Resend SMS code with Django Two-factor Authentication - django

I'm using Django with django-two-factor-auth for my web application. I can now send SMS via Twilio and verify it, but I haven't figured out how to resend the SMS code when I need i.e. click on "Didn't received your code? Resend!".
I have read through django-two-factor-auth docs but couldn't find any info about implementing this.
Do I need to configure django-two-factor-auth somehow, or customize the lib (which is what I don't really prefer to do) ?
Could you please help me? Thank you for your time :)

Currently this is not possible with this package. However feel free to request this issue on the GitHub repository.
Another possibility is to implement this yourself. The token is sent when the wizard page named token is rendered. Your template would need to submit a POST to the login view, requesting the same page. The button should look similar to the request backup token, so (untested) something like this:
<button name="challenge_device" value="{{ device.persistent_id }}"
class="btn btn-default btn-block" type="submit">Resend token</button>

Related

Does postman allow building form like this?

Say I have api that returns form data. Data is not important here but will postman allow the following:
<form action="{{result.FormAction}}">
<input type="text" name="name" value="{{result.Name}}">
</form>
So the api will return data to be put into the form?
I can't find any articles or maybe searching for wrong thing.
Would I need to do this by JavaScript from Postman?
Problem
There is an API that requires a form post. This API is 3rd party so in the UI (this all works). The part of the form is generated by the API and fields are added to the form before it is posted from the client side. Our API returns the form action along with the fields that are generated on the server side.
So for my example above I am wondering if this could be tested by Postman. It's not critical as it all works well on the client side but would be nice to be able to run a few tests using Postman.

Calling Zapier trigger from Django Code

Is there any way I can call the "Zapier trigger" from my Django Code,
Basically, I am having a Django form where the user will enter several email-id and when the user clicks on send button then I want to send this form data to Zapier in order to do the next action like writing in google spreadsheet or sending email to everyone.
David here, from the Zapier Platform team. The easiest way to do this is to have the form submit against your server and use a library like requests to POST to Zapier. This way, you don't have to worry about CORS or revealing the hook url to your users.
Hope that makes sense. ​Let me know if you've got any other questions!
I am not sure from your question if this is related to how to make the call from Python (which #xavdid answered) or how to trigger a zap. If this is about triggering a Zap, here's the answer.
Setup a Zap by choosing the Webhooks by Zapier app as the trigger. Choose catch a raw hook, if you need more control. In the next step, you will receive a URL where you can POST your form-data.
Everytime you POST data the Zap will be triggered. You can use the data available from your request in the action step for Google Sheets or Emails.
Here are a few Zap Templates that you could start from.
Add info to Google Sheets from a Webhook POST
Send emails from a Webhook POST (Using Zapier's email app)
Send emails from a Webhook POST (using Gmail)

Facebook does not logout when using django-social-auth social_auth disconnect

I am using Django 1.5 and django-social-auth. I am able to login with facebook using the template:
<img src="{% static "assets/img/login-with-facebook.png" %}"></img>
Later I use the disconnect template which I thought would disconnect me from facebook, as in if I later go to facebook.com I should be asked to log in again. I believe this is the usual behavior for most apps that use social authentication.
<a id="logout-option" href={% url "socialauth_disconnect" 'facebook'%}>[logout]</a>
Can someone explain what the expected behavior should be for the socialauth_disconnect and whether it should also log me out of facebook? If not, what is the recommended way of doing so? What about other providers?
socialauth_disconnect will remove the association between the Facebook account and the User account in your application, as if the user never hit the socialauth_begin link. There's no way from django-social-auth to logout your Facebook account, to make that possible the Facebook SDK might be needed (never did that so I'm not 100% sure), since to make that possible I guess some cookies will be removed, and to do that the script must come from the same domain.

Cross Site Request Forgery protection in Django - a better explanation?

I've just completed part 4 of the Django 1.4 tutorial and I'm sure they just chucked CSRF and generic views in to confuse the hell out of me.
Okay, so generic views I get now, but I don't understand what is happening with CSRF protection.
This is what I think is happening: the CSRF token is a hash/key generated by modules used in the app and a logged in user if logged in. The token is somehow sent with a POST method form to the receiving view which again generates the hash and compares it with the one sent with the form to make sure nobody has snooped in? Have I got this completely wrong?
Having used the rest of the Django manual during the tutorial this is by far the most confusing manual page I have read.
It's confusing because it addresses a subtle vulnerability with web browsers.
Let's say we have two sites: site.com and evil.com. Then the owner of evil.com can, if he knows the structure of the site.com website (which is easy if he can use it), set up a form targeting it.
<form action="http://target.com/my_account/_delete" method="POST">
<input type="submit" value="Click Here for candy"></input>
</form>
Anyone clicking it and logged into site.com will instantly trigger the action linked to (in this case, destroying their own account).
The idea of a csrf token is that the legitimate form looks like this:
<form action="http://target.com/my_account/_delete" method="POST">
<input type="hidden" name="csrf_token" value="AEyaF8af8AIHJFA0L"></input>
<input type="submit" value="Don't click this unless absolutely sure!"></input>
</form>
and because this value is user specific, and only known by and shown on the website, the users are now safe, and can't delete their account without going through the proper page first, as any page from the attacker would not know this value.
Hopefully this is clearer.

Django - SocialAuth login without leaving the page

I'm using the nice django-social-auth in one of my projects.
Basically I would like to be able to login without leaving the current page (whithout even refreshing it).
I thought about simply using target="_blank" in my provider links
<a href="{% url socialauth_begin service %}"
rel="nofollow" target="_blank">{{ service|title }}</a>
But of course it is redirecting to the default location after the successful login.
Is there a way to automatically close this new window on success so the user gets the previous page ?
With some JS and some parameters for the backend, you could open a popup window where the user can do the auth (some backends accept parameters that generate a different auth dialog layout). In that popup the user will proceed with the auth process and the popup could be closed with some JS too when the user is redirected back to the final URL.
Some of the services support javascript based login, which might be what your are looking for, however it depends on which services you want to use and whether they do support this. For example there is Client-side JavaScript SDK on Facebook.