I am using EmberJS along with ember-simple-auth and ember-data to authenticate and retrieve data from my API. One of my models contains properties that point to image URLs. I'd like to display these images in my app. I can do this using
<img class="thumbnail" src="{{user.thumbnail}}" />
The problem is that the images are protected and need an "Authorization" header to be set without which the API returns a 401. I thought about adding the token to the URL as a query parameter and modifying the API to accept it but it seems like a bad idea because the auth tokens will be present in the logs. Is there an EmberJS way of retrieving an image from a secured API?
EDIT based on your comment:
This is a server side solution so it would leave your ember code the way it is.
The approach is to never send the actual token with the images but use the token on the server to generate session specific image urls.
This way you never expose the absolute paths to your images but rather create relative urls that resolve to the absolute ones. You can use the session token as a key to an encryption algorithm like md5 and create the relative urls which would hide the sensitive information (such as the token) from the client, thus you would never send the token as the query parameter.
Note that this does mean that if the user is logged in and shares those image links, the images would be visible to anybody using the link until the user logs out (and his session is destroyed).
Previous suggestion
You could make a small component that does this for you where you pass in the url and either also pass the token or get it through an auth service. Then you use a computed property to combine the two. Here's a rough example:
// components/auth-img.js
export default Ember.Component.extend({
// passed in
class: '',
url: '',
token: '',
// local
tagName: 'img',
classNameBindings: ['class'],
attributeBindings: ['src'],
src: Ember.computed('url', 'token', function() {
let { url, token } = this.getProperties('url', 'token');
// combine your url and token and return
return // ...
})
});
And usage:
{{auth-img class="thumbnail" url=user.thumbnail}}
Related
I am using PayPal standard IPN payment solution in client side in my Django web app.
<body>
<!-- Set up a container element for the button -->
<div id="paypal-button-container"></div>
<!-- Include the PayPal JavaScript SDK -->
<script src="https://www.paypal.com/sdk/js?client-id=test¤cy=USD"></script>
<script>
// Render the PayPal button into #paypal-button-container
paypal.Buttons({
// Set up the transaction
createOrder: function(data, actions) {
return actions.order.create({
purchase_units: [{
amount: {
value: '88.44'
}
}]
});
},
// Finalize the transaction
onApprove: function(data, actions) {
return actions.order.capture().then(function(orderData) {
// Successful capture! For demo purposes:
console.log('Capture result', orderData, JSON.stringify(orderData, null, 2));
});
}
}).render('#paypal-button-container');
</script>
</body>
everything works fine and I can access all the data through the details variable in the js code.
Now, i need to insert the details into django db, no api, simple model.
Tried many things, none worked.
I prefer not to use django-paypal because it doesn't have smart buttons (as far as i saw) and there is only option for "buy now button" and no credit / debit card.
how can it be done? or is there smart buttons for django-paypal package?
Thanks for the help!
How to get PayPal client-side info to Django?
Don't.
An integration that creates and captures payments with client-side JS functions is for very simple use cases. It should never be used if you need to do anything automated with the result, such as writing transaction results to a database.
Instead, API-based integrations exist for precisely this use case. Use the v2/checkout/orders API and make two routes (url paths) on your server, one for 'Create Order' and one for 'Capture Order'. You could use the Checkout-PHP-SDK for the routes' API calls to PayPal, or your own HTTPS implementation of first getting an access token and then doing the call. Both of these routes should return/output only JSON data (no HTML or text). Inside the 2nd route, when the capture API is successful you should verify the amount was correct and store its resulting payment details in your database (particularly purchase_units[0].payments.captures[0].id, which is the PayPal transaction ID) and perform any necessary business logic (such as reserving product or sending an email) immediately before forwarding return JSON to the frontend caller. In the event of an error forward the JSON details of it as well, since the frontend must handle such cases.
Pair those 2 routes with this frontend approval flow: https://developer.paypal.com/demo/checkout/#/pattern/server . (If you need to send any additional data from the client to the server, such as an items array or selected options, add a body parameter to the fetch with a value that is a JSON string or object)
I regularly use Tabulator's setData() method. I usually set parameters in the URL args, and have no problems with it. But I now have a complex use case that will be easier to solve if I can put a JSON payload into the request.
I've followed the Tabulator documentation for an advanced configuration.
I've made a series of attempts (putting the JSON in various places, using quotes/double quotes in the JSON, etc) at trying to work out the problem. The Flask server always returns this error:
Failed to decode JSON object: Expecting value: line 1 column 1 (char 0)
What makes me suspect the problem is with Tabulator, not Flask, is because I printed request.__dict__ and couldn't find the JSON in the request. (I.e. that seems to the reason for the error.)
The below example, which triggers the same error, is taken from the Fetch documentation (Tabulator uses the Fetch API).
Is there anything wrong with the below or should I be looking harder at Flask?
const data = { username: 'example' };
var ajaxURL = "/data/results";
var ajaxConfig = {
method:"POST",
headers: {
'Content-Type': 'application/json',
'X-CSRFToken': csrf_token,
},
body: JSON.stringify(data)
};
ResultsTable.setData( ajaxURL, {}, ajaxConfig);
Notes:
I'm using the latest version of Tabulator (4.9).
ResultsTable is set elsewhere in the code and is successfully loading default data when the page loads. The use case kicks in when the user sets their own parameters for the data.
The CSRF token, which is set elsewhere in the code, is there because Flask requires it.
The reason that is failing is that Tabulator will build out its own request body when it builds a request and that will override your config.
In your usage case, you will need to override the build in ajax request promise and add your own function that makes the ajax request and then resolves the data.
You can do this using the ajaxRequestFunc.
Checkout the Ajax Request Documentation for full details
I want to pass info to React about the current authenticated user within an app that only uses social authentication on the backend (that is processed by social_django). All of my user and user token info is stored within django REST, and to access the tokens, I normally have to send POST requests to rest_framework.authtoken's obtain_auth_token view. My django root urls.py file looks like:
...
from rest_framework.authtoken.views import obtain_auth_token
urlpatterns = [
...
url(r'^obtain-auth-token/$', obtain_auth_token),
...
]
However, in order to actually get the auth tokens associated with the users in my database, I need to supply the username and password within my POST request. Social authentication automatically creates new users without assigning any passwords, so how do I get those tokens?
Have you got this working? If no, here is what I did. Hope it helps.
My Setup:
Django with Postgres
Django Rest Framework for REST API implementation
Python Social Auth (PSA) for Social Authentication (For now using Google+ libraries)
Reactjs frontend
While using Login for login, it translates to /login/google-plus/. This not only get's the acess_token but also creates a "social user" in your database. I used oauth 2.0 client side libraries in my case and roughly followed this approach to fetch the google user object with all the details on the client side. I replaced form in above link with ajax call which is more flexible and gives control to me to access tokens and other information necessary. The ajax call here ensures creation of social user in social auth table within the database.
<script type="text/javascript">
gapi.load('auth2', function () {
let auth2;
auth2 = gapi.auth2.init({
client_id: "YOUR CLIENT ID",
scope: "profile",
cookie_policy: 'single_host_origin'
});
auth2.then(function () {
let button = document.getElementById("google-plus-button");
auth2.attachClickHandler(button, {}, function (googleUser) {
// Send access-token to backend to finish the authenticate
// with your application
let authResponse = googleUser.getAuthResponse();
$.ajax({
"type": "POST",
"url": "/complete/google-plus/",
"data": {
"access_token": authResponse.access_token,
"CSRF": "{% csrf_token %}"
}
}).then(function(data){
console.log(data);
// Your success code
}).fail(function(error){
console.log(error);
});
});
});
});
</script>
Once you fetch the access_tokens you can store them in browser local storage till the user logs out. On log out you can delete them.
This method works well for me for the setup I mentioned. Also the problem of querying /obtain-auth-token with username and password is not there at all.
Would definitely be interested to know if there are other ways of accessing social auth tokens from PSA django. Cheers!
So I am working on a Grails/Flex toy project. I have a controller(LoginController) that I am using to perform backend authentication on my Flex app. However, I have been unable to "find" my controller. What I mean by that is I get a HTTP Status 404 error when trying to access
http://localhost:8080/OrlandoGrails/LoginController/login.json
Here is my sad, sad little controller as it is in its proof-of-concept state.
package orlandograils
class LoginController {
static allowedMethods = [login: "POST", login: "GET"]
def login(String username, String password )
{
return "Hello"
}
}
I've seen the documentation concerning RESTful services, but they always seem to concern a domain object which I don't have. In any case, I have also added this to my UrlMappings.groovy file
"/LoginController/login.json"(resource:"LoginController")
Any help on what I'm doing horribly wrong would be greatly appreciated. Also, is there a way to list Grails routes like one can with RoR or Symfony2?
Also, while the bulk of my services will be over the amf channels, my authentication is occurring over http.
It isn't entirely clear what you are trying to accomplish but one problem with your sample is that in your URL mapping you are specifying the name of a controller as your resource, which doesn't make sense. That could be a domain class, but not a controller.
If all you want to do is map a url to particular action in the controller you can do something like this in UrlMappings.groovy...
"/LoginController/login.json"(controller: 'login', action: 'login')
Normally you wouldn't have "Controller" in the url so something like this would be more common...
"/login/login.json"(controller: 'login', action: 'login')
From the little code snippet it also isn't clear what role you want JSON to play. Maybe you just want something like this...
"/login"(controller: 'login', action: 'login')
If you can further describe what you are trying to accomplish I can clarify.
In regards to getting a listing of routes (e.g. URL Mappings) you can run grails url-mappings-report
Also note to modify url-mapping to look like:
"/LoginController/login.json"(controller: "login", action: "login")
If resource is used then default action methods has to be show, create, update and delete
//Using resource: would look for a show() action method for a GET
//request which you don't have in your case. And, note name of controller used
//is login instead of LoginController
"/LoginController/login.json"(resource: "login")
As far as the 404 is concerned it's looking for a corresponding view called "hello.gsp" If you want to render text then use:
render text: 'hello'
The original post includes this:
package orlandograils
class LoginController {
static allowedMethods = [login: "POST", login: "GET"]
def login(String username, String password )
{
return "Hello"
}
}
The allowedMethods property there is bogus. Keys in a Map have to be unique. That code attempts to put the key login in the Map twice. If the intent is to say that the login method may be accessed via POST or GET then this makes sense...
static allowedMethods = [login: ['POST', 'GET']]
The code as written is valid, but it doesn't do what it was probably intended to do. That Map will evaluate to only have 1 value associated with the login key. That doesn't have anything to do with Grails, that is just standard Map behavior.
$ groovysh
Groovy Shell (2.1.9, JVM: 1.7.0_45)
Type 'help' or '\h' for help.
-------------------------------------------------------------------------------
groovy:000> [login: 'GET', login: 'POST']
===> {login=POST}
groovy:000>
Notice that the expression evaluates to a Map with the value "POST" associated with the login key.
I have both a Django app and a Angular JS app hosted at different end-points. Obviously in order for XHR requests to work I need to set the csrf token within Angular, which is easy enough to do when Angular is served by Django, but not so much when independent.
Here is my code so far:
angular.module('App', [
'ngCookies',
])
.run(['$rootScope', '$http', '$cookies',
function($rootScope, $http, $cookies){
// Set the CSRF header token to match Django
$http.defaults.headers.post['X-CSRFToken'] = $cookies['csrftoken'];
// Bootstrap
$http.get('http://127.0.0.1:8000/test/').success(function(resp){
console.log($cookies['csrftoken']);
});
}
])
It seems that $cookies['csrftoken'] is always undefined, and I assume I have to retrieve this somehow but can't find any resources as to how this process works.
Can anyone point me in the right direction?
Cookies are only accessible on the same origin, so accessing from another domain won't share the CSRF Token through cookies, you're going to have to find another way to introduce the cookie (such as with Django's template tag).
Second, your example looks likes its trying to read a Cookie from the $http.get() call. The $cookie service collects Cookies from when the document is loaded (stored document.cookie) and the resulting cookies are not accessible from Ajax/XHR calls cross-domain.
You can use this:
app = angular.module("App", []);
app.run(function($http) {
$http.defaults.headers.post['X-CSRFToken'] = $.cookie('csrftoken');
});
where $.cookie comes from jQuery Cookie plugin.