AllAuth Installation - django

I'm attempting to install and configure Django AllAuth and I've run into a plethora of obstacles. I'm afraid I'm simply missing a few basic concepts which might clear some things up.
1) In order to get basic social authentication working, what setup needs to be done inside the social provider (Facebook, Twitter, etc.)?
2) If this is the case then how would one develop locally? At first glance Twitter's API setup asks for redirect URLs, which would get hairy considering everything right now is hosted locally.
3) When I try and go to /accounts/login/ it redirects to /accounts/profile/ every time. Can't seem to figure out what's causing this redirect.
4) I was previously using Userena for my user authentication and was going to add Django-social-auth, but when I got into it that was giving me difficulty. I then found AllAuth, which seemed to fit my needs perfectly, but again I'm having some issues. Can anyone weigh in on this decision? Would you recommend one over the other, and if so why?
Facebook Error:
"Given URL is not allowed by the Application configuration.: One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains."
When I click okay it redirects back to my site. My browser gives me a security error and when I proceed through that I end up back at my site displaying:
"Social Network Login Failure
An error occurred while attempting to login via your social network account."

1) Have a look here: https://speakerdeck.com/tedtieken/signing-up-and-signing-in-users-in-django-with-django-allauth
(specifically, slide 61 and above)
2) Simply use 127.0.0.1:8000 in your redirect URLs
3) By default allauth redirects to LOGIN_REDIRECT_URL, which is set out of the box to /accounts/profile/: https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url
4) As I am the author of allauth I will skip answering this question myself. Browse through the complete presentation referred to by 1) -- the initial slides provide a good comparison of the various options.

Related

Is it possible to have google-auth within a Django template?

I have a django app that uses Google's allauth for signing up and logging in, but it first takes me to a google url and to sign in, i.e., my header and other parts of my site are not visible. Once I log in through my google account I'm redirected, so the logic works fine.
I'm just wondering if it's possible to have that process be done on my site.
For social auth I prefer to use Django Social Auth.
In regards to what OP is asking, I've never seen that before and as a user of a system I wouldn't want it like that. Who could grant me that OP wouldn't also be storing other relevant details of mine to perform that operation?
In fact, the idea of social auth is that one is passing the responsibility of authentication to Google or any other provider, hence going to their system to do that operation and then redirected back.

Facebook is considering our website URL as Invalid

When we are trying to add our website URLs https://taiwan.kisan.app and https://taiwan.kisan.in in the Facebook advertisement, we are getting the following error:
Invalid link URL Provided: The link URL https://taiwan.kisan.app used in the Ad is invalid. Please use a different URL and try again. (#2490193)
We are not able to understand what is causing this error, as our site has SSL and it can be browsed from the browser without error.
The site is hosted on Apache, AWS EC2 instance and there is a load balancer before EC2.
How can we fix this?
You can use a URL shortener service like bit.ly to quickly resolve this. You can also have a custom URL tag if you want. See Bit.ly Sign Up.
You might try running your website through the Facebook Debugger:
https://developers.facebook.com/tools/debug/
This tool was built to help to identify any errors that Facebook is reading from your website, and help provide information on what needs to be fixed to unblock your link.
From there, you can get help from your developers team or from the Facebook Developers team to make your website compliant and help our systems detect it as safe. Click the link below and select "Get Started" to open a support ticket with the Facebook Developers team (this option may not be available for all websites):
https://developers.facebook.com/tools-and-support/
The error may also occur because the URL is already being used by another Facebook page, possibly a forgotten page, a previous page, or an unofficial, unverified page that was created by someone else.

Facebook AllAuth Django Login

"Given URL is not allowed by the Application configuration: One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains."
First of all, I'm fairly new... I've been programming in Django for about a year. I have followed about 6 or 7 Django AllAuth tutorials and think I have a good grasp on setting it up. However, when I get to the Facebook login, it fails to work. I've set up my Facebook application via Admin, including API keys and app ID.
Can I not sign in via Facebook through my localhost? Do I have to be on an external server? I've researched this for about two months and still haven't found any correct solutions to the problem. Very frustrating... Any help would be much appreciated. Thanks!

Twitter OAuth and WebApp (with Ember)

Currently I am working on a WebApp with Ember.JS. Now I want my customers to log in with their Twitter account using OAuth, but I don't want my App to reload when they do.
So my idea was to have the login button open a popup to the Twitter authentication page, which redirects to my page, which has some JS based on the result, e.g.
window.opener.success(userdata);
and
window.opener.failure(error);
But since it first redirects to Twitter (the popup), browsers remove the window.opener properties to prevent cross-site scripting, even though it does redirect back to my own domain (where the JS code is).
Is there another way to go about this?
Edit: I could use postMessage, but this doesn't work in IE8/IE9 in a popup. Only in an iframe.
Yes, you have the same idea as some other programmers at Vestorly; they made a social authentication plugin called Torii. I would recommend this, as they have probably also taken care of all your obvious security concerns.

How can I secure a Django site

I have a working django site - up-and-live, working just fine. It uses Django's contrib.auth for authentication. It's hosted on Heroku. I would like to set up a clone of this site for demo purposes, but would like to add an extra layer of security around the site, which would be a very simple password-protection. Doesn't have to be bulletproof or unhackable - just enough to put 'muggles' off trying.
This authorisation layer should not in any way interfere with the site auth itself. It's just an outer ring (check once, store access rights in session). Because the site is hosted on Heroku this is not something I can do at the web server level - it has to be part of the app itself.
My nuclear option is to create a django app (working title 'perimeter') which would enforce this, but if anyone knows another way to do this, I would be really grateful.
Core features include:
Some mechanism for generating short tokens (< 8 chars)
Some mechanism for logging tokens against an email address
Prompt users for a token / email combination on first access of site
Unrestricted access to site thereafter (standard auth model kicks in at that point)
Typical user journey is:
Bob asks site owner (me) for access to demo site
I generate a token for Bob and send it him along with the site URL
Bob clicks on the link, gets redirected to page to input his email and the token
If the token is valid (expires after X hours / days), store in session, let Bob in.
If the token is not valid, 403 (/401).
(You may wonder why securing a copy of website that is already public makes any sense. It's because the site is a members-only site, and on the demo version it will be 'auto-enroll' so that people can see what it's like inside the site without having access to the real data. However, I would like to be able to track users on it.)
[UPDATE: alternative]
A blunt alternative is to add the token to the URL I send Bob, ignore his email, and simply validate the token itself. That would work so long as Bob always uses the URL in the email.
I have created my own solution to this - meet Django-Perimeter.
This app isn't packaged (yet) so you'll need to clone the source and add it in manually to your own django site, but it does work. It provides the ability to generate access tokens, and then secure access to the site (the entire site, not parts of it) using those tokens.
[UPDATE]
This is now available via PyPI - http://pypi.python.org/pypi/django-perimeter
You can install using pip install django-perimeter
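The token gate described in the question (short token logged against an email, checked once, result stored in the session, 403 on failure), sketched as an added example. This is not django-perimeter's code: the `Perimeter` class, the `perimeter_ok` session key, the 48-hour expiry and the 302 "go to the prompt page" status are assumptions made for illustration, and the session is modelled as a plain dict.

```python
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LENGTH = 7              # "short tokens (< 8 chars)"
DEFAULT_TTL = 48 * 3600       # assumed expiry; the post only says "X hours / days"
SESSION_KEY = "perimeter_ok"  # hypothetical session key


class Perimeter:
    """Hypothetical in-memory token store: email -> (token, expires_at)."""

    def __init__(self, clock=time.time):
        self._tokens = {}
        self._clock = clock

    def issue(self, email, ttl=DEFAULT_TTL):
        """Generate a token for an email address and record its expiry."""
        token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LENGTH))
        self._tokens[email.strip().lower()] = (token, self._clock() + ttl)
        return token

    def is_valid(self, email, token):
        """True only for the token logged against this email, before expiry."""
        stored, expires_at = self._tokens.get(email.strip().lower(), ("", 0.0))
        # Constant-time comparison; unknown emails compare against "".
        supplied = token.strip().upper().encode()
        matches = hmac.compare_digest(stored.encode(), supplied)
        return bool(stored) and matches and self._clock() < expires_at

    def gate(self, session, email=None, token=None):
        """Return the HTTP status the outer ring would produce for a request."""
        if session.get(SESSION_KEY):
            return 200                    # already checked once in this session
        if email is None or token is None:
            return 302                    # no credentials yet: send to the prompt page
        if self.is_valid(email, token):
            session[SESSION_KEY] = True   # store the access right in the session
            return 200
        return 403                        # wrong, unknown or expired token
```

Because the tokens are this short, a deployment of the same idea would also need to limit failed attempts per client and keep the session lifetime bounded.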