Is it needed to add reCaptcha to built in Django's login form? - django

Hello, I'm new to Django and I'm using Django's built-in forms to log in my users. I also have a contact form where I'm using Google reCaptcha to avoid attacks.
I was wondering if it is needed to add reCaptcha to my login form. I have heard Django takes care of most security and I don't want to repeat code if the default login form is already prepared for brute-force attacks.
In case it's better to add reCaptcha to the default login form, how can I process the validation? In my contact form I call Google's API to verify the user's click within my views, but I don't feel comfortable adding that code inside the auth_views.LoginView class.
Thanks!

Django does not take care of any rate-limiting with its forms, including login.
I think that it is a good idea to include some sort of rate-limiting security measure in your login form. reCaptcha might be overkill as a default, unless there are several incorrect attempts within a timeframe.
Take a look at the Django rate-limit project for an easy-to-implement alternative to captcha.
In order to add reCaptcha to the login view, rather than modifying the auth_views.LoginView class, just create a new view that extends that class. You can add your recaptcha form validation just like in your contact form.
Then you can update your url to point to your custom view and template:
url(r'^login/$', custom_auth_views.recaptcha_login, {'template_name': 'core/recaptcha_login.html'}, name='login'),
See this post on how to extend the login views / templates.
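The "captcha only after several incorrect attempts within a timeframe" idea from the answer above, as an added example that is not part of the original answer or of Django. The names FailedLoginTracker, attempt_login, check_password and verify_captcha are hypothetical; in a Django project verify_captcha would be the same Google verification call already used for the contact form, and the decision would sit in the form of a view that extends auth_views.LoginView.

```python
import time
from collections import defaultdict, deque


class FailedLoginTracker:
    """Sliding-window count of failed logins per key (username or client IP)."""

    def __init__(self, max_failures=3, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _prune(self, key, now):
        # Drop failures that have aged out of the window.
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def record_failure(self, key, now):
        self._prune(key, now).append(now)

    def needs_captcha(self, key, now):
        return len(self._prune(key, now)) >= self.max_failures


def attempt_login(tracker, username, ip, password, captcha_token,
                  check_password, verify_captcha, now=None):
    """Return 'ok', 'bad_credentials' or 'captcha_required'."""
    now = time.time() if now is None else now
    # Track the account and the client address separately: the first catches
    # guessing against one user, the second catches one client trying many users.
    keys = ("user:" + username.lower(), "ip:" + ip)
    if any(tracker.needs_captcha(k, now) for k in keys):
        # Challenge before checking credentials, so a throttled client
        # learns nothing about the password until the captcha is solved.
        if not captcha_token or not verify_captcha(captcha_token, ip):
            return "captcha_required"
    if check_password(username, password):
        # Counters are deliberately not reset on success; they expire with
        # the window, so a valid login cannot be used to clear the IP counter.
        return "ok"
    for k in keys:
        tracker.record_failure(k, now)
    return "bad_credentials"
```

The in-memory dictionary only works for a single process; with several workers the counters would need shared storage such as the Django cache.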

Related

Wagtail PASSWORD_REQUIRED_TEMPLATE is not overriding the default login

I'm building a global login page for Wagtail. The setting for PASSWORD_REQUIRED_TEMPLATE isn't working. In fact, I can't find an example where it actually does work, which makes me think that I don't understand what it's supposed to do.
When I add PASSWORD_REQUIRED_TEMPLATE = 'utils/auth/password-required.html' to the settings file, it does not catch the login form and use my custom form.
Is this a known issue?
I think you've misunderstood what this is for. The PASSWORD_REQUIRED_TEMPLATE is used when someone tries to access a page that has been marked as private, and requires a password to view.
This is independent of whether or not the user is logged in, and is a different form entirely from the regular login form, which appears to be what you're trying to override.
If you want to change the frontend login form, then you need to set WAGTAIL_FRONTEND_LOGIN_TEMPLATE.
If you want to change the admin login form you need to override the wagtailadmin/login.html template.

Implementing Ajax requests / response with django-allauth

I am using django-allauth for one of my project. I would like to implement login/signup process via ajax. I would like to have customized signup form. I was going through their signupmixin and signup form. Sounds like I can write custom views for each action and map it to the url config. I am not sure what is the best way to do this.
Thank you so much for any help or advice on this.
It depends a bit on what you mean by ajax. If you just want to have a popup-style login/signup box on every page, then you can simply add the form to your base template and show it dynamically using JavaScript in a popup box or so. If you keep the form action url to the original allauth urls then this will already give the feel of an ajax signin. You could also tweak things by using $.ajax or $.post to post to the original allauth views.
Something like the above is done on http://officecheese.com/ -- this is an allauth based site, though I am not affiliated with it.
If by ajax you mean that all authentication related views should be displayed via ajax, without causing a new document reload, then I am afraid you are a little bit out of luck. This simply is problematic for scenarios where e-mail verification or OAuth handshakes are involved, as here you are typically navigating to a new URL from your mailbox, or redirecting to Twitter and so on.

django-registration login and register on one page

Is there a good way to have both the login and register forms for django-registration on one page? I've had trouble finding a way to do it now that the backend system is enforced. Is there a view that can be overwritten that would allow you to add both forms to it? Anyone done this before or can point to an article about this?
Edit: Just to clarify I have the whole django-registration and login system set up and working properly, I'd just like to get both forms on the same page. I do not have access to their views.
Just hard-code your login-form in the registration-html-template. It should work like a charm.
You can always override the default login and registration views/templates. You can take a look at this link and see if this was what you were thinking to do. Then, you can read the Django documentation for further information about making custom login and registration views and templates as well.

django : how to confirm registration without email verification

I want to confirm registration without email verification.
How can I configure it?
And, Where is the django-registration views?
Can I change the registration views?
Thank you.
You could use django-social-auth to make users register with their social account (which has been verified already). This would have the added bonus of being much quicker to sign up via.
You can see the registration views here. If you want to change them, copy the urls from django-registration's urls.py and put them into your own urls.py, then link them to a new views.py file and wrap the registration views with your own custom code.
Django-registration comes with a default backend as well as a simple backend.
The default backend takes care of the email verification / activation.
If you want to disable the email verification in django-registration, then you'd need to use the simple backend instead.
Add something like the following to your urls.py:
(r'^registration/', include('registration.backends.simple.urls')),
I would use janrain or gigya. I think janrain is better, it's just my opinion.
Anyway, what that would do is let people log in using facebook, gmail, twitter etc., like the django social auth... I'm just giving you other options :)

django-registration view customization

I'm using django-registration (see: https://bitbucket.org/ubernostrum/django-registration ) on one of my projects. The standard setup for django-registration is to add the code below in the urls.py file
(r'^accounts/', include('registration.urls'))
and also customize the templates in a folder called registration.
The code above is creating links to the registration, login and password recovery which is fine. But in my project there are some other functions I usually add to my views so if I just add the include('registration.urls') it appears that I have no way of customizing the views containing those django-registration forms.
Is there a way to call the forms used by django-registration in a view so I can add a few more things on those views?
The registration form is provided by the registration backend. Check out registration.backends.default.DefaultBackend.
There's a method get_form_class(request) that returns the registration.forms.RegistrationForm class. All you have to do is create a new backend, inherit from DefaultBackend and override the get_form_class() method to return a new form class.
You can pretty much do anything by providing a custom backend, except changing the base behavior of the registration app. If you need to radically customize the views in a manner that providing a custom backend doesn't make the cut, then just create an authn or users app and import any bits from django-registration you find useful. You can, say, keep the default models and managers within the registration app namespace, but hook up a custom backend to your own internals in a new app.