Issues with Django authentication - django

I have a website that is being used by various corporate employees. Just today I have a user saying that everytime they login (even with correct username and password), they get an error saying they have to login to view the page. Basically, they type the right username/password and get forwarded to the home page, but that controller has a login required decorator which rejects them and they get sent back to the login screen. The user tried in IE10 and Google Chrome web browsers.
I have not been able to replicate this issue anywhere and unfortunately, i'm in no position to really ask this user for more information for debugging purposes :(. Has anybody seen this before??
I tried googling this, and i'm seeing issues with Django for IE but nothing with Chrome. Is there anything else that could be happening?
I'm using nginx+uwsgi on the server if that makes any difference.

Without more information this is pretty much impossible to solve.
Because no one else is having the problem and you can't reproduce it, I'm inclined to believe it's user error.
Have them clear their cache/cookies (The fact that it's multi-browser is troubling though), see if that helps.

Best guess so far without more information: The user has cookies disabled. I think Django auth relies on cookies.

Related

Need help tracking down a specific website (to identify Spotify account)

I stumbled across a website a while back where it showed the privacy repercussions of logging in to Spotify using the web version. I believe it used JavaScript but I can't be too sure. Anyway, this unrelated website was able to display my Spotify username despite me not authorizing anything. If I remember correctly, it also had slots for other services that I didn't use so it couldn't show my username there.
But what I'm interested in learning about is how it managed to get my Spotify username. Not because I plan to use the method but out of curiosity with how the whole thing works. When I found out about that page/site awhile back, it spooked me enough that I started using a different browser profile specifically for Spotify going forward because of it but I never got around to digging deeper into how it actually did what it did.
Cookies save your an access token for Spotify account after to success login of Spotify.
Next time, if open your browser go to
https://open.spotify.com/
It's java-script to access from your PC's cookies,
call this API with cookies an access token, get your information.
Then display your user name in the web page.
https://api.spotify.com/v1/me
If I copy from my Chrome browser the access-token and API URL,
Then access by Postman.
I can get the my user name.
Each browser has own location to save a cookies,
if you never login before other browser, will not pick up your information.
I did not login before by Firefox.
This is screen of login.

Starting using Instagram oEmbed feature

What is the correct way to start using Instagram oEmbed feature? Documentation (https://developers.facebook.com/docs/instagram/oembed/) claims that I have to pass App Review to start using the feature. And application form says Please provide a URL where we can test Oembed Read. Which I don't have because I have no access to the feature.
What I have tried with no success:
I requested instagram_oembed resource with:
app token of application in live mode
app token of application in
development mode
passed URL to a post by official Instagram account
(e.g. https://www.instagram.com/p/CQG4gZxMzzO/)
passed URL to a post
of a user who is Admin of the app
In all cases I receive (#10) To use 'Oembed Read', your use of this endpoint must be reviewed and approved by Facebook. To submit this 'Oembed Read' feature for review please read our documentation on reviewable features: https://developers.facebook.com/docs/apps/review.
Example of the request I do https://graph.facebook.com/v11.0/instagram_oembed?url=https%3A%2F%2Fwww.instagram.com%2Fp%2FCQG4gZxMzzO%2F&access_token=appAccessToken
We're also suffering from this issue, but so far, we thought we already figured out how to do that.
Big picture
Facebook had not sorted this thing out correctly. Or at least, we don't know why they put such a restriction to this API.
The official document is not correct. (or at least not accurate for now, for some part)
Which part was not correct?
The access token part is not right. Or at least, it's the most confusion part.
How can we resolve this?
Use the Graph API Explorer
Adjust your token(App token, Client access token, user token) with the official URLs(see below) to see if you can get the result
most of us should be able to get the result with user access token, which means you have to access this API after login!
Integrate into your app for review
The review page is also confusing:
Please provide a URL where we can test Oembed Read. Include the URL of a page, post or video from our official Facebook or Instagram pages, or the pages themselves., it means you can only use links like https://www.facebook.com/instagram or https://www.facebook.com/facebook
With that in mind, so far, the only way to get approved is integrate your oembed usage into your normal UI with facebook user access token ready
Question to the big picture
So, we have to ask user to login with our facebook app, then we can provide this oembed read API returned embed HTML? I'm afraid that's what we have now.
big companies might be able to apply for App Token, I guess in that scenario, facebook login is not necessary
for small companies, indie developers, hmmm, I don't know any better solutions so far.
I have run into this too. I do not have an answer at this time, I just want to report on the frustrations of their 'app review' process. Which makes it feel like you are unlikely to get it to work any time soon.
We have a custom embed code for our weblog authors to use (a shortcode kind of thing) which does the oEmbed call. We just take the HTML from the resulting JSON, and insert it into the weblog article page, and that is it. It stopped working, presenting this same error - in live mode, and in development mode.
The kicker is, I then tried submitting it for app review. Filled out everything I could to the best of my knowledge. Provided them a test account and post on our weblog to show the shortcode editing and expected placement. We got rejected. Why? Your embedding resulted in an error, we can't see it in action to approve you.
Yes. The error I am getting is that I need my 'app' to be reviewed and approved.
This is an infuriating process. This is the only Facebook / Instagram API feature we use at this point. No user data. No attempt to make an Instagram clone app or anything like that. Just an embed.
And they are making this simple use case as impossible to use as they can. And the documentation also feels like an infinite loop. They say users of the old Instagram embed call have until September 7 2021 to get approved. But the call does not work at all because we are not approved. So we cannot get approved.
Same loop here. I've managed to report it to Facebook team and get answer "Just submit your Instagram post URL"! I can't believe it, its can't be so simple. I've confirmed it few times with Facebook team person and.... get rejected!
Also, second form in App Review process will LOWERCASE all of your links and I've spent few days just to explain it to reviewers and support person. Still rejected after submitting proper url. This is insane.
My another attempt was about to build a test page where I can auth via Facebook account, parse connected Instagram accounts and GET embed endpoint with user access key in hope that reviewer HAS access to oembed feature - REJECTED. I can't even find what permission I need to add to auth URL to obtain oembed thing.
Will update my answer with new information later.
UPDATE: After reporting about the issue with lowercase URL in submission form they just APPROVED my app without APP REVIEW. Well... Facebook style...
I had exactly the same problem recently. Updated the packages with compose, changed the API version from 10 to 11... without any change.
The error was also occurring in development mode, it didn't make sense that Facebook was asking to approve in dev mode.
For me, the problem came from the management of scopes in my application, depending on the version of the Facebook API used.
My advice: check the scopes defined with API version in your code first.
I had the same issue and the solution is very simple. The only thing you need to do is copy paste an instagram url in the input field saying: Please provide a URL where we can test Oembed Read.
I did the this link: https://www.instagram.com/p/G/
Which is actually the first instagram post :) Got approved. Hope this helps everybody!

django-saml2-auth: Infinite Redirects on Login

I'm completely new to django-saml2-auth (and SAML2 with Django in general) and am trying to get it working with Microsoft ADFS.
When I hit my Django app it successfully redirects me to the federated login page, but after providing valid credentials, the app then goes into a loop where it's just flipping back and forth between my ENTITY_ID URL (which is https://myapp/saml2_auth/acs/) and a URL on the ADFS server with continually changing SAMLRequest values as a URL parameter.
The only clue I have to go on at this point is when I check my browser history, eventually one of the page titles for all this activity in the history is "SigVer Error" but after some cursory googling I'm not sure what that might mean. I saw some references to disabling signed responses at the pysaml2 level but didn't want to go too far with that without first trying to figure out if that's even the issue given the behavior I'm seeing.
Any ideas? I can share my settings if that'd be helpful but the only optional setting I'm adding is the ENTITY_ID value since that's required by ADFS.
Debugging is also a bit of a challenge since at this point even with the Django debug level set to DEBUG it isn't revealing much, so if there's debugging tips with django-saml2-auth people can share that would be much appreciated.
Since I'm new to getting Django working with SAML2 at all I'm also not married to django-saml2-auth if there's easier/better ways to do this. Thanks for any advice anyone can provide!
In case people come across this in the future, turned out to be my bad with my django-stronghold configuration.

Incorrect behaviour for some browsers with django-registration sign up flow

I'm receiving reports of several users running into issues with a django-registration sign up flow. I'm not able to reproduce it, and I believe it's just happening for certain browsers.
The problem happens when they follow the email activation link. Although the database shows they have successfully activated their email, they see the page that says that the link has expired. It's as if they visited the activation page already and then are seeing it for the second time. Initially I thought this was user error, but several users have reported it, which makes me think there is something else up.
One user has reported it working in Firefox, but not Safari, on a desktop - and not working on iPad or iPhone.
I have used django-registration a lot so I'm surprised by this bug and am drawing blanks about what it might be down to. Anyone have any ideas?
PS This is also happening with the same site, perhaps related: Django messages faulty, but only on one particular network

Facebook log out not working

Our app uses Facebook app API and as of this morning, our log out just stopped working. When you click logout on our app, it will log you out of Facebook, but our app still detects a Facebook session and allows the user to stay logged in.
We also noticed that the fbsr_* cookie isn't being deleted. Although I'm not sure if it's suppose to be.
Any help would be greatly appreciated! Thanks!
I am having the same issue. I went ahead in php and did $facebook->destroySession(); which helped however as of this morning it is still returning the same things. I am thinking its a bug on the facebook side.
I made a post here: https://developers.facebook.com/bugs/245362365535898