Is my Django middleware order correct? - django

MIDDLEWARE_CLASSES = (
    'django.middleware.gzip.GZipMiddleware',
    'htmlmin.middleware.HtmlMinifyMiddleware',
    'django.middleware.http.ConditionalGetMiddleware',
    'johnny.middleware.LocalStoreClearMiddleware',
    'johnny.middleware.QueryCacheMiddleware',
    'announce.middleware.AnnounceCookieMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.transaction.TransactionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'giaola.middleware.ForceDefaultLanguageMiddleware',
    'django.middleware.locale.LocaleMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'mediagenerator.middleware.MediaMiddleware',
    'django.contrib.redirects.middleware.RedirectFallbackMiddleware',
    'minidetector.Middleware',
    # Uncomment the next line for simple clickjacking protection:
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'breadcrumbs.middleware.BreadcrumbsMiddleware',
    'achievements.middleware.AutoAchievementChecker',
)
These are all my middleware and I'm not entirely sure they're in the correct order.
I have my doubts about GZip and HTMLmin being at the top with caching following after them, but middleware has always been my weak point in Django.
"ForceDefaultLanguageMiddleware" is just there to enforce the language, like so:
class ForceDefaultLanguageMiddleware(object):
    # Drop the browser's Accept-Language header so LocaleMiddleware ignores its preference.
    def process_request(self, request):
        if 'HTTP_ACCEPT_LANGUAGE' in request.META:
            del request.META['HTTP_ACCEPT_LANGUAGE']
Any input would be more than appreciated.

Related

Django middleware when using msal for authentication

I have implemented OAuth2 login for users in a Django app using the msal library, following this guide: https://medium.com/@madhok.simran8/how-to-setup-azure-oauth-2-0-sso-in-django-with-microsoft-graph-api-d2639b8f7e36.
However, I'm not able to set the request.user variable right, which in turn means I can't check request.user.is_authenticated.
I believe this should be solved using the proper middleware, but I'm not sure how to set it up.
This is my current middleware:
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

What's the proper order in which Django cache middleware should be added?

I'm trying to add caching to my Django project and I'm failing to understand documentation on middleware ordering. Consider the following MIDDLEWARE list, which is mostly default:
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'simple_history.middleware.HistoryRequestMiddleware',
]
If I'm understanding this piece of documentation correctly, I'm supposed to add three new entries to the MIDDLEWARE list. Is there more than one proper ordering for my case?
The default startproject middleware are:
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
The three per-site cache middleware are given as:
MIDDLEWARE = [
    'django.middleware.cache.UpdateCacheMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.cache.FetchFromCacheMiddleware',
]
And when we're discussing caching there's also ConditionalGetMiddleware which is related to conditional view processing:
MIDDLEWARE = [
    'django.middleware.http.ConditionalGetMiddleware',
]
The question is then, what is the proper order to combine all these into one single MIDDLEWARE list? The Django documentation gives two rules specific to caching:
UpdateCacheMiddleware must come before "any other middleware that might add something to the Vary header" (and SessionMiddleware, GZipMiddleware, LocaleMiddleware do)
FetchFromCacheMiddleware needs to run after middleware that varies Vary
While it could be more subtle if you have additional custom stuff, the most natural way based on the defaults is to just bracket all the other middleware inside the cache ones. But we'll leave SecurityMiddleware up top since afaict it just checks/redirects some stuff that would be better done by something [e.g. nginx] wrapping Django itself anyway.
The CommonMiddleware was included at presumedly the right place in the startproject list already, so that one's easy.
The ConditionalGetMiddleware is trickier; a separate section of Middleware ordering hints says it goes "after GZipMiddleware […]" but overall "before any middleware that may change the response", which is a bit odd, but whatever…. (Apparently the GZip middleware is discouraged/problematic anyway.)
At the end here's what I get:
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.cache.UpdateCacheMiddleware',
    'django.middleware.gzip.GZipMiddleware',  # Caution: BREACH attack?
    'django.middleware.http.ConditionalGetMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.cache.FetchFromCacheMiddleware',
]
Note that there's at least one odd interaction between ConditionalGetMiddleware and UpdateCacheMiddleware in that the former may prevent the latter from actually caching the render if/when that render gets replaced with a 304 response.
So perhaps even better would be:
MIDDLEWARE = [
    'django.middleware.http.ConditionalGetMiddleware',
    'django.middleware.cache.UpdateCacheMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.cache.FetchFromCacheMiddleware',
]
…avoiding Gzip and handling HTTPS/HSTS stuff in the HTTP server layer instead.
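The two orderings above differ only in where ConditionalGetMiddleware sits relative to UpdateCacheMiddleware, and the Vary rule quoted earlier is the reason UpdateCacheMiddleware has to sit above SessionMiddleware. The following is an added example, not code from the question, the answer or Django itself: a small pure-Python model of the middleware chain with stand-ins for those four middleware, so the request phase (top-down) and response phase (bottom-up) can be traced for any ordering without a Django install. The Request and Response classes, the cache store, the three client requests and the sample page body are constructed; `simulate()` takes middleware names in MIDDLEWARE order and reports the status codes the three clients see, how many times the view had to render, and which Vary headers the cache ended up keyed on. The same model speaks to the first question's doubt about placing response-rewriting middleware above the cache.

```python
# Toy model of Django's middleware onion (added example, not Django's code).
# Request/Response, the cache store and the page body are constructed inputs.
import copy
import hashlib
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str = "/"
    method: str = "GET"
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int = 200
    body: bytes = b""
    headers: dict = field(default_factory=dict)

class Middleware:
    def process_request(self, request):          # return a Response to short-circuit
        return None
    def process_response(self, request, response):
        return response

class SessionMiddleware(Middleware):
    def process_response(self, request, response):
        response.headers["Vary"] = "Cookie"      # the real one does this once the session is used
        return response

class ConditionalGetMiddleware(Middleware):
    @staticmethod
    def etag_for(body):
        return '"%s"' % hashlib.md5(body).hexdigest()
    def process_response(self, request, response):
        if response.status == 200 and "ETag" not in response.headers:
            response.headers["ETag"] = self.etag_for(response.body)
        inm = request.headers.get("If-None-Match")
        if inm and inm == response.headers.get("ETag"):
            return Response(304, b"", dict(response.headers))   # full render replaced by a 304
        return response

class CacheStore:
    """Shared by the Update/Fetch pair, like Django's cache backend."""
    def __init__(self):
        self.vary_for_path = {}   # path -> header names listed in Vary when stored
        self.pages = {}           # (path, values of those headers) -> Response
    def key(self, request, vary):
        return (request.path, tuple((h, request.headers.get(h)) for h in vary))

class CacheMiddleware(Middleware):
    def __init__(self, store):
        self.store = store

class UpdateCacheMiddleware(CacheMiddleware):
    def process_response(self, request, response):
        # Like Django: only 200 responses to GET are stored; a 304 never is.
        if request.method != "GET" or response.status != 200:
            return response
        vary = [h.strip() for h in response.headers.get("Vary", "").split(",") if h.strip()]
        self.store.vary_for_path[request.path] = vary
        self.store.pages[self.store.key(request, vary)] = copy.deepcopy(response)
        return response

class FetchFromCacheMiddleware(CacheMiddleware):
    def process_request(self, request):
        vary = self.store.vary_for_path.get(request.path)
        if request.method != "GET" or vary is None:
            return None
        hit = self.store.pages.get(self.store.key(request, vary))
        return None if hit is None else copy.deepcopy(hit)

def run(stack, request, view):
    """Request phase top-down; response phase bottom-up from the middleware that
    short-circuited, if any (Django >= 1.10 MIDDLEWARE semantics)."""
    response, depth = None, len(stack)
    for i, mw in enumerate(stack):
        response = mw.process_request(request)
        if response is not None:
            depth = i + 1
            break
    if response is None:
        response = view(request)
    for mw in reversed(stack[:depth]):
        response = mw.process_response(request, response)
    return response

def simulate(order):
    """order: names in MIDDLEWARE order. Returns (statuses, view renders, stored Vary list)."""
    store, renders, body = CacheStore(), [], b"<h1>hello</h1>"
    def view(request):
        renders.append(request.path)
        return Response(200, body)
    available = {"update": UpdateCacheMiddleware(store), "fetch": FetchFromCacheMiddleware(store),
                 "conditional": ConditionalGetMiddleware(), "session": SessionMiddleware()}
    stack = [available[name] for name in order]
    requests = [
        Request(headers={"If-None-Match": ConditionalGetMiddleware.etag_for(body)}),  # revalidating browser
        Request(),                                                                    # first-time visitor
        Request(headers={"Cookie": "sessionid=abc"}),                                 # visitor with a session
    ]
    statuses = [run(stack, r, view).status for r in requests]
    return statuses, len(renders), store.vary_for_path.get("/")
```

With UpdateCacheMiddleware above ConditionalGetMiddleware, the revalidating client's render is turned into a 304 before the cache layer sees it, so nothing is stored and the view renders three times; with ConditionalGetMiddleware on top, the 200 is stored first and the view renders twice. Moving UpdateCacheMiddleware below SessionMiddleware renders only once, but the stored Vary list is empty, so the visitor with a session cookie is handed the anonymous page: that is exactly what the Vary rule is there to prevent.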

@csrf_protect in django services

I'm trying to use @csrf_protect in my services by following the Cross Site Request Forgery protection article, but it is not working for me.
This is my settings file:
MIDDLEWARE_CLASSES = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'corsheaders.middleware.CorsMiddleware',
]
and this is how I'm acquiring the token:
var csrftoken = Cookies.get('csrftoken');
And this is how I'm configuring the $http provider with the cookie and header names:
$httpProvider.defaults.xsrfCookieName = 'csrftoken';
$httpProvider.defaults.xsrfHeaderName = 'X-CSRFToken';
But when I call any service, it returns a 403 Forbidden error. Any idea what I'm missing or doing wrong?
Any kind of help will be appreciated.
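A 403 from CsrfViewMiddleware on a non-safe request comes down to three checks: the csrftoken cookie is present, the token arrives in the request (here via the X-CSRFToken header), and the two match. The following is an added example, not the question's code or Django's: a minimal Python model of that double-submit check using the cookie and header names from the question, together with the WSGI renaming that turns the HTTP header X-CSRFToken into META['HTTP_X_CSRFTOKEN'] (the key Django actually reads). Token generation is simplified and labelled as such (Django's real tokens are masked and salted, and the real middleware also performs a Referer check on HTTPS); the tokens and requests are constructed. One caveat worth knowing when wiring this up from AngularJS: $http attaches the XSRF header only to same-origin requests, so an API served from a different origin never receives it.

```python
"""Model of Django's CSRF double-submit check (added example, not django.middleware.csrf)."""
import hmac
import secrets

CSRF_COOKIE_NAME = "csrftoken"          # cookie name used by the question's Cookies.get()
CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"   # META key WSGI produces for the X-CSRFToken header
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

def new_token():
    # Constructed stand-in: 32 hex chars of CSPRNG output. Django's tokens are
    # longer and masked per request; the comparison logic below is what matters.
    return secrets.token_hex(16)

def wsgi_meta_from_headers(headers):
    """Mimic a WSGI server: 'X-CSRFToken' -> 'HTTP_X_CSRFTOKEN', 'Content-Type' stays special-cased."""
    meta = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        meta[key if key in ("CONTENT_TYPE", "CONTENT_LENGTH") else "HTTP_" + key] = value
    return meta

def check_csrf(method, cookies, meta):
    """Return (allowed, reason). cookies: request cookies; meta: WSGI environ-like dict.
    Mirrors the observable behaviour: safe methods pass, both tokens must be present,
    and they are compared in constant time so a mismatch leaks no timing information."""
    if method in SAFE_METHODS:
        return True, "safe method"
    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    if not cookie_token:
        return False, "CSRF cookie not set"
    request_token = meta.get(CSRF_HEADER_NAME, "")
    if not request_token:
        return False, "CSRF token missing from header"
    if not hmac.compare_digest(cookie_token, request_token):
        return False, "CSRF token incorrect"
    return True, "ok"

if __name__ == "__main__":
    token = new_token()
    meta = wsgi_meta_from_headers({"X-CSRFToken": token, "Content-Type": "application/json"})
    print(check_csrf("POST", {CSRF_COOKIE_NAME: token}, meta))   # matching cookie and header
    print(check_csrf("POST", {CSRF_COOKIE_NAME: token}, {}))     # header never sent -> 403
```

Each of the three failure branches corresponds to a 403 the client sees; logging the reason server-side (as Django does via its CSRF failure view) is the quickest way to tell a missing cookie from a wrong header name.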

django-cms: wrong current page language

I have a multilanguage site (it, en, ru) that uses django-cms with some apps hooked on various pages. My problem is that the content is always served in Italian, even if I visit pages with '/en/' or '/ru/' as prefix.
On my base template (base.html) I have a {{ lang }} template variable that allows me to retrieve the current page language, and it worked fine... till today. Now if I visit www.myhomepage/en (or /ru), the value of 'lang' is always 'it'.
These are my language settings (cms and non-cms) and also other settings related to languages:
LANGUAGE_CODE = 'it'
DEFAULT_LANGUAGE = 0
LANGUAGES = (
    ('it', gettext(u'Italiano')),
    ('en', gettext(u'English')),
    ('ru', gettext(u'Russian')),
)
CMS_LANGUAGES = (
    ('it', ugettext('Italian')),
    ('en', ugettext('English')),
    ('ru', ugettext('Russian')),
)
LOCALE_PATHS = (os.path.join(PROJECT_PATH, 'locale'),)  # trailing comma: without it this is a plain string, not a tuple
CMS_LANGUAGE_CONF = {
    'it': ['en'],
    'ru': ['en'],
}
CMS_HIDE_UNTRANSLATED = False
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'cms.middleware.multilingual.MultilingualURLMiddleware',
    'cms.middleware.page.CurrentPageMiddleware',
    'cms.middleware.user.CurrentUserMiddleware',
    'cms.middleware.toolbar.ToolbarMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'cms.middleware.multilingual.MultilingualURLMiddleware',
    'cms.middleware.page.CurrentPageMiddleware',
    'cms.middleware.user.CurrentUserMiddleware',
    'debug_toolbar.middleware.DebugToolbarMiddleware',
    'cms.middleware.multilingual.MultilingualURLMiddleware',
    'cms.middleware.page.CurrentPageMiddleware',
    'cms.middleware.user.CurrentUserMiddleware',
    'cms.middleware.toolbar.ToolbarMiddleware',
)
Any help?
Thanks
You have several middleware that are repeated inside your settings. They should look something like this:
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'cms.middleware.multilingual.MultilingualURLMiddleware',
    'cms.middleware.page.CurrentPageMiddleware',
    'cms.middleware.user.CurrentUserMiddleware',
    'cms.middleware.toolbar.ToolbarMiddleware',
)
Plus, can you give your CONTEXT_PROCESSORS settings as well?
Also, I assume you are using django-cms <= 2.3.5. Is this right? There is a 2.4 beta that gets rid of MultilingualMiddleware; you could try whether it fits your needs (even though it is still a beta).

What should I do to make the admin service work in Django 1.2?

It worked great before.
Now, when I try to go to /admin/, I get an error:
Module "django.contrib.auth.context_processors" does not define a "csrf" callable request processor
I read this: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/
My settings are now:
MIDDLEWARE_CLASSES = (
    'django.middleware.csrf.CsrfMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.middleware.csrf.CsrfResponseMiddleware',
)
What do I have to do to make it work?
To make it work I had to write it in a different order:
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
)