I would like to create a centralized user access check (token authentication for iOS / android devices) for all the APIs and return the response as JSON, if the user failed in access check. I tried _custom_access method in routing.yml and created a function in a controller to check the user permission and returned the response as "AccessResult::allowedIf(false)", when the user fails in access check. But, the "AccessResult::allowedIf(false)" returns the HTML page instead of JSON response.
Please advice if there is any best way to implement this feature in Drupal 8 code.
Thanks,
try by adding format=json to the query string of the url
Related
I have a social media-type web app and want to have some read-only access even when a user isn't logged in. For example, if the user votes on a poll, I want nothing to happen but the user should still be able to see it. I am using token authorization. I'm wondering, should I do a check on the front-end somehow to see if a user is logged in (perhaps checking for the existence of a token in local storage) and not perform a fetch if they're not? Or should I somehow, in the frontend, handle receiving a 401 response from the backend for trying to access a protected resource? Or should I handle it on the back end and send back a 200 response and let the front end handle receiving a different version of a 200 response?
I'm using Django and React
Question has tag django-rest-framework so I suppose you are using it.
Take a look at DRF permissions documentation. There is IsAuthenticatedOrReadOnly permission which allows read-only access for unauthenticated users (list, retrieve actions), but only allows create, update, delete to authenticated users.
I'm wondering if it's possible to set up secure login authentication in a Chrome extension without OAuth2. I'm considering setting it up as follows:
On opening the extension, send a POST to server which returns the CSRF token
JavaScript inserts the token into the usual login form (as in Django template)
[steps 1 and 2 replace the usual Django template rendering]
User provides username and password and submits the form
Success/Fail JSON response is returned and handled appropriately
CSRF token is stored as a cookie (or in browser storage that Chrome extensions use) to enable automated login until it expires
Would be great to hear possible problems/corrections to this approach as well as pointers to relevant resources!
== UPDATE ==
It seems like chrome.identity.launchWebAuthFlow is the way to go. I found resources that explain how to implement it client-side but they all say nothing about how to authenticate server-side for non-Google accounts:
"The provider will perform authentication" - how?
"Validation of the returned access token isn't shown here"
It seems that the last missing ingredient is to write code that validates a URL such as:
https://www.my-app.com/dialog/oauth?client_id=123456789012345&
redirect_uri=https://abcdefghijklmnopqrstuvwxyzabcdef.chromiumapp.org/provider_cb&response_type=token&scope=user_photos
That will surely be done by another Chrome Identity API call from my application's server. I looked through a large number of resources (and related stack overflow questions) and they provide no clear answer. Thanks!
I understand that Flask JWT gives us the /auth endpoint. Once a user successfully logs in, an access token is assigned and the logged in user can be stored in Flask JWT's current_identity. What I'm wondering is can I also return the User Json back to my client in the same /auth endpoint? Or does it have to be a separate request?
This is for a mobile rest-api, using Flask-Restful. Right now, I have a user log in. The login route (/auth) returns the access token to the client, and then I use the token to get the User Json in a separate request, but I feel like I should be able to condense this into the same request.
Any tips are appreciated :)
IDEA:
Can I create an auth resource via flask-restful and specify exactly what I want it to return? (the token for the server and the user json to the client?)
Flask-JWT has been abandoned for quiet a while now. I would suggest checking out Flask-JWT-Extended instead as an alternative that is still actively maintained (full disclosure, I'm the author of that extension).
In Flask-JWT-Extended you create your own endpoint instead of having the extension create one for you, so you can return whatever data you want there. Here is an example of this in action: http://flask-jwt-extended.readthedocs.io/en/latest/basic_usage.html
We are having a facebook App we have detected some abusive users so we want to stop them from logging into our app, Any thoughts? There are examples given but Fb docs say those api's are deprecated now
You could just detect them on your own and set a flag in your database. They will still be able to use Facebook Login, but they will not be able to do anything in your App if they are flagged.
Either way, i did some Google research and found out that it may be possible with a simple POST (or DELETE) request to the /app-id/banned endpoint:
BAN
https://graph.facebook.com/{app-id}/banned
POST parameters:
access_token (A simple App Access Token)
uid (comma separated list of user IDs)
UNBAN
https://graph.facebook.com/{app-id}/banned/{user-id}
DELETE request, only access_token as parameter
It is not really documented though, but easy to test.
I am starting to write the Asana API using Embarcadero EX6 that is using the built in REST Client. I have my RESTClient, SimpleAuthenticator, RESTRequest and RESTResponse controls in place so there isn't any code to show since it’s all done within those controls. I am not getting a “Not Authorized” return error so I think the API key and authorization is setup correctly. However I am getting the following response back when I run a query for users. The RESTRequest is using POST.
{"errors":[{"message":"Empty field name"}]}
Any ideas?
POST is (generally) for creating, so you need to specify the fields of the resource you want to create. In this case to retrieve users you want to use a GET.