PBKDF2 encryption on Laravel authentication - django

I need to create an application with the Laravel authentication system that matches passwords from a Django database. Django uses PBKDF2 to hash a password. (Django encryption info here)

You will need to write it. Blowfish is considered more secure though, just for your understanding.
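The verification the answer says has to be written, as an added example (not code from the original post): it parses Django's `pbkdf2_sha256$<iterations>$<salt>$<base64 hash>` storage string and recomputes the key with the standard library. It is shown in Python so it can be run against the same rows Django writes; the function names, the iteration ceiling and the sample row are assumptions made for this example.

```python
import base64
import hashlib
import hmac

# Assumed ceiling so a corrupted or hostile row cannot stall a login request.
MAX_ITERATIONS = 2_000_000


def encode_django_pbkdf2(password, salt, iterations):
    """Build a string in Django's pbkdf2_sha256 layout (used here for sample data)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt.encode("utf-8"), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, salt, base64.b64encode(dk).decode("ascii"))


def verify_django_pbkdf2(password, encoded):
    """Return True only if password matches a pbkdf2_sha256 entry."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # other hashers (or garbage) are rejected, not guessed at
    _, iter_text, salt, stored_b64 = parts
    try:
        iterations = int(iter_text)
        stored = base64.b64decode(stored_b64, validate=True)
    except ValueError:
        return False
    # SHA-256 output is 32 bytes; anything else is not a valid stored key.
    if not 1 <= iterations <= MAX_ITERATIONS or len(stored) != 32:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt.encode("utf-8"), iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(derived, stored)


# Constructed sample row; the low iteration count only keeps the demo fast.
SAMPLE_ROW = encode_django_pbkdf2("correct horse", "constructedsalt", 1000)

if __name__ == "__main__":
    print(SAMPLE_ROW)
    print(verify_django_pbkdf2("correct horse", SAMPLE_ROW))
    print(verify_django_pbkdf2("wrong guess", SAMPLE_ROW))
```

A Laravel port follows the same steps with PHP's `hash_pbkdf2` (raw output, 32 bytes) and `hash_equals` for the comparison.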

Related

Secure way to accept payments on Django Heroku?

I'm trying to accept payments on Django using Heroku.
I've had a ton of issues using Stripe because I don't know much about client-side/server-side and every time I get something that works, I have to expose my private key. I feel like there's no resource out there for this. Does anyone have something that can help?
Typically any secrets you don't want to expose to users (like secret API keys) can be kept on your Django server backend and are not exposed to your application's users.
What's important to understand with Stripe is that there are two kinds of API keys: publishable API keys and secret API keys.
Per the Stripe documentation:
| Key type | Example | When to use |
|---|---|---|
| Publishable | pk_test_TYooMQauvdEDq54NiTphI7jx | On the client-side. Can be publicly-accessible in your web or mobile app’s client-side code (such as checkout.js) to tokenize payment information such as with Stripe Elements. By default, Stripe Checkout tokenizes payment information. |
| Secret | sk_test_4eC39HqLyjWDarjtT1zdp7dc | On the server-side. Must be secret and stored securely in your web or mobile app’s server-side code (such as in an environment variable or credential management system) to call Stripe APIs. |
So, you would keep your secret key in your Django app only. Your frontend would either only call your backend or would only use the publishable key.
There are a few products that Stripe offers for integrating payments into your app. You can look at the Stripe Checkout quickstart for code samples on how to properly use these keys in your app.

Django LDAP with OpenWisp Django-IPAM

I'm trying to set up OpenWisp Django-IPAM with WebUI authentication via LDAP. We have an OpenLDAP server within our network and I am looking to use a simple LDAP lookup to check for a valid user object for login.
I see that the API's generics.py file has an authentication_classes section, which then contains SessionAuthentication and BasicAuthentication.
Is this the same mechanism that handles the authentication for the Web UI? Is there a way to configure OpenWisp Django-IPAM to use something like Django-Auth-LDAP for authentication when logging into the web interface?
The authentication of the web UI of OpenWISP Django-IPAM works like the default authentication of other Django projects. So to use LDAP authentication at the web UI, you simply need to edit your settings.py file to contain the setups as shown here.
Something like django-auth-ldap will help, but users will have to start a session by authenticating against the Django authentication backends before being able to use the API (e.g. login via the admin or provide another login view).
After a successful LDAP authentication using the method mentioned above, a new local user will be created, which maps the LDAP user.
I'm not sure if LDAP authentication requires a redirect to another application (like OAuth2 or SAML) or if username and password are just redirected behind the scenes. In the latter case, BasicAuthentication should work. I just looked at its code and it looks like it respects the standard Django authentication framework, which supports multiple authentication backends (the LDAP backend is provided by the third-party app suggested above).
A side note: we're moving the development of django-ipam to openwisp-ipam. It's mostly the same. I suggest you upgrade.

How to create token-based authentication in laravel 4?

I've been suggested to use token-based authentication, in order to secure my webservices, and to create another filter that verifies tokens, apart from auth. The idea is to use the auth filter for log-in, which I have already done in the backend, and to create a new filter for webservices. Could someone recommend a good tutorial on how to do this, or give me an example?
This is what I use, specifically for mobile app web services:
https://github.com/lucadegasperi/oauth2-server-laravel
Which is an OAuth2 server package for Laravel. It includes all you need to authenticate, generate / validate tokens, throttle, and protect your endpoints.
The OAuth2 spec has a bit of a learning curve, but is definitely worth it.

Spree Commerce user password to Magento 1.8 migration?

I'm trying to migrate from Spree Commerce to Magento 1.8 and I have a problem with user passwords. Can I get any info from you guys on how I can achieve this goal? How are passwords encrypted (bcrypt, MD5, etc.)? Is it possible to decrypt them with PHP and save them while migrating Spree user data to Magento?
Regards,
The most popular user management extension for Spree is spree_auth_devise, which is built on the popular Devise project. By default, Devise uses bcrypt to digest passwords. It is not possible to decrypt a digested password.
If you wish to maintain user accounts during your migration, you will have to modify Magento to use the same algorithm that Devise uses to verify passwords.
For more information you should look at the Devise source:
https://github.com/plataformatec/devise/blob/master/lib/devise/models/database_authenticatable.rb

Porting to Django, Support for legacy user database

I am porting my website from raw PHP to Django. I have used inspectdb to create models for the existing database. The problem that has come up is that earlier I was registering the users and saving their passwords as an MD5 hash, md5($pass), and Django does not support this MD5 version.
Is there a way I can support my legacy database of users and, for new users, make use of the powerful Django user model that supports user profiles?
See the documentation on authentication backends and writing an authentication backend.
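The check a custom backend's `authenticate()` would run for the legacy rows described in the question, as an added example (not code from the original answer): it accepts the old unsalted `md5($pass)` hex digest once, then returns a PBKDF2 string in Django's layout to store in its place. It uses only the standard library, not Django's API; the function names, the iteration count and the sample row are assumptions.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Assumed work factor; set it to the default of the Django version in use.
PBKDF2_ITERATIONS = 600_000

# PHP's md5() yields 32 lowercase hex characters with no salt or prefix.
LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")


def make_pbkdf2(password, iterations=PBKDF2_ITERATIONS):
    """Return a fresh hash in Django's pbkdf2_sha256$iter$salt$b64 layout."""
    salt = secrets.token_hex(11)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt.encode("utf-8"), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode('ascii')}"


def check_legacy_and_upgrade(password, stored, iterations=PBKDF2_ITERATIONS):
    """Return (ok, replacement); replacement is the hash to save, or None."""
    stored = stored.lower()
    if not LEGACY_MD5.fullmatch(stored):
        return False, None  # not a legacy row: leave it to the normal backend
    candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(candidate, stored):
        return False, None
    # Password proven once against MD5: hand back a salted, slow hash so the
    # caller can overwrite the legacy value and never check MD5 again.
    return True, make_pbkdf2(password, iterations)


# Constructed legacy row, as the old PHP site would have stored it.
LEGACY_ROW = hashlib.md5(b"letmein").hexdigest()

if __name__ == "__main__":
    ok, replacement = check_legacy_and_upgrade("letmein", LEGACY_ROW, 1000)
    print(ok, replacement)
```

Rows that are never logged into keep their MD5 digest, so plan a cut-off after which remaining legacy accounts must reset their password.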