I have a new public-facing Django/PostgreSQL-based web site that requires users to create a new username/password and then fill out a profile that requires three more screens (forms) after the initial username/password page to complete their membership. As you would expect, I have a small number of users that don't complete the entire signup process leaving me with abandoned user IDs. Do either Django and/or PostgreSQL provide any convenient means of recovering and reusing these abandoned user IDs?
Related
My workflow takes the user from a Django web application to a WooCommerce store. For example, they fill in example.com/register and are taken to store.com/checkout.
Both applications are backed by the same LDAP database, so at the moment I prompt the user to enter their credentials a second time.
This is functional, but not the greatest UX. How can I transport them from the Django to store domain and sign them into the store, without user intervention?
(Because the domains are different and I expect third-party cookies to be disabled, I obviously can't generate a cookie for the store domain while still in the Django domain.)
My company has decided to use FreeIPA in order to make available Single Sign On feature for our employees. I am not familiar at all with Kerberos/LDAP and similar because i have never used those technologies before.
We have 70 users - they have Windows OS machines and SSO should be used for several Python (Django) web apps, WordPress web sites and possibly for Roundcube web email and OpenVPN access. They don't have access to web servers at all so SSH accounts are not important for this story.
Our python web app has database table with users' data which is in relation with some other tables and it is very important for us to have every single user added to those tables (via our web app interface) because otherwise our app will not work properly.
Having that in mind, i would like to know if there is a way somehow to reference user from FreeIPA's database to our web app's and wordpress' databases, example below:
Not every user has access to every web app and not every user has the same privileges in those apps.
We have already defined user privileges in every web app separately and everything works perfect, so main aim is just to make avaliable SSO for our users. I don't want to bother with user groups and privileges in FreeIPA system, will be i able to avoid that?
When user gets Kerberos ticket i want those web apps to recognize his/her account which is referenced to corresponding user account in FreeIPA database, and so has certain privileges in those apps.
In this scenario it is obvious that i will have to add every new user two times - in FreeIPA database and in web app's database, but that's not a problem, i just want to connect/reference those user accounts somehow.
EDIT to Michael Ströder's answer:
As i see, i would have to add every existing user manually to FreeIPA with "--uid" command because FreeIPA gives those attributes to every user automatically. I agree, i would not use user names for UID but only integers. So, i have imagined to make it like this - i would have to link every user's uid number to application's DB user's table ID column. Let say, if John has UID #7 he should also have ID #7 in WordPress wp_users table, and that looks fine to me. I think i could easily manage this in my custom python app, but i'm unsure how to manage this in WordPress, is there some plugin that could be use for such things? I've found AuthLDAP but i'm not sure if that is the right way to do it? Thanks in advance
The usual way is to have unique and persistent user names (String), usually stored in attribute uid in FreeIPA (or other LDAP servers) and use this as key in your application's DB table.
Note that uid does not contain the POSIX-UID (Integer) which is actually stored in attribute uidNumber.
I'd strongly recommend not to derive user names stored in uid from personal names because these often change. Also you should never reuse user names.
FreeIPA also has attribute nsUniqueId which contains a UUID generated during creation of the entry. It will not be modified during life-time of the entry. If you want to use that you have to take care that entries are not deleted/re-created by an external identity management systems all the time.
(Other LDAP servers are using standard attribute entryUUID).
I am using Django rest framework to build my application backend. I have used Django-rest-auth (https://github.com/Tivix/django-rest-auth) to enable login and registration for my app. It is already working.
However as per my new requirement, I have a list of usernames and only those usernames can register into my system. How can I achieve this?
I had few ideas (do not know if they make total sense):
1. A new model to store usernames, so that in future more usernames can be added via admin interface
2. Whenever a user makes a call from client: the entered username is checked against this new usernames table and if it exists in the table registration is allowed.
Or there can be a still easier way to do this? Any code snippets?
I am working on SPA AngularJS application which allows users to collaborate on projects and stores history of edits for each user. The requirement is to allow unauthenticated users to manipulate data too. Once the user registers, I need to associate her history of edits with the newly created account. The backend is Django.
What is the best option to track actions of anonymous users?
I can create “anonymous” user at the firs visit, issue JWT, store it in the browser and use to track all the user’s activity. Later on when registering user, just update her profile.
The drawback is that there is a potential to get a lot of orphaned users that need to be periodically cleaned up.
This is similar to https://github.com/danfairs/django-lazysignup, but adapted to work with https://github.com/GetBlimp/django-rest-framework-jwt.
Use JWT or cookie to track user session. Allow using session identifier instead of user key to track user’s activity. When creating real user update all references to the session with user’s pk.
Anything else?
From my experience go for solution 1. The orphan user is often not a problem because from business plan point of view it's user and the more is better.
Also having only a notion of user is really simpler. They are users who haven't fully completed their profile that's all.
I have a webapp that allows authenticated as well as anonymous users to start entering some form data. If a user is happy with his/her input, he/she can save that form to the server. This is a very similar problem to a shopping cart application that does not require login until checkout time.
For the authenticated user, implementing a save button is trivial. However for the anonymous user, the form data need to be stored somewhere while authentication is taking place, then correctly retrieved after logged in. Can someone please suggest some general strategies to go about this?
I found this link that is promising but I want to be thorough about this topic.
I think the correct way of doing this is to use django sessions. Basically each user (anonymousUser included) has a session during its stay on the website (or even more).
If you have a form that you want to store for a specific session, you can do it by using
request.session['myform'] = form
you get it by
request.session['myform']
and you can delete it using
del request.session['myform']
Basically Django pickles a dictionary of the session and saves it in a place (typically the database, but can be on other place as explained in django sessions).