Google authentication and iframes - python-2.7

Background
I have an existing Python-based Google AppEngine app with a few pages for which login:required is set in app.yaml.
I'd like to be able to put this app in an iframe. However, whenever the user navigates to a page that requires login and the user is redirected to the Google login page, the iframe goes blank as the login page sets the x-frame-options:DENY header option.
Questions
Is there a way to make the Google authentication use a pop-up (like FaceBooks and Twitters authentication schemes does?)?
ALternatively, is it possible to catch the login required event, and redirect to another page that I supply, that does some iframe breakout and then redirects to the real login page?
auth_fail_action does not support a custom redirect URL, is there another way?
The only other solution I can think of is not to use login: required, but to reimplement the same logic in each view (or in a decorator). However, as this is rather clumsy and requires lots of rewriting I'd rather not go this route.
Thanks in advance,
Egil

Unfortunately No.
Depending on your specific needs, you could make a passthrough URL on your app that handles the login: required portion before loading the page that iframes your app.
Something akin to this:
app.yaml
handlers:
- url: /login-check
script: main.app
login: required
main.py
import webapp2
class LoginCheckHandler(webapp2.RequestHandler):
def get(self):
# If they get here, they have been authorized via google's login page
webapp2.redirect(self.request.get('redirect_url'), abort=True)
app = webapp2.WSGIApplication([
('/login-check', LoginCheckHandler),
], debug=True)
Now you can load your main page via $APPENGINE_HOST/login-check?redirect_url=$REAL_PAGE_URL and it will ensure the user is logged in first and then redirect them to $REAL_PAGE_URL which can now iframe your app engine page.

Related

How to return a 404 for just Django allauth signup page?

I am rather new to Django and all of the work I have done so far has been with models/views/viewsets.. The site I am working on incorporates Django allauth for authentication. I have successfully edited/styled the login/logout templates, but the page will be accessed by people who are given credentials created in the admin section rather than signing up on their own- so the sign up page is unnecessary. I'd like to just show a 404 page anytime someone lands on the signup page. I have already removed all the links to the signup page from the other templates.
In short- how do I just redirect someone to the Django default page_not_found when they hit /accounts/signup/?
My attempts so far have revolved around editing the URLs.py file to include something like path('account_signup', page_not_found) (after importing it at the top), or some other manipulation of that line. I'm probably missing something really easy, as I have been getting a little frustrated... And I haven't found any stack overflows where someone was desiring a 404 when a user navigated to one of the allauth account pages.
In order to server 404 pages automatically for not found url, create a 404 view and then in main projects urls.py have below code
Read the Official docs
handler404 = 'mysite.views.my_custom_page_not_found_view'
For redirecting use Redirect View in django docs
from django.views.generic.base import RedirectView
url('/accounts/signup/', RedirectView.as_view(url='/', permanent=False),name='index')
Note their is 404 page for developers builts in django, but once you turn debug=False in settings for production apps,it is not visible,
You can simply not use the signup page in your urls.
On the other hand, it is bad practice to use createsuperuser to create users, since by default they will have enough privileges, even to log in to admin and edit things. The right thing to do is to create a user with some method you want, and with the permissions you give them.
This last one will allow you to use a decorator in your signup view that only allows access to that page in case you have an account with a particular privilege, and not any user. There is no point in returning a 404.

Django inserts wrong domain to activation email, facebook auth and filebrowser

I've set up a Django project on a nginx server. But..
Django detects request.get_host() in signup and activation views as localhost and sends email (for activation and password reset) with links like http://localhost/....
I've set up Facebook authorization via social-auth-app-django. But Facebook tries to open redirect_uri in localhost
(...redirect_uri=http:localhost/oauth/complete/facebook...)
Inside django admin TinyMCE editor Filebrowser also refers to localhost..
How to fix these problems? Or it seems one solution can fix all of them.
Thank you for your time and help.
Did you tried changing your Site.domain and Site.name in admin panel or via shell? from django.contrib.sites.models import Site
https://docs.djangoproject.com/en/2.1/ref/contrib/sites/
It's used in many cases such as emails by default.

How to redirect from the Django login page to a single page application?

I am building a SPA React application that is served by a single Django view at /. I am using Django's admin page for login.
If an unlogged in user navigates to /#/accounts/ the Django admin page will correctly them redirect to http://localhost:8000/admin/login/?next=/#/accounts/pp01/ for login. Once they log in, they get redirected to my Django view that is configured at the / url path.
The #/account/pp01 part of the redirect gets lost and the user gets redirected to the wrong part of my single page application (http://localhost:8000/#/). Does anyone know how to get this to work?
I don't understand why Django is cutting off the # part of the URL. Any insight would be appreciated. Thanks!
You need to encode the redirect path. As it is, your browser is thinking that it should go to '#/accounts/pp01/' on the path '/admin/login?next=/', rather than the hash being part of the redirect path itself.
You can use urllib.request.quote to quote the path.

Siege - How to test views that require login?

I am trying to use Siege to do stress testing on my django application. For static pages (e.g. landing page) it works just fine. However, 99% of the pages I want to test require that I be logged in.
How can I get Siege to login and test django views? The login page uses the Django Login form and view.
If it possible to test as one user logined in you can pass session cookie as Cookie header -H "Cookie: cookieValue". For more complicated scenario better to Apache Jmeter.
For basic HTTP authentication form, adding login=SomeUsername:somepassword to siege.conf directives worked for me. May be possible to use for other login schemes.

Django. Intermediate page after authentication

    I wrote middleware that process requests from admin log in page. How can I redirect user after authentication to some intermediate page with some 'Continue' button and this button will redirect me to page which should be showed in standard scenario.
    I set my middleware after AuthenticationMiddleware in settings list. Despite of this if I set some return statement in my middleware, user authentication process fails.
    I need this to show some additional info about authentication results on some Atlassian services. Don't want to do it via JavaScript so decided to implement intermediate page functionality.
Instead of using a middleware, create a template with that auth information and use the function render_to_response at the end of your login view to render that template. You can add variables to this function to give extra information.
Example:
return render_to_response('my_template.html',
my_data_dictionary,
context_instance=RequestContext(request))