SessionAuthentication vs OAuth2Authentication to work with Django and Angularjs - django

I'm currently learning about django-rest and I'd like to interact with an AngularJS application.
The main idea is to build an API with django-rest serving on localhost:8000 and call it with a nodejs/angularjs app serving on localhost:9000.
The main question is: how to authenticate a user through AngularJS?
The documentation says:
Session authentication is appropriate for AJAX clients that are
running in the same session context as your website.
Because Django and AngularJS are not in the same context, does it mean I have to use OAuth2 to play with authentication?
Thanks for your lights :)

Does it mean I have to use OAuth2 to play with authentication?
Of course not. You can use TokenAuthentication or even BasicAuthentication.
I myself most of the time use something similar to TokenAuthentication, but handmade. The only concern here is passing the token in requests.
EDIT:
If you perchance are not satisfied with the options provided by Django REST, you can write your own middleware to handle authentication. The idea here is to authenticate the user, pass him some token, and then check for that token in your custom middleware.
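As an added example of the "handmade token" approach this answer describes (this is not the answerer's code and not a Django or DRF API; it is a framework-free sketch of what the custom middleware would do): the server issues a random token after the password check, stores only its SHA-256 digest, and on each request parses `Authorization: Token <value>` (the same header format DRF's built-in TokenAuthentication uses) and looks the token up in constant time. `TokenStore` and `authenticate_request` are illustrative names, and the expiry policy is an assumption.

```python
"""Added example: a minimal hand-rolled token check, no Django/DRF required.

Assumptions (not from the page): 32-byte random tokens, only their SHA-256
digest is stored, tokens expire after a TTL, and clients send
`Authorization: Token <hex>`.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


class TokenStore:
    """Maps sha256(token) -> (user_id, expiry timestamp).

    Storing only the digest means a leaked table does not leak usable tokens.
    """

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._by_digest: Dict[str, Tuple[str, float]] = {}
        self.ttl = ttl_seconds

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Called once the user has proven username/password; returns the raw
        token exactly once. 32 bytes from the OS CSPRNG -> 64 hex characters."""
        now = time.time() if now is None else now
        token = secrets.token_hex(32)
        self._by_digest[self._digest(token)] = (user_id, now + self.ttl)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a live token, or None."""
        now = time.time() if now is None else now
        digest = self._digest(token)
        # Walk every entry with a constant-time compare instead of a direct
        # dict hit, so response time does not reveal whether a digest exists.
        match = None
        for stored_digest, record in self._by_digest.items():
            if hmac.compare_digest(stored_digest, digest):
                match = record
        if match is None:
            return None
        user_id, expires_at = match
        if now >= expires_at:
            return None  # expired tokens are treated as unauthenticated
        return user_id

    def revoke(self, token: str) -> None:
        """Logout: drop the digest so the token stops working immediately."""
        self._by_digest.pop(self._digest(token), None)


def authenticate_request(headers: Dict[str, str], store: TokenStore,
                         now: Optional[float] = None) -> Optional[str]:
    """What the custom middleware does per request: accept only exactly
    `Token <64 hex chars>` and look it up. Returns the user id or None
    (the view then answers 401)."""
    parts = headers.get("Authorization", "").split()
    if len(parts) != 2 or parts[0] != "Token":
        return None
    token = parts[1]
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        return None
    return store.lookup(token, now)


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=60)
    t = store.issue("alice")
    print(authenticate_request({"Authorization": f"Token {t}"}, store))   # alice
    print(authenticate_request({"Authorization": f"Bearer {t}"}, store))  # None
    print(authenticate_request({"Authorization": f"Token {t}"}, store,
                               now=time.time() + 120))                    # None
```

The part that needs care in production is the same as in DRF's own TokenAuthentication: the raw token must only ever travel over TLS, and the AngularJS client has to store it somewhere (localStorage, a closure, or a cookie it sets itself) and attach the header on every call.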

Related

DRF + not DRF joint authentication

I'm new-ish to Django and token-based authentication and have both a multi-page site from Django (non-DRF) with standard allauth session-based authentication, and a React app using GraphQL on DRF and JWT authentication. They are on different subdomains but use the same Django/DB instance.
I would like my users to be able to log in on either site and navigate to the other and still stay 'authenticated', i.e. not have to log in again.
I was thinking about trying to get my non-DRF site to use JWT, but there doesn't seem to be much online content on this that isn't DRF. Also, is it even possible to provide a token cross-subdomain?
Is this all a pipe dream? Can someone please point me in the best direction to solve this problem?
Thanks in advance for your time.
Simply use SessionAuthentication in the REST API's default authentication classes:
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        .........
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework_simplejwt.authentication.JWTAuthentication',
        ..........
    ]
}
This will ensure you are using session authentication, which shares the session cookie across all sites for authentication, with which you can use both JWT and session authentication. But be careful, because your API can also be accessed with session authentication.
This is not a backend issue; local storage or any type of browser storage simply does not allow one site/domain to access the data of another. I would suggest using DRF for all the functionality and dropping the non-DRF one, but you can append the user's JWT token to the link when redirecting the user from the DRF site to the non-DRF site, then extract the token and set it as an auth header. Please explain why you need two separate backend apps; I'll recommend if there is a better way.
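An added example for the "make the non-DRF site accept the JWT" idea in these two answers (this is not either answerer's code and not simplejwt's implementation): a framework-free HS256 mint/verify pair. It assumes both sites share the same SECRET_KEY, that the DRF side issues HS256 tokens (simplejwt's default), and that the claim names `user_id`, `exp` and `token_type` mirror simplejwt's defaults; `mint_jwt` and `verify_jwt` are illustrative names. The verifier pins the algorithm, checks the signature in constant time and rejects expired tokens, which is the minimum the non-DRF side must do before trusting `user_id`.

```python
"""Added example: HS256 JWT mint/verify shared between two Django sites.

Assumptions (not from the page): shared SECRET_KEY, HS256, and simplejwt-style
claims (user_id, iat, exp, token_type).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(secret: str, user_id: int, lifetime: int = 300,
             now: Optional[float] = None) -> str:
    """What the DRF side does at login: sign header.payload with HMAC-SHA256."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"token_type": "access", "user_id": user_id,
               "iat": int(now), "exp": int(now) + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class InvalidToken(Exception):
    """Raised for anything the non-DRF site must not accept."""


def verify_jwt(secret: str, token: str, now: Optional[float] = None) -> Dict[str, Any]:
    """What the non-DRF site does before trusting user_id from the token."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise InvalidToken("malformed")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the token must never choose it (alg=none, HS/RS confusion).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise InvalidToken("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("token_type") != "access":
        raise InvalidToken("not an access token")
    if "exp" not in payload or now >= payload["exp"]:
        raise InvalidToken("expired")
    return payload


if __name__ == "__main__":
    tok = mint_jwt("shared-secret-key", 42)
    print(verify_jwt("shared-secret-key", tok)["user_id"])  # 42
```

Two practitioner caveats on the redirect-with-token idea above: a token in a URL ends up in server logs, browser history and Referer headers, so keep it short-lived (or exchange a single-use code server-side instead), and if you widen SESSION_COOKIE_DOMAIN to the parent domain, every subdomain can then ride the same session, so the CSRF protection that SessionAuthentication enforces on DRF endpoints must stay on.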

Are Django's auth backend and DRF's token authentication just two approaches to the same thing?

In my Django web app, which is split into a front end and a back end project, I am currently using a custom AuthBackend class that extends Django's BaseBackend, as well as DRF's UserTokenAuthentication.
Am I right to think that I only need one of these approaches? Or is there a reason to use Django's login() function, even if I am using DRF's token auth? I know it stores the user in the session, so I guess that would make passing and authenticating a token pointless?
What's my best approach? Cheers :)
There are differences both namespace-wise and purpose-wise.
In Django, auth backends handle session-based authentication only, whereas REST framework auth supports not only session-based auth but also token (JWT, OAuth) and basic auth based authentication.
Besides, Django auth backends authenticate requests while they pass through middleware, and REST framework authenticates without middleware.
If you are planning to separate your backend and frontend, then go for token-based auth. There is no reason to use Django's login function if you only use token-based auth to authenticate.

How do I send csrftoken from Django Rest Framework backend to React Native front-end?

I am building an application after finishing up my website. Now, the backend for both of these should be common, but Django's CSRF token is meant to be a security measure against this. Since I am not using a web browser, I am unable to get a CSRF token cookie. At the same time, Django will need it to access its APIs.
Is there any way I can get the cookie from Django and get it into React Native?
Not clear what you want to do. But if you are writing a native application, why don't you use a token identification mechanism?
There are lots of simple (and less simple) solutions out there.
Assuming you are using Django REST framework:
Simple built-in token authentication
https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
Token, but with expiry and DB encryption
https://github.com/James1345/django-rest-knox
JWT
https://github.com/davesque/django-rest-framework-simplejwt
May I know your login URL? Use the rest-auth login URL. The allauth URL gives a CSRF issue.

Django and CSRF protection for mobile apps

I am using Django + Django REST Framework + Django OAuth Toolkit.
I understand that AJAX calls from a web session require CSRF protection, but it is my understanding that mobile apps don't, as the very thing CSRF checks are protecting against can't happen in a dedicated app. If a person has an OAuth token, they are not using our web app, so it seems I don't need to perform CSRF checks in that case.
Is there any way to disable CSRF checks on REST Framework endpoints when a request includes an OAuth token, and if so, is this a safe thing to do? Or should all requests be protected by the CSRF mechanism regardless?
You should probably be using DRF's token authentication with a mobile app. Initially, the user logs in to your backend with a username and password, and then the backend issues a token for that instance of the mobile app, which [securely] stores the token locally. With token authentication, and the reality of sending your credentials (over SSL/HTTPS) to the server on every request, you obviate the need for a CSRF check, and thus no CSRF check is done.

Overriding django authentication with Django rest framework authentication

I need to access a djangorestframework API, but because the Django server uses a CSRF token I can't get past it. How can I configure djangorestframework to override the djangorestframework and not be redirected to login?
I'm new to this, so I need help.
Accessing the Django REST framework would be a pure Python program which runs in the background of a client PC collecting data, so I need to use urllib2 or requests for this. Any ideas?
The API needs to expose an authentication method for your client to use.
The SessionAuthentication style requires CSRF validation and is suitable for JavaScript-based clients running in the context of a logged-in application. If this describes the sort of client access you're making, then read the Django documentation on CSRF and AJAX requests, which describes how to pass a CSRF token to a JavaScript-based client.
Other schemes such as TokenAuthentication do not require CSRF validation, and will successfully authenticate without passing any CSRF token.
Make sure that you know what schemes the API supports and choose the right one to use for your client access.
For more information see the authentication documentation.
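An added example for the background-collector client in this question (not the answerer's code and not DRF code), which also illustrates the point made in the "Django and CSRF protection for mobile apps" answer above: with TokenAuthentication there is no session cookie, so there is nothing for CSRF to protect and no CSRF token to send. It uses only the standard library, assumes the API mounts DRF's obtain_auth_token view at /api-token-auth/ (the path and host are assumptions) and that the API accepts `Authorization: Token <key>`, which is TokenAuthentication's header format. The request-building functions are separated from the sending so the header layout can be checked without a network.

```python
"""Added example: a stdlib-only client for a TokenAuthentication-protected DRF API.

Assumptions (not from the page): token endpoint at /api-token-auth/ returning
{"token": "..."}, API host https://api.example.com.
"""
import json
import urllib.request
from typing import Any, Dict, Optional

API_BASE = "https://api.example.com"  # assumed host


def build_token_request(base_url: str, username: str,
                        password: str) -> urllib.request.Request:
    """Exchange username/password for a token once (DRF's obtain_auth_token)."""
    body = json.dumps({"username": username, "password": password}).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + "/api-token-auth/",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )


def build_api_request(base_url: str, path: str, token: str, method: str = "GET",
                      payload: Optional[Dict[str, Any]] = None) -> urllib.request.Request:
    """Every later call carries the token in the Authorization header.
    No CSRF header is needed: no cookie, no session, nothing for CSRF to guard."""
    if not base_url.startswith("https://"):
        raise ValueError("the token is a bearer credential; send it only over TLS")
    headers = {"Authorization": "Token " + token, "Accept": "application/json"}
    data = None
    if payload is not None:
        data = json.dumps(payload).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(
        base_url.rstrip("/") + "/" + path.lstrip("/"),
        data=data,
        method=method,
        headers=headers,
    )


def send(req: urllib.request.Request) -> Any:
    """Perform the request and decode the JSON body (network, not exercised here)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    token = send(build_token_request(API_BASE, "collector", "s3cret"))["token"]
    print(send(build_api_request(API_BASE, "/api/measurements/", token,
                                 "POST", {"value": 1})))
```

If the API only offers SessionAuthentication, the same client would instead have to keep a cookie jar, read the csrftoken cookie Django sets, and echo it back in an X-CSRFToken header on every unsafe request, which is exactly the extra work the answer's "choose the right scheme" advice lets you avoid.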