I am testing a Rest server using Django Rest Framework. By following the tut from Django Rest website I successfully generated a proper API. But when I try to test with backbone.js to talk locally with that server, it seems fail to communicate together.
The server places at address: http://localhost:8080/users/
The client: http://localhost/client
This is the collection and the view in client
var Users = Backbone.Collection.extend({
url: 'http://localhost:8080/apis/',
});
The network after parsing shows status: canceled and type: pending
I suspect the port different caused the error. Could any point me out the correct way ? Thanks
The browser does not allow you to make POST/PUT ajax requests from localhost(:80) to localhost:8080, because of the Same Origin Policy requirement. In order for the browser to consider two addressed as having same origin, they must have the same protocol (http/https), domain name (localhost) and port number.
You can configure the web server at localhost:80 to proxy requests to localhost:8080. Most web servers support this functionality with a simple configuration change. If you are for instance using apache, see documentation.
Sample Apache proxy config:
ProxyPass /api http://localhost:8080/
ProxyPassReverse /api http://localhost:8080/
After this, you can access an address at localhost:8080/users with localhost/api/users:
var Users = Backbone.Collection.extend({
url: '/api/users',
});
Related
I am trying to deploy my application using below tech stack:
Angular - Frontend
Django - Backend
When I am trying to access over https my app the backend is giving following error
Not Found: /
[05/Jul/2021 00:57:08] "GET / HTTP/1.1" 404 2356
[05/Jul/2021 02:42:50] code 400, message Bad request version ('À\x14À')
[05/Jul/2021 02:42:50] You're accessing the development server over HTTPS, but it only supports HTTP.
You're using the development server to host the application, this is not suggested and does not work with https only http.
Use a production grade server like:
Apache
Nginx
Others
For more information visit the django-depolyment docs
You will also need to generate and sign a https certificate, for that I would suggest using Lets Encrpty
I'm currently working on a React project. The development server (Bottle/Python) for the project is hosted remotely, and my React dev-server is localhost. Part of the authentication process for the application involves setting a cookie on login, but because of same-site and secure rules that cookie is not being set, meaning that my dev frontend can't access any of the data that it needs.
Myself and the server engineer have added SameSite=None to the cookie as well as secure, but because my localhost is not https the cookie is still not being stored properly (I get the error message "this Set-Cookie" was blocked because it had the "Secure" attribute but was not received over a secure connection").
There are no issues when the app is deployed because everything is on the same domain, but for now we're stuck - we've been trying to solve the issue for several hours but can't seem to get it.
My question is - what is the best development practice if you need to access a non-local development server, but can't actually just have your own version of the server running on your local machine?
Do I:
Need to make my localhost https somehow?
Need to make the dev-server domain https?
Need to install the server locally because there's just no way to do this?
Apologies if this is a noob question, it would be great to have some advice.
Many thanks.
The short answer is:
No
Yes
No
You can run your app on http://localhost:port. Assuming response from your dev server has in response headers Set-Cookie of the cookie which has Secure flag, your dev server URL has to be https in order to have the cookie accepted by the browser.
I have this setup and it works just well.
Regarding CORS (as mentioned in the title of the question): you have to have you server configured to accept credentials and to have allowed origins configured. The client app when doing XHR request has to have withCredentials:true. Check the points 2 and 3 in my post for details.
Also note, that if you are using Chrome you can bypass for development purposes the requirement to have SameSite=None and Secure by disabling the flag "Cookies without SameSite must be secure", also detailed here
TO protect app from CSRF attack we set a cookie named XSRF-TOKEN from server side. So from client side code we are able to set-cookie and send across to server, But to validate CSRF in the server side we need to send header while firing 'POST' service call. As per angular document automatically $http sets header X-XSRF-TOKEN by reading the cookie ( Please refer link), but Javascript code is unable to read the cookie though we have deployed our application on same domain.
Server side cookie generation code and service deployment details are as below,
final Cookie newCookie = new Cookie(
"XSRF-TOKEN",
csrfValue);
newCookie.setPath("/");
httpResponse.addCookie(newCookie);
UI is deployed in 8080 port and service is deployed in port 8084 inside same VM
Port 8080 and 8084 are different origins, so you can't read cookies from one on the other, the same as you can't access the cookies of any other website in javascript running on yours.
How does the service authenticate the user? If it's token based, and the token is sent as a request header, you don't even need further protection from csrf.
I'am getting an error message from Angular whenever I try to make an AJAX call to an endpoint of my backend (on a separate domain, running Django 1.7):
Cross origin requests are only supported for protocol schemes: http,
data, chrome-extension, https, chrome-extension-resource
I do have django-corsheaders installed, CORS_ORIGIN_ALLOW_ALL = True and the middleware set up properly. So what's wrong?
I am not sure if this information is relevant, but I am still testing everything on a single host, meaning there is one XAMPP server running for the Angular frontend at localhost and one Gunicorn instance running at localhost:5000 for the backend.
I have followed this tutorial: http://www.stephendiehl.com/?p=309 describing how to run a gevent pywsgi server serving Django with socketio behind a nginx front-end.
As this tutorial says, Nginx doesn't support websocket unless using a tcp proxy module. This proxy module doesn't support the use of the same port for socketio and classic serving, from what I understood the configuration look like that:
nginx listen on port 80
nginx tcp proxy listen on port 7000
Everything is forwarded to port 8000
Problem: the resulting socketio request doesn't include the django cookie containing the session id so I have no information on the requesting user in my django view.
I guess it's caused by the fact that the request is made to another port (7000) causing the browser to identify the request as cross-domain ?
What would be the cleanest way to include the django cookie into the request ?
Most answers in this question seem to indicate that port doesn't matter.
Also checked and supposedly WebSockets is regarded as HTTP, so HTTPOnly cookies should still be sent.
SocketIO seems to be using a custom Session manager to track users. Maybe try and link that up?