('code')
data = {'code': auth_code,
'client_id': CLIENT_ID,
'client_secret': CLIENT_SECRET,
'redirect_uri': REDIRECT_URI,
'grant_type': 'authorization_code'}
r = requests.post('https://oauth2.googleapis.com/token', data=data)
flask.session['credentials'] = r.text # This has the access_token
return flask.redirect(flask.url_for('index'))
So in summary, it's a bit like this:
On the index/home page, the user presses a "Login" html anchor that points to /login.
Flask doesnt have any credentials, so redirects to /oauth2callback to begin authentication.
First, the "code" is retrieved using Googles' GET /auth endpoint, and by using your app's client id.
The redirect_uri ensures the code flow goes back to itself, but this time, with the "code" now know, do a POST request to Google's /token endpoint using your apps's client id and client secret. Again, the redirect_uri is the same (/oauth2callback).
Now that Googles's access_token is known, the Flask app redirects back to /index (although it could be anywhere at this point)
Back in /index, the Flask app now has Google's "access_token". Use that to log into Django's dj-rest-auth endpoint that you created.
Django will then return its own access_token and refresh_token, so continue to use those as needed.
I hope this helps.
Note that your flask app will need to be registered as a new Web App with Google's OAuth2 console (so it has it's own client id and client secret). In other words, don't reuse what you may have already created with an existing Django allauth implementation (which was my scenario). Each thirdparty app maker will handle their own OAuth2 credentials.
I used Flask-Restful in a project where i also use the Factory pattern to create Flask objects. The problem now is that Flask give me 404 error when i try to reach http://localhost:5000/api/v1/user/ but when i explore (via the debugger) the Flask app object's url_map, my API rule is there. So, if someone ever had the same issue, i'm taking whatever possible solution.
I have the following function creating the API app:
def create_app(settings_override=None):
"""
Returns the API :class:`Flask` instance.
:param settings_override: dictionary of settings to override.
"""
app = factory.create_app(__name__, __path__, settings_override)
api = Api(app, prefix='/api/v1', catch_all_404s=True)
# API endpoints connected to the User model.
api.add_resource(UserAPI, '/user/', endpoint='user')
return app
The code of UserAPI class (used by Flask-Restful):
class UserAPI(Resource):
"""
API :class:`Resource` for returning the details of a user.
This endpoint can be used to verify a user login credentials.
"""
def get(self):
return {'hello': 'world'}, 200
def post(self):
pass
The factory.create_app function:
def create_app(package_name, package_path, settings_override=None):
"""
Returns an instance of Flask configured with common functionnalities for
Cubbyhole.
:param package_name: application package name
:param package_path: application package path
:param settings_override: a dictionnary of settings to override
"""
app = Flask(package_name, instance_relative_config=True)
app.config.from_object('cubbyhole.settings')
app.config.from_pyfile('settings.cfg', silent=True)
if settings_override is not None:
app.config.update(settings_override)
db.init_app(app)
register_blueprints(app, package_name, package_path)
return app
Python version 2.7
Flask v.
Flask-Restful version
After some investigations and some questions on Flask's IRC channel, i found that when using custom domain name, the port number should be set via the SERVER_NAME config variable. So, the issue was not coming from the factory code.
If you want to access the server via http://myserver.io:5000/, you set the port, here 5000, in SERVER_NAME as SERVER_NAME = myserver.io:5000.
This single modification in my settings worked for me :) Thanks !
Am doing a project with Flask, Gevent and web socket using flask development server environment. I used flask_login. Here
how can get i get the Unique Session ID for each connection?
I want to store the SessionID in the Database and delete it once client disconnects.
How to get total active connections
from flask_login import *
login_manager = LoginManager()
login_manager.setup_app(app)
#app.route("/", methods=["GET", "POST"])
def login():
login_user([username], remember):
#app.route("/logout")
#login_required
def logout():
logout_user()
There is no session id.
Sessions in Flask are simply wrappers over cookies. What you save on it it's digitally signed and sent as a cookie to the client. When you make a request, that cookie is sent to your server and then verified and transformed in a Python object.
AFAIK, Flask-Login saves on the session the user ID.
To get total active connections, you can:
At login, generate an unique id and save it on the session (flask.session['uid'] = uuid.uuid4(), for example), then save it on your database.
At logout, delete that unique id from the session (del flask.session['uid']) and also from your database.
Retrieve the count of active sessions using your favourite method (ORM/Raw SQL)
The session id is in:
flask.session['_id']
I have a django server app that communicates with a gwt front-end using JSON. I want to introduce user authentication to the app and have started to incorporate the framework provided by django. At this point I have set up the server to respond with the user authentication form when necessary (using the #login_required decorator scheme described in the above link), but I'm not sure what to do with this in GWT.
If you are using GWT with django and have implemented user auth, it would be great to hear how you set things up.
Thanks.
The autotest project used gwt and django combination. Have a look at http://autotest.kernel.org/browser/trunk/frontend source code. To be specific I would modify http://autotest.kernel.org/browser/trunk/frontend/afe/json_rpc/serviceHandler.py and add something like below (which would filter login, logout and is__logged__in and for all other functions it would invoke request.user.is_authenticated() to make sure that all other json rpc are protected)
def invokeServiceEndpoint(self, meth, request, response, args):
if meth.func_name == "login" or meth.func_name == "logout" or meth.func_name == "is_loggedin":
return meth(request, *args)
else:
if request.user.is_authenticated():
return meth(request.user, *args)
else:
from studio.rpc_exceptions import AccessDeniedException
raise AccessDeniedException()
I never used Django, but you probably can set what will be returned when login is required.
You can, for instance, return a message so the client can prompt the user with the authentication form. Of course, you would need to account for this situation in every call, but then you could create a abstract request class to do this.
I want to only allow one authenticated session at a time for an individual login in my Django application. So if a user is logged into the webpage on a given IP address, and those same user credentials are used to login from a different IP address I want to do something (either logout the first user or deny access to the second user.)
Not sure if this is still needed but thought I would share my solution:
1) Install django-tracking (thankyou for that tip Van Gale Google Maps + GeoIP is amazing!)
2) Add this middleware:
from django.contrib.sessions.models import Session
from tracking.models import Visitor
from datetime import datetime
class UserRestrictMiddleware(object):
"""
Prevents more than one user logging in at once from two different IPs
"""
def process_request(self, request):
ip_address = request.META.get('REMOTE_ADDR','')
try:
last_login = request.user.last_login
except:
last_login = 0
if unicode(last_login)==unicode(datetime.now())[:19]:
previous_visitors = Visitor.objects.filter(user=request.user).exclude(ip_address=ip_address)
for visitor in previous_visitors:
Session.objects.filter(session_key=visitor.session_key).delete()
visitor.user = None
visitor.save()
3) Make sure it goes after the VisitorTrackingMiddleware and you should find previous logins are automatically bumped when someone new logs in :)
If you're already using django-tracking as suggested here, there's a much easier way to implement this:
Define a signal handler:
# myapp/signals.py
def kick_my_other_sessions(sender, request=None, user=None, **kwargs):
from tracking.models import Visitor
from django.contrib.sessions.models import Session
keys = [v.session_key for v in Visitor.objects.filter(user=request.user).exclude(session_key=request.session.session_key)]
Session.objects.filter(session_key__in=keys).delete()
Create a listener for the user_logged_in signal:
# myapp/__init__.py
from myapp.signals import kick_my_other_sessions
from django.contrib.auth.signals import user_logged_in
user_logged_in.connect(kick_my_other_sessions, sender=User)
This will institute a sort of "last user to login wins" system. If you want to allow multiple logins by the same user from the same ip, you can add an .exclude() to the Visitors lookup.
Django's middleware will probably help you achieve this. The issue is that you will probably want to allow multiple anonymous sessions from the same IP address, even authenticated sessions for different users, but not authenticated sessions for the same user.
You'll want to:
Create a user profile model to store the IP address of a user's last login. See Django's Storing additional information about users documentation.
Implement a custom authentication backend. This backend, when triggered and successfully authenticating a user (just call super) would wipe out the user's last login IP in the profile model.
Implement a subclass of Django's django.contrib.sessions.SessionMiddleware class. Implement process_request. If the request.user object's profile model has no IP address, set it and allow the request. If it has an IP, and the IP is different from the current request's IP (request.META.REMOTE_ADDR), then do whatever you like to either log out the other user, or return an error to the requestor.
Update your settings.py file so that your custom auth backend is processed first, and so that your custom session middleware is also processed first. This involves updating settings.AUTHENTICATION_BACKENDS and settings.MIDDLEWARE_CLASSES.
You'll need to do this with custom middleware.
In your middleware process_request() method you will have access to the request object so you can do something like the following:
session_key = request.session.session_key
ip_address = request.META.get('REMOTE_ADDR', '')
Now you know the IP address, so check a model you create that (roughly) would look like this:
class SessionIPS(models.Model):
session = models.ForeignKey(Session)
IP = models.CharField(max_length=20)
So when a session is created or deleted you will modifiy your session ip's table accordingly, and when a request comes in make sure the IP address isn't being used for another session. If if is, then return a Http404 (or something like it) from the middleware.
A pluggable app that can show you a lot more detail (and even includes IP address in its own model) is django-tracking.