Siege - How to test views that require login? - django

I am trying to use Siege to do stress testing on my django application. For static pages (e.g. landing page) it works just fine. However, 99% of the pages I want to test require that I be logged in.
How can I get Siege to login and test django views? The login page uses the Django Login form and view.

If it is possible to test as a single logged-in user, you can pass the session cookie as a Cookie header: -H "Cookie: cookieValue". For more complicated scenarios it is better to use Apache JMeter.

For basic HTTP authentication, adding login=SomeUsername:somepassword to the siege.conf directives worked for me. It may be possible to use this for other login schemes too.
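One way to obtain the session cookie that the first answer says to pass with -H, added here as an example and not code from either answer: log in through Django's login view with the standard library, then build the Siege command. It assumes Django's default cookie names (csrftoken, sessionid) and a login view at /accounts/login/; the host, account and URL are placeholders.

```python
import http.cookiejar
import shlex
import urllib.parse
import urllib.request

# Assumed Django defaults: cookie names csrftoken / sessionid, LoginView at /accounts/login/.
LOGIN_PATH = "/accounts/login/"


def cookie_header(cookies):
    """Build the single value Siege takes after -H from a {name: value} dict."""
    return "Cookie: " + "; ".join(f"{k}={v}" for k, v in sorted(cookies.items()))


def django_login(base_url, username, password):
    """Log in through Django's LoginView and return the cookies the server set.

    Django's CSRF check wants the csrftoken cookie, a matching csrfmiddlewaretoken
    field and (over HTTPS) a Referer, so the form is fetched once before posting."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login_url = urllib.parse.urljoin(base_url, LOGIN_PATH)
    opener.open(login_url).read()                      # GET sets csrftoken
    csrftoken = next(c.value for c in jar if c.name == "csrftoken")
    body = urllib.parse.urlencode({
        "username": username,
        "password": password,
        "csrfmiddlewaretoken": csrftoken,
    }).encode()
    req = urllib.request.Request(login_url, data=body, headers={"Referer": login_url})
    opener.open(req).read()                            # success is a 302, followed here
    cookies = {c.name: c.value for c in jar}
    if "sessionid" not in cookies:
        raise RuntimeError("login failed: server set no sessionid cookie")
    return cookies


def siege_command(cookies, url, concurrency=10, reps=20):
    """Siege invocation replaying the session; quoting keeps the spaces and
    semicolons of the Cookie header intact."""
    return (f"siege -c{concurrency} -r{reps} "
            f"-H {shlex.quote(cookie_header(cookies))} {shlex.quote(url)}")


if __name__ == "__main__":
    # Use a throw-away test account: whoever holds this cookie is that user.
    session = django_login("http://localhost:8000", "loadtest", "loadtest-password")
    print(siege_command(session, "http://localhost:8000/dashboard/"))
```

Treat the printed command like a password: the cookie is that account's whole session, so run it against a test deployment and log the account out afterwards to invalidate it.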

Related

Django REST + Vue JS app authentication breaks when uploading?

I am developing a simple app using Django REST framework for the backend and a Vue multi-page app as a front end. I use axios to make requests to Django from the JavaScript.
Locally, everything works well. All the pages work and login functionality works fine. For authentication, I am using Django's built in authentication and a store in Vuex.
However, once I started to deploy, it seems to break. To deploy, I initially decided to use ngrok to create an https tunnel to the backend. My frontend is still on localhost, but as soon as I change the URL to use the new API, the login functionality stops working. The rest of the site (which does not require login) works fine, but the bits that do just don't work. When I click the login button, Vue tries to redirect me to the logged-in 'dashboard' page, but then it identifies that I am not logged in and kicks me out.
The actual login process works and the server responds that I am logged in, but when the site checks again it responds that I am not logged in. There are no errors at any point.
I am happy to share any code that may help identify my issues, but I am not sure what to share at this point since I am not getting any errors!

Google authentication and iframes

Background
I have an existing Python-based Google AppEngine app with a few pages for which login:required is set in app.yaml.
I'd like to be able to put this app in an iframe. However, whenever the user navigates to a page that requires login and the user is redirected to the Google login page, the iframe goes blank as the login page sets the x-frame-options:DENY header option.
Questions
Is there a way to make the Google authentication use a pop-up (like Facebook's and Twitter's authentication schemes do)?
Alternatively, is it possible to catch the login-required event and redirect to another page that I supply, which does some iframe breakout and then redirects to the real login page?
auth_fail_action does not support a custom redirect URL, is there another way?
The only other solution I can think of is not to use login: required, but to reimplement the same logic in each view (or in a decorator). However, as this is rather clumsy and requires lots of rewriting I'd rather not go this route.
Thanks in advance,
Egil
Unfortunately, no.
Depending on your specific needs, you could make a passthrough URL on your app that handles the login: required portion before loading the page that iframes your app.
Something akin to this:
app.yaml:

    handlers:
    - url: /login-check
      script: main.app
      login: required

main.py:

    import webapp2

    class LoginCheckHandler(webapp2.RequestHandler):
        def get(self):
            # If they get here, they have been authorized via google's login page
            webapp2.redirect(self.request.get('redirect_url'), abort=True)

    app = webapp2.WSGIApplication([
        ('/login-check', LoginCheckHandler),
    ], debug=True)
Now you can load your main page via $APPENGINE_HOST/login-check?redirect_url=$REAL_PAGE_URL and it will ensure the user is logged in first and then redirect them to $REAL_PAGE_URL which can now iframe your app engine page.
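The handler in that answer redirects to whatever redirect_url it receives, which is an open redirect: a crafted link can send a freshly logged-in user to a foreign site. The allow-list check below is an added example, not part of the answer or of webapp2; the host names are placeholders you would replace with your own.

```python
from urllib.parse import urlparse

# Assumed: the App Engine host names allowed to receive the post-login redirect.
ALLOWED_HOSTS = {"myapp.appspot.com", "www.example.com"}  # placeholder names


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return candidate if it stays on an allowed host, otherwise fallback.

    Covers the usual bypasses: foreign absolute URLs, scheme-relative //host
    URLs, backslash variants such as /\\host that browsers treat like //host,
    and non-HTTP schemes such as javascript:."""
    if not candidate:
        return fallback
    parsed = urlparse(candidate)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return fallback
    if parsed.netloc:
        # Compare the whole netloc so user@host and host:port tricks do not slip through.
        return candidate if parsed.netloc.lower() in allowed_hosts else fallback
    # No host part: accept only an absolute path on this origin.
    if not candidate.startswith("/") or candidate[1:2] in ("/", "\\"):
        return fallback
    return candidate


# In the webapp2 handler from the answer, get() would then read:
#     target = safe_redirect_target(self.request.get('redirect_url'))
#     webapp2.redirect(target, abort=True)
```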

Invite Only app for Django Auth

I'm working on a Django web app and want to restrict signup to my site. For that I want to use an invite-only app. I could find a couple of apps built on top of Django registration, but I'm using Django Auth. Is there any app which I can use with a Django app to get the same functionality?
General idea:
First, you can check out the code I have written, which works fine for me.
Take a look at the example included in the application; you will learn how to write your own pipeline. This pipeline can be redirected to any view you would like. From there you can save an invitation_key in your session and, if that key is valid, continue with the built-in create_user pipeline.
I have used this application for invitations, which produces and validates invitation keys.
Implementation
It took me quite a day to figure it out.
This is an invite app built on allauth which restricts signup to invite only:
https://pypi.python.org/pypi/django-invitations/0.12

Django: Login from page outside django

Maybe it's a stupid question, but I'm trying to login to my django app using a form that is outside django. My guess is that I could send a POST request to /login, but that would fail because of the csrf token.
Maybe I'm missing some kind of theoretical background, but I would like to know what's the correct way to achieve this.
Background info:
The Django authentication is working fine IF you use the Django login forms. What I'd like to do is to use an external static HTML form (on an Apache outside Django) to post to Django directly, so when I redirect to my Django server, I don't have to log in.
CSRF exists to prevent exactly this. Although you no doubt have good intentions, there's no technical difference between this and a hacker trying to steal access to your site via a real CSRF attack.
Sounds like you need a single sign-on service like CAS: http://code.google.com/p/django-cas/
(but it's possibly overkill)

Django Admin - Re-authentication?

I'm in a bit of a dilemma at the moment regarding Django's admin backend. The default authentication system allows already logged-in users that have staff privileges to access the admin site, however it just lets them straight in.
This doesn't feel "right" to me, and I'm wondering if it would be difficult to at least require a re-authentication of that same session in order to get into the backend.
Preferably though, it'd be good if the frontend sessions could be separated from the backend ones (though still using the same user objects), this would allow a clean separation of both parts of the site. Would this perhaps require two separate authentication backends? Would something like this be difficult to achieve?
Here's an idea: run the admin app on a different domain to the frontend. The cookies won't be valid in the other domain, so the user will have to log in again. All you'd need would be a separate Apache vhost and a basic settings.py that just has contrib.admin in INSTALLED_APPS.
You could probably implement a middleware that asks for authentication when accessing the admin site from a referer not in the admin site. It could log the person out and make them log back in, but even that wouldn't be necessary. Just require another password entry, and redirect them if it fails. It might involve setting a session variable, is_admin_authenticated or something.
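The middleware the last answer sketches, written out as an added example (not code from the answer or from Django): a session stamp rather than a bare boolean so the extra password check expires, and a redirect to a separate re-auth view that is assumed to exist at /admin-reauth/. The Redirect class stands in for django.http.HttpResponseRedirect so the module runs without Django.

```python
import time
from types import SimpleNamespace
from urllib.parse import quote

ADMIN_PREFIX = "/admin/"
REAUTH_PATH = "/admin-reauth/"   # assumed: a small view that re-checks the password
REAUTH_MAX_AGE = 15 * 60         # seconds a confirmed password stays good for
SESSION_KEY = "admin_reauth_at"  # a timestamp, not a boolean, so it can expire


def needs_admin_reauth(path, session, now):
    """True when the request targets the admin and the session holds no fresh
    re-authentication stamp. Logging out flushes the session, so the stamp
    never outlives the login it confirmed."""
    if not path.startswith(ADMIN_PREFIX):
        return False
    stamp = session.get(SESSION_KEY)
    return stamp is None or now - stamp > REAUTH_MAX_AGE


def mark_admin_reauthenticated(session, now):
    """Call from the re-auth view once request.user.check_password() succeeds."""
    session[SESSION_KEY] = now


class Redirect:
    """Stand-in for django.http.HttpResponseRedirect (no Django import needed)."""
    status_code = 302

    def __init__(self, url):
        self.url = url


class AdminReauthMiddleware:
    """Django-style middleware; list it after AuthenticationMiddleware."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if needs_admin_reauth(request.path, request.session, time.time()):
            # Bounce to the password prompt, then come back to the page asked for.
            return Redirect(f"{REAUTH_PATH}?next={quote(request.path, safe='')}")
        return self.get_response(request)


def demo():
    """Constructed request objects standing in for Django's HttpRequest."""
    mw = AdminReauthMiddleware(lambda request: "admin page")
    first = mw(SimpleNamespace(path="/admin/auth/user/", session={}))
    session = {}
    mark_admin_reauthenticated(session, time.time())
    second = mw(SimpleNamespace(path="/admin/auth/user/", session=session))
    return first.url, second
```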