I'm attempting to implement a Forgot Password button, utilizing the url /rest_auth/pasword/reset.
My assumption, from reading the docs on this endpoint, is that you only need to pass an email to the endpoint, and then the reset email will be sent, prompting the user to reset their password.
The issue is, this flow only works when the user is actually logged in, thus when the session has a valid token key to send back to the server.
If the user forgets their password, they obviously won't be logged in, and thus won't have a token to send back to the server. This is the error I get when trying to post to the endpoint with just the email and no token header.
{"detail":"Invalid token header. No credentials provided."}
I didn't think that we should need to include a token in the header because that defeats the purpose. Am I misunderstanding how this endpoint is supposed to be used?
Found out I was still sending an Authorization header by accident with an empty token when calling endpoints that didn't need a token key.
Related
I am using django version 3.2.4 in combination with Django Rest Framework.
I also use https://github.com/jazzband/djangorestframework-simplejwt for JWTs.
Problem:
I need to enable Two Factor Authentication in the following way.
User uses an endpoint that he submits his username & password. He receives back a jwt token that includes in a claim the verification code he needs to enter hashed.
At the same time an email with this code goes to his email.
Once the user receives the email he posts in another enpoint the verification code received and the jwt token he received in the previous step.
If the code the user submitted matches the hashed code then he obtains the jwt token that it will be used in the subsequent requests.
P.S. Any other ideas, that achieve something similar with the above are welcomed.
The way I would approach this is by adding a confirmation_code field to user model and handle login using one view with two cases:
1st case, I have username and password in request but no code, after checking username and password, I would create manually and return a short lived access token only without refresh token (which would expire in 3 minutes for example), I'd create a confirmation code, save it in db and send it via mail or sms etc...
2nd case the user posts the received confirmation code using the access token in the request, but no username and password, this way I'd be sure the user has an available access token and confirmation code, I would then return access token and refresh token as usual, in this step I would blacklist the access token after login is confirmed.
In my login First place I wanted to send OTP and second place I wanted to verify the OTP and then return the token.
I am using rest_framework_simplejwt JWTAuthentication. First place I am verifying the user and sending the OTP, not returning the token and second place I am verifying the OTP and returning the token.
Let me know If this is the correct way to use? If not how can I implement this using JWTAuthentication.
OR If this is not correct way to use, can I implement like first place use Basic authentication to verify the user and second place jwt authentication to verify the OTP and send the tokens. Let me know your solution.
What I understood?
You need to send an OTP to the current user who is hitting your send_otp route after checking if the user exists or not in your system and then verify_otp route which will verify the OTP that the user has sent in the API alongwith it's corresponding mobile_number/email_id.
How to do it?
send_otp - Keep this route open, you don't need an authentication for this, not even Basic Auth (that's how it works in industry), just get the mobile_number from the user in the request, check whether it exists in the DB, and send the OTP to this number, and set the OTP to the corresponding user in your cache maybe for rechecking (redis/memcache). Use throttling for this route so that nobody will be able to exploit this API of yours.
verify_otp - This route will also be open (no authentication_class/permission_classes), get the mobile_number/email id + OTP from the user, verify it in cache, if verified, generate the token using TokenObtainPairSerializer and send the refresh + access token in the response, if the OTP is incorrect, send 401.
I have implemented an endpoint for login, using the django-rest-framework and TokenAuthentication. What i want, is after the login, the user to be authenticated and can navigate on the website.
I know that any get request on any protected using authentication uri should contain the token in the headers, so that the user can be authenticated. Everything is fine with that, if i could do all the get requests adding the token manually.
But what i do not understand is, how can i add the token in the headers when for example the user manually does the request by writing the url?
Let's say that the uri /api/ is protected and requires an authenticated user.
The user logs in, and i save the token either on the cookies or in the localstorage.
Now the user does a http get request on /api/. The token is not placed in the headers, so the response is: "Not authenticated".
So the question is, how can i add the token on any subsequent request after user logs in successfully? Maybe the backend could check the cookies for a valid token, but isn't there any better and safer solution than this?
As I believe from the question you want to add the token to all API which is consumed by your client whether App/Web. So in both people prefer to store that token either in cookies or in local storage. Once user logged out api consumer also flush that key.
I have a dataprovider with a REST service. They said that the authentication goes as follows:
1. Username and Password are passed in the request header
2. If the authentication is successful I get a token which I have to store and use this token to make further requests.
Now I started reading into REST Authentication and just do not understand what kind of authentication they use. I guess I have missunderstood something, so please correct me.
There are three kinds of authentication
1. Basic Authentication (sending username and password base 64 encoded in the header)
2. OpenID (here I send my username and password to a provider to receive a token)
3. OAuth (The caller is identified with a trusted token to let application call another application on a end-user's behalf without requiring the calling application to store the users's username and password)
I cannnot see, where to classify my providers method. 1. I am not sending UserName Password everytime. 2. I do not use a provider, 3. I am not doing application calls and do not use only tokens. Could anyone help me here?
When you send username and password to provider if correct, provider will create a token for this user and this token will be sent to you by provider.
After this, you can use this token in any session and you can check only this token for expiration, you do not have to send username and password everytime.
I have managed to get working the authentication which i know return a token (JWT) to the client. This token has an expiration date/time so I was thinking about saving the token in a cookie so future logins were authenticated but this is probably not going to work.
I then though about saving the username and password in a cookie although i know this isn't recommended??
Currently i have a form that accepts a username and password, a successful login will provide a token which is used to access other endpoints.
The form needs to include a "Remember Me" so an automatic login can occur.
What is the best way of achieving this ?
Should i be storing the username and password in the cookie, if not how do i automatically authenticate the next time the user arrives to my site. The token that i provide is going to be expired so is there any point in even storing this ?
thanks in advance
Do not store the user name or password in the cookie. Even if the cookie is encrypted, it is better to store a credential with short expiration time like the token in a cookie than a credential like password which has more shelf life.
Even in the ASP.NET Web Forms or MVC world (Forms Authentication), typically "Remember me" works only until the time the cookie expires. "Remember me" does not mean remember me for ever and there must be a finite time period for remembering. That time can be derived from a cookie. You can put the JWT in the cookie and set the cookie's life time same as JWT, say an hour. When the user comes back to your app within that time, the cookie will not expire and the user is automatically logged in. Otherwise, they have to re-login. Do not think about storing the user name - password and systematically logging in. Let the user enter the credentials and that approach will be more secure. BTW, make sure cookie is encrypted and is an HTTP only cookie.
This mechanism will be similar to Forms Authentication. In place of the authentication ticket, you will use your JWT. Instead of FAM reading the cookie, you will need to have your own HttpModule or a message handler to do that and establish the identity for the requests.
Google's authentication coookie is good for 14 days.
http://ben.onfabrik.com/posts/dog-fooding-our-api-authentication