I'm using DotNetOpenAuth to authenticate Facebook user and been able to get the return url of the user's profile image (in url).
Saved the url to database by the same url show up as in-accessible after 24 hrs. Is the photo expired? or how to overcome this?
Here's the sample url
https://fbcdn-profile-a.akamaihd.net/hprofile-ak-xap1/v/t1.0-1/p200x200/1560479_777973942267247_7573717326473478230_n.jpg?oh=963eb54ff09ef9a21fa0338db807f539&oe=552C077E&gda=1430702271_14d8653cc751102ea79d58b6ec11ccbb
Related
Using:
Django 1.11
Python 3.6
DRF with JWT in FE
I understand that the Django admin uses a session, and basic authentication.
What I did so far: Replaced the Django Admin authentication signin page with AWS-Cognito:
The user goes to domain/admin/*, redirected to signin in AWS
On successful signin the user is redirected to the redirect_uri, leads to a Django View
In the view I replace the code with tokens
I can't navigate to any Admin page - I am trying to redirect, but that doesn't work since I didn't login() the User
Stuck - I would like to associate the User with the fetched tokens and authenticate with every Admin page request, and when the user logs out delete the tokens
What to do next?
When I use JWT with the Front End application, every request.META has HTTP_AUTHORIZATION, and uses a suitable backend.
I know how to add backends, and potentially leverage the user.backend (I also use Cognito-JWT for other FE portions, so already wrote BE for that)
I need to find a way to replace the Django Admin sessions authentication with the fetched token
Thank you!
EDIT:
If I login() the user, and set it to a model backend that I have already I can navigate to any admin page - but using the session that I created when I logged the user in.
I would like to have the user be set to a new model backend, with authentication that uses a token (from Django backend docs):
class MyBackend:
def authenticate(self, request, token=None):
# Check the token and return a user.
...
How do I make the different Admin pages requests pass the token to the authentication?
Where do I store the token? (I could make a NewUserModel that is 1-1 with the Django User model, and place a token field there)
I am thinking of writing a middleware to capture all requests, and looking into the target URL - if Admin url, add the token to the HTTP_AUTHORIZATION once I fetch the user mentioned in #2 (the user is in every request due to DRF)
EDIT 2
My solution is getting more and more like this stack solution, I would have liked to know if there are any other options, but here is what I did so far:
I made a model that has a 1-1 user field, and a tokens field
As I am fetching/creating the user, I am also saving the tokens on the user's related model from #1 above
I created a middleware that is capturing any request in process_request, and has access to the user. I can see the tokens there as I access the user's related model from #1 above.
I am trying to set the HTTP_AUTHORIZATION header on the request, but cannot do that yet (currently stuck here)
In my backend, I am looking at the incoming request, and trying to fetch the HTTP_AUTHORIZATION - not there yet.
EDIT 3
I ended up just using the Django session as is - once the user authenticates with AWS-Cognito once, it is safe to assume that it is a legitimate User.
Then I just dump the Cognito-JWT, and login() the User.
Note: I am still interested in a solution that would drop the Django session for using the Cognito-JWT, and would love to hear suggestions.
Code that I have used to handle user login and admin login:
# if not logged in, divert to login page
if users.get_current_user() is None:
return redirect('whoami')
# if logged in, Check if user is an admin
elif not users.is_current_user_admin():
return render(request, 'template.html', {'heading': 'Bad Request (400)',
'message': ['You are not logged in as administrator'],
'user_email': users.get_current_user().email()})
Everything works fine when I use the Djangae appengine with Datastore (Django with datastore support) back-end but when I enable the Google Identity Aware Protocol (Google IAP) everything starts failing. When I checked the logs, It says that there was an IntegrityError in djangae_gaedatastoreuser on the field email_lower
IntegrityError: Unique constraint violation for kind djangae_gaedatastoreuser on fields: email_lower
The datastore kind has two empty entries in the email_lower field.
Even the google.appengine.api.users module starts misbehaving. On first attempt to login, I can login to the AppEngine normally but I cannot logout of the appengine as a google account user, I see that I have logged out of my Google account(that's great but). When I try logging in, I see that no authentication was required to login (Google Sign In).
When I login from another browser instance, It shows
DatabaseError: save with update_fields did not affect any rows.
Can someone please explain why this is happening and what I must do to avoid this.
The issue was with the IAP login cookie, I did some research and found out that google provides us a url to clear that cookie.
You just have to hit the URL once you logout from your google account:
The URL: your_appenine_url/_gcp_iap/clear_login_cookie
To sum it all up,
#Get current user
user = users.get_current_user()
# If user has logged in, send him to google logout URL
# redirect to clear IAP login cookie after google account logout
if user:
logout_url = users.create_logout_url('/_gcp_iap/clear_login_cookie')
request.session.clear()
return redirect(logout_url)
So I have just completed my site, it is a basic social network. Each user has a profile and can edit their profile. However if a logged in user switches the user id in the edit url they can edit another users profile.
So if I am logged in as user 1 I can edit my profile here:
/user/1/edit
However, if logged in as user 1 and I go to user 2's edit profile url here:
/user/2/edit
I can also edit their profile... How do I stop that??
You should compare request.user.id with id in URL args if they are not same return 403 FORBIDDEN ( HttpResponseForbidden() )
You don't even need to have URL formed like following for edit, it could be just /user/edit as you can always retrieve current logged in user in your view by using request.user. I would recommend you going with the following solution and not consuming user id through URL where scope is limited to current user
allauth django
I would like to redirect a user to a "dynamic" login page.
I am currently being redirected to accounts/login
but I would like it to be
accounts/login/?name=Bob for user Bob
accounts/login/?name=Carl for user Carl
accounts/login/?name=Alice for user Alice
etc ...
Note that I could change the LOGIN_URL in settings.py to be e.g. accounts/login/?name=Bob but that would remain fixed and I would not get accounts/login/?name=Carl or accounts/login/?name=Alice.
Once the user has successfully login, I would need to retrieve the name from the request e.g. If user Bob has successfully login, get the name=Bob, etc.
Usually, I would do request.GET.get('name','')
but I would need to change allauth views
Is there a way to achieve the above without changing the source code of allauth.
I'm trying to get the user profile picture from Facebook with django-social-auth.
I saw in an other post, that I should get the user uid from Facebook to have access to the profile picture.
How can I get the uid?
From django-social-auth I just installed it and configured the basic stuff to login/logout with django-registrations.
This is my html to login:
Login with FB
How can I do a request to a 'home' view to the user in facebook and get the uid?
I found this in the django-socail-auth docs:
def social_associate_and_load_data(backend, details, response, uid, user,
social_user=None, *args, **kwargs):
"""
The combination of associate_user and load_extra_data functions
of django-social-auth. The reason for combining these two pipeline
functions is decreasing the number of database visits.
"""
extra_data = backend.extra_data(user, uid, response, details)
created = False
if not social_user and user:
social_user, created = UserSocialAuth.objects.get_or_create(
user_id=user.id,
provider=backend.name,
uid=uid,
defaults={'extra_data': extra_data})
if not created and extra_data and social_user.extra_data != extra_data:
social_user.extra_data.update(extra_data)
social_user.save()
return {'social_user': social_user}
Where should I put it in my django app? In views.py? If it yes, how can I activated the view, if I'm just logging in with commom social-auth urls.
Facebook uid is stored in UserSocialAuth instance, you can get it by doing
user.social_auth.get(provider='facebook').uid