Django CSRF Protection with user-based get request - django

I have the following "profile" view in my django app:
#login_required
def user_profile(request):
current_user = request.user
student_profile = get_object_or_404(Student, student_user = current_user)
reviews = StudentReview.objects.filter(target_student = student_profile).reverse()
for stu_review in reviews:
stu_review.review_seen = True
stu_review.save()
context = {
'user': current_user,
'profile': student_profile,
'reviews': reviews,
'is_logged_in': request.user.is_authenticated,
}
return render(request, 'polls/profile.html', context)
I was wondering whether or not this code is vulnerable to a CSRF attack. Since profile information is sensitive, and since profile information is displayed based on a user's identity, I wasn't sure whether someone could attempt a CSRF attack to display another user's profile information, or whether Django's middleware would take care of that. I have a number of views that behave similarly, so I want to make sure that this information is not at risk.

GET requests are not protected by Django's CSRF middleware. A CSRF attack is a possibility, but it would not disclose any information.
The way a CSRF attack works is that an attacker tricks a user (the victim) into visiting a specific page. Since the page is visited by the victim, any action on the page may be authorised using the victim's login session, rather than the attacker's login session. But, since the victim visits the page, the response is also send to the victim. The attacker has no way of reading the response (unless other vulnerabilities allow that, e.g. XSS).
In this specific example, a CSRF attack would only be able to mark reviews targeted at the victim as seen, without the victim actually seeing them. You need to decide whether that is harmless or an actual problem.

Related

How to implement admin login and logout using Django REST framework?

I have been given a task to authenticate admin login programmatically and logout as well.
I am able to to do login but on logged out when I check which user I am logging out it says AnonymousUser. How can I make sure I log out current user which is logged it.
I am using Django REST framework and testing it on Postman.
#api_view(["POST"])
def adminLogin(request):
if(request.method=="POST"):
username = request.data["username"]
password = request.data["password"]
authenticated_user = authenticate(request,username=username, password=password)
if authenticated_user != None:
if(authenticated_user.is_authenticated and authenticated_user.is_superuser):
login(request,authenticated_user)
return JsonResponse({"Message":"User is Authenticated. "})
else:
return JsonResponse({"message":"User is not authenticated. "})
else:
return JsonResponse({"Message":"Either User is not registered or password does not match"})
#api_view(["POST"])
def adminLogout(request):
print(request.user)
logout(request)
return JsonResponse({"message":"LoggedOut"})
Logging in/logging out with a REST API makes not much sense. The idea of logging in/logging out, at least how Django implements it, is by means of the session, so with a cookie that has the session id.
API clients like Postman usually do not work with cookies: each request is made more or less independent of the previous one. If you thus make the next request without a reference to the session, then the view will not link a user to that request. Clients like AJAX that runs on the browser of course can work with cookies, since these are embedded in the browser that manages cookies. You can work with cookies in postman as specified in this tutorial [learning postman], but this is usually not how an API is supposed to work.
This is why APIs usually work with a token, for example a JWT token. When authenticating, these are given a token that might be valid for a short amount of time, and subsequently it uses that token to make any other request that should be authorized.
As the Django REST framework documentation on TokenAuthentication [drf-doc] says, you can define views that create, and revoke tokens. The page also discusses session authentication that thus can be used for AJAX requests.
But likely you are thus using the wrong means to do proper authentication for your REST API, and you thus might want to work with a token like a JWT token instead.

Django caches user object

Our websites sometimes has around 600 authenticated users trying to register for an event in a timeframe of 5 min. We have a VPS with 1 CPU and 1GB ram. On these moments the site slows down and gives a 502 error.
For that reason I'm using per-site cache with FileBasedCache. This works excellent and stress tests work fine.
But, when people login, they're redirect to their profile. This is the code:
class UserRedirectView(LoginRequiredMixin, RedirectView):
permanent = False
def get_redirect_url(self):
return reverse("users:detail", kwargs={"membership_number": self.request.user.membership_number})
the user is redirect to an url with their membership_number
class UserDetailView(LoginRequiredMixin, DetailView):
model = User
slug_field = "membership_number"
slug_url_kwarg = "membership_number"
Some users are reporting that they are redirected to someone else his/her profile after logging in.
How does this work? How to prevent user specific parts of the website to be cached? e.g. users also see a list of events that are specific to the groups they are in. In other words, every user should see a different list.
Any ideas? Best practices?
you should be able to vary cache on cookie so that logged in users (assuming cookie based auth) get another cache key.
from django.views.decorators.vary import vary_on_cookie
#vary_on_cookie
def my_view(request):
pass
https://docs.djangoproject.com/en/dev/topics/cache/#controlling-cache-using-other-headers
and
https://docs.djangoproject.com/en/dev/topics/cache/#using-vary-headers

Force Django User To Pick A Username After Verifying Their Email And Logging In For The First Time

I'm looking for ideas on the most elegant way to force a user to define a username immediately after they verify their email and log in for the first time. Alternatively, they click the verification email, are not logged in, and must enter a username first to be able to log in for the first time.
My requirements are that the username not be in the registration form, but instead be on its own template page immediately after the user logs in for the first time. Once they define a username, they would not see this page again.
I'm using class-based views so I think that rules out decorators.
I've researched:
User-level Permissions (can't view any page until you provide a username)
Using the is_active boolean (user is not considered active until they provide a username)
PermissionRequiredMixin (add to every class that a logged-in user could potentially see)
UserPassesTestMixin (add to every class that a logged-in user could potentially see)
AccessMixin (add to every class that a logged-in user could potentially see)
Add my own boolean field to my custom User model
In every view, check if username is null, if it is, redirect to username form page (doesn't seem like an elegant approach)
user_logged_in signal (couldn't someone still bypass the username form page)
Middleware somehow?
My Concern
User verifies email, logs in for the first time, lands on the username page. I want them to create a username on this page before being allowed to go on to any other page. I don't want them logging in, and potentially pasting a different URL in the address bar and side-stepping this step.
I'd like to avoid...
Adding validation to every single view that an authenticated user would have access to.
What I'm trying to do is similar to forcing someone to agree to a "Terms of Service" before continuing to use a website. I need them to choose a username.
Just hoping that someone experienced with this would lend some advice. I'd like to avoid a discussion of "why don't you just add the username field to the registration form". The answer is, it's not what I want.
I fully realize this question is broad and asking for suggestions, not code-specific. I usually ask detailed code-specific questions but this one, I just don't know the best way to approach. Sorry in advance.
The answer was definitely middleware. It basically looked like this. I made a new Python file named middleware.py in my app, made this class, then modified my settings.py MIDDLEWARE area to include this class.
from django.shortcuts import redirect, reverse
class SimpleMiddleware:
def __init__(self, get_response):
self.get_response = get_response
# One-time configuration and initialization.
def __call__(self, request):
# Code to be executed for each request before
# the view (and later middleware) are called.
response = self.get_response(request)
if request.user.is_authenticated:
if request.user.username is None:
print(request.path)
if not request.path == reverse('choose_username'):
return redirect(reverse('choose_username'))
return response

Django: any way to avoid querying for request.user on every request?

For my website pretty much every page has a header bar displaying "Welcome, ABC" where "ABC" is the username. That means request.user will be called for every single request resulting in database hits over and over again.
But once a user is logged in, I should be able to store his user instance in his cookie and encrypt it. That way I can avoid hitting the database repeatedly and just retrieve request.user from the cookie instead.
How would you modify Django to do this? Is there any Django plugins that does what I need?
Thanks
You want to use the session middleware, and you'll want to read the documentation. The session middleware supports multiple session engines. Ideally you'd use memcached or redis, but you could write your own session engine to store all the data in the user's cookie. Once you enable the middleware, it's available as part of the request object. You interact with request.session, which acts like a dict, making it easy to use. Here are a couple of examples from the docs:
This simplistic view sets a has_commented variable to True after a user posts a comment. It doesn’t let a user post a comment more than once:
def post_comment(request, new_comment):
if request.session.get('has_commented', False):
return HttpResponse("You've already commented.")
c = comments.Comment(comment=new_comment)
c.save()
request.session['has_commented'] = True
return HttpResponse('Thanks for your comment!')
This simplistic view logs in a "member" of the site:
def login(request):
m = Member.objects.get(username=request.POST['username'])
if m.password == request.POST['password']:
request.session['member_id'] = m.id
return HttpResponse("You're logged in.")
else:
return HttpResponse("Your username and password didn't match.")
This smells of over-optimisation. Getting a user from the db is a single hit per request, or possibly two if you use a Profile model as well. If your site is such that an extra two queries makes a big difference to performance, you may have bigger problems.
The user is attached to the request object using the Authentication Middleware provided by django (django.contrib.auth.middleware). It users a function the get_user function in django.contrib.auth.init to get the user from the backend you are using. You can easily change this function to look for the user in another location (e.g. cookie).
When a user is logged in, django puts the userid in the session (request.session[SESSION_KEY]=user.id). When a user logs off, it erases the user's id from the session. You can override these login and logoff functions to also store a user object in the browsers cookie / erase user object from cookie in the browser. Both of these functions are also in django.contrib.auth.init
See here for settting cookies: Django Cookies, how can I set them?
Once you have proper caching the number of database hits should be reduced significantly - then again I'm not really and expert on caching. I think it would be a bad idea to modify request.user to solve your problem. I think a better solution would be to create some utility, method or custom template tag that attempts to load your require user data from the cookie, and return the result. If the user data is not found in the cookie, then a call to request.user should be made, save the data to the cookie, and then return the result. You could possibly use a post_save signal to check for changes to the user data, so that you can make update to the cookie as required.

Django, restrict access to registration success page

This is something I've wondered about in a couple of frameworks that I've messed around with. Assuming I don't want to automatically log a user in when they register (I want them to activate) how can I make it so a user can't just visit the "register-success" page? Right now, here's what I have:
def register(request):
if request.method == 'POST':
rf = forms.RegisterForm(request.POST)#register form
pf = forms.ProfileForm(request.POST)#profile form (additional info)
lf = forms.LoginForm()#login form is also on this page but is empty when registering
if rf.is_valid() and pf.is_valid():
newuser = User(username=rf.cleaned_data['username'],email=rf.cleaned_data['email'])
newuser.set_password(rf.cleaned_data['password'])
newuser.save()
#need to mark newuser as inactive still
profile = pf.save(commit=False)
profile.user = newuser
profile.save()
return HttpResponseRedirect("/register-success/")
return render_to_response("authentication/index.html", {'rform': rf, 'pform':pf,'lform':lf})
return main(request)
def register_success(request):
return render_to_response("authentication/register-success.html")
My url-conf:
(r'^register-success/$','register_success'),
The other way I thought to do it was to just render_to_response("authentication/register-success.html") and not do the redirect. The benefit is, no one can access the register-success.html page, the downside is if the user refreshes the page it will try and resubmit the POST. What's the best practice?
I would stick with the redirect, getting duplicate users is a fairly large risk. What is the risk of someone seeing your register success page who hasn't registered? If there is a risk, you could always generate a random token, put it in session and pass it to your register-success page and then in your view check that the token matches. But that seems like a lot of work for what typical success pages are.
My recommendation would be to not worry about people being able to get to that page without registering. If it is just static HTML, there can't be any risk with showing to to everybody, right?
You can set the cookie, a session key in register view that you can check for in the register_success view only on its presence render the page, else redirect to main register.