I am using django-allauth for one of my projects. I would like to implement the login/signup process via ajax. I would like to have a customized signup form. I was going through their signupmixin and signup form. Sounds like I can write custom views for each action and map it to the url config. I am not sure what is the best way to do this.
Thank you so much for any help or advice on this.
It depends a bit on what you mean by ajax. If you just want to have a popup-style login/signup box on every page, then you can simply add the form to your base template and show it dynamically using Javascript in a popup box or so. If you keep the form action url to the original allauth urls then this will already give the feel of an ajax signin. You could also tweak things by using $.ajax or $.post to post to the original allauth views.
Something like the above is done on http://officecheese.com/ -- this is an allauth based site, though I am not affiliated with it.
If by ajax you mean that all authentication related views should be displayed via ajax, without causing a new document reload, then I am afraid you are a little bit out of luck. This simply is problematic for scenarios where e-mail verification or OAuth handshakes are involved, as here you are typically navigating to a new URL from your mailbox, or redirecting to Twitter and so on.
Related
I'm currently using out-of-the-box django.contrib.auth to handle authentication in my Django app. This means that the user starts at a log in page and is redirected to the app on successful login. I would like to make my app single-page, including this login process, where a redirect doesn't happen, but maybe a "hot" template switch-out or some fancy client-side div magic (that still remains secure). My Google searching turned up pretty short, the closest solution dealing with putting a log in form on every page.
Any direction or ideas here would be much appreciated. I would obviously prefer to work within the existing confines of django.contrib.auth if possible, but I'm open to all solutions.
I'm not sure I understand your question completely. I think you want to have a single page. If so, put logic in your template that checks to see if the user is authenticated. If not, display a login form that POSTS to the appropriate django.contrib.auth view. You can supply an argument to this view to have it redirect back to your page. When you come back, the user will be authenticated, so you won't display the login form.
Have a look at Django-Easy-Pjax https://pypi.python.org/pypi/django-easy-pjax - it works like a charm and is well documented. Everything you like is being made with AJAX requests: links, forms using GET and forms using POST.
Essentially you only need to add a data-pjax="#id_of_the_container_where_the_result_goes" attribute in your a and form tags.
And the great thing about it: It updates the title and location bar of your browser.
One caveat: If you want to upload files in some form, this is not supported by Easy-Pjax, so you might want to use some workaround jQuery library for that.
Is there a good way to have both the login and register forms for django-registration on one page? I've had trouble finding a way to do it now that the backend system is enforced. Is there a view that can be overwritten that would allow you to add both forms to it? Anyone done this before or can point to an article about this?
Edit: Just to clarify I have the whole django-registration and login system set up and working properly, I'd just like to get both forms on the same page. I do not have access to their views.
Just hard-code your login-form in the registration-html-template. It should work like a charm.
You can always override the default login and registration views/templates. You can take a look at this link and see if this was what you were thinking to do. Then, you can read the Django documentation for further information about making custom login and registration views and templates as well.
My Django site is vulnerable to spam, so I would like to include captcha protection. The problem is that a lot of components are from third party sources, and don't include captcha verification. While I could modify their views, that would affect the code's portability/upgradability, so I would rather not. I can only modify their templates.
I have a solution, but it is a bit messy, and before I start implementing, I want to see if anyone has a better one.
My solution is as follows:
1) Redirect all POST forms on the site to target a "captcha bounce" app that will programmatically reconstruct their post request, check if the captcha is correct, add a verification token to the post, then redirect back to the original post target.
2) Implement a new type of middleware that will check all post requests. If the post request is not targeting the "captcha bounce" url, the middleware will return an error unless the verification token is present.
As I said before, this seems needlessly messy. Does anyone have a better idea?
It depends on app message but:
you can usually wrap their views into your views and add extra processing
you can extend their forms to add your captcha fields
you can add a template tag that is an extra JavaScript check and just add it to your templates.
Ok, I figured it out. This should be doable just by using middleware. Just give it a list of views that it should check for captcha correctness. In the case of a wrong response, it cuts the post out of the request and/or activates some sort of error variable. Much simpler.
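A sketch of the middleware idea from this thread, added here as an example and not code from the original posts. It is written as plain WSGI middleware so it wraps a Django project without touching third-party views; the `captcha_response` field name and the `verify` callable are assumptions, and it rejects a failed check with 403 instead of stripping the POST data.

```python
import io
from urllib.parse import parse_qs

MAX_FORM_BYTES = 64 * 1024  # assumed cap; larger bodies are refused, not parsed


class CaptchaGate:
    """WSGI middleware: POSTs to the listed paths must carry a valid captcha answer."""

    def __init__(self, app, protected_paths, verify, field="captcha_response"):
        self.app = app
        self.protected = frozenset(protected_paths)
        self.verify = verify  # callable(str) -> bool, e.g. a call to the captcha provider
        self.field = field    # hypothetical form field added through the templates

    def _forbidden(self, start_response):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"captcha check failed\n"]

    def __call__(self, environ, start_response):
        is_post = environ.get("REQUEST_METHOD") == "POST"
        if not (is_post and environ.get("PATH_INFO") in self.protected):
            return self.app(environ, start_response)
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            return self._forbidden(start_response)
        if length > MAX_FORM_BYTES:
            return self._forbidden(start_response)
        body = environ["wsgi.input"].read(length)
        # Only urlencoded forms are understood here; a multipart body has no
        # parsable captcha field and is therefore rejected.
        form = parse_qs(body.decode("utf-8", "replace"))
        answer = form.get(self.field, [""])[0]
        if not self.verify(answer):
            return self._forbidden(start_response)
        # Give the consumed body back so the wrapped view can still read it.
        environ["wsgi.input"] = io.BytesIO(body)
        return self.app(environ, start_response)
```

In a Django project this would wrap the object returned by `get_wsgi_application()` in `wsgi.py`.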
I have an HTML form in my Django web application (NOT implemented using Django forms) that does POST request.
Now I want to implement a feature so that other web apps, not necessarily django, from different domains, can send some data to my application and get redirected to the web page with this form, partially filled with that data (the data can be JSON).
Besides redirecting, after the user clicks submit on my form, I would also want to send a message to the other server with some short text information.
I am not sure what is the best way to implement this. REST interface like Piston?
Could you give me some general directions I should follow?
You should create a view that handles the POST data from the form and the external web apps.
You should be able to check whether the data you are getting in the view is coming from your site or another by checking request.META['HTTP_REFERER'].
If it is from your site, you can just handle the form as you usually would.
However if it is from an external site, you would instead render the template with the form in it. You can put the information you got from the external site into the context, so you can pre-fill the form in the template.
You should also include a flag in the form to say that this was from an external site, something like:
<input type="hidden" name="external_site_url" value="{{ external_site_url }}">
After that form is submitted, you can check for the existence of external_site_url. If it exists you can then send the message to the other server.
Note, because you want other apps to use your view, you'll have to disable CSRF protection on the view (https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#csrf-protection-should-be-disabled-for-just-a-few-views).
Also, by allowing other apps to use your view, you are opening yourself up to a lot of possible attacks. Be very careful with input validation and only give the view the ability to do the things it really needs -- you don't want an external app to be able to delete entries in your database for example.
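The input validation this answer asks for, as an added example that is not code from the original post: because the view is CSRF-exempt and the hidden `external_site_url` field comes back from the browser, both the prefill data and the callback target are treated as untrusted. The partner origin and the field names are assumptions.

```python
import json
from urllib.parse import urlsplit

# Assumed configuration: origins allowed to prefill the form and be notified.
ALLOWED_PARTNERS = {"https://partner.example"}
# Assumed form fields an external app may prefill, with maximum lengths.
PREFILL_FIELDS = {"name": 100, "email": 254, "comment": 1000}


def origin_of(url):
    """Return the normalized https origin of url, or None if it is unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed or out-of-range port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username or parts.password:  # refuse user:pass@host tricks
        return None
    origin = "https://" + parts.hostname.lower()
    return origin + (f":{port}" if port and port != 443 else "")


def clean_prefill(raw_json):
    """Keep only allowlisted string fields; unknown keys and oversize values are dropped."""
    try:
        data = json.loads(raw_json)
    except (TypeError, ValueError):
        return {}
    if not isinstance(data, dict):
        return {}
    return {
        key: value
        for key, value in data.items()
        if key in PREFILL_FIELDS
        and isinstance(value, str)
        and len(value) <= PREFILL_FIELDS[key]
    }


def callback_target(external_site_url):
    """Return the partner origin to notify after submit, or None.

    Only the origin is returned: the notification should go to an endpoint
    configured per partner, never to a path taken from the request.
    """
    origin = origin_of(external_site_url or "")
    return origin if origin in ALLOWED_PARTNERS else None
```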
Maybe it's a stupid question, but I'm trying to login to my django app using a form that is outside django. My guess is that I could send a POST request to /login, but that would fail because of the csrf token.
Maybe I'm missing some kind of theoretical background, but I would like to know what's the correct way to achieve this.
Background info:
The django authentication is working fine IF you use the django login forms. What I'd like to do is to use an external static html form (on an apache outside django), to post to django directly so when I redirect to my django server, I don't have to login.
CSRF exists to prevent exactly this. Although you no doubt have good intentions, there's no technical difference between this and a hacker trying to steal access to your site via a real CSRF attack.
Sounds like you need a single-signon service like CAS: http://code.google.com/p/django-cas/
(but it's possibly overkill)