CSRF handling with Adobe Flash Application using Django backend - django

I'm building a flash game that uses Django as a backend.
I currently have an api endpoint set up using django-tastypie, which the flash app can call to receive JSON data for populating the application.
I understand using simple django views, and templating system, one is able to simply include a csrf_token in a webpage with the aid of the middleware.
My problem now is trying to post data back to the server without using csrf_exempt, and the flash application ideally, can be run without inserting params tags. Hopefully, a standalone swf file that'll work as it is.
How would one get a csrf_token into the flash app so it can post data back to the server without security concerns?
If the csrf_token way is not possible, are there any other ways to post data securely?
I have searched many avenues leading to similar questions, but many are unanswered.
Maybe I'm missing something here as I'm engrossed in my perspective. I hope someone can enlighten me on better ways to do it.
Thanks in advance.

It sounds like you may have two problems:
How do I actually send the CSRF token with my POST requests from Flash?
Django also accepts CSRF tokens via the header X-CRSFToken. See the docs here.
You can append headers to your request like so:
var req:URLRequest=new URLRequest();
req.url="http://somesite.com";
var header:URLRequestHeader=new URLRequestHeader("X-CSRFToken","foobar");
req.requestHeaders.push(header);
URLRequests docs are here.
How do I get the CSRF token into my Flash file in the first place?!
(Option A) Because CSRF tokens are generated on a per request basis (e.g., with templating a traditional HTML form, on a GET request) the simplest thing to do is to pass the CSRF token to the Flash file via a templated parameter. Something like: <param name="csrf_token" value="{{ my_csrf_token }}" />
(Option B) It sounds like you don't want to do the parameter thing, so your final option is to build a custom Django view which has the sole functionality of delivering a CSRFToken to your Flash file. So the Flow would be your Flash file loads, your Flash makes a GET request to http://mysite.com/csrf_token/ which simply returns a valid CSRF token, and then you can use that token to do your POST. (Note you will need to do a GET request for each POST request).

Related

My Flutter frontend on FlutLab does not see my Django backend on Repl.it

I am trying (unsuccessfully) to get data from my django backend, developed on repl.it, to my flutter frontend, developed on FlutLab. On Flutter side, I get data successfully from, for example, https://jsonplaceholder.typicode.com/users. On Django side, I render my data normally and get data by Postman, also without problem.
But if my frontend send get() request directly to backend, I see just my circular indicator.
My URL on Flutter/Dio looks like
Response response = await Dio().get("https://djangobackend.myaccountname.repl.co/");
My ALLOWED_HOSTS on Django looks like
ALLOWED_HOSTS = ['djangobackend.myaccountname.repl.co', '0.0.0.0:3000', 'localhost', '127.0.0.1']
My browser is Chrome. My backend and frontend run on the same device (PC).
Actually I have no idea which host I need to use in this case, so, I just added all I could think of.
Is it possible to get data from my backend to frontend in this case and how to do it if yes?
If I need another IDE, please let me know. The limitation is: I can use online IDE only.
I also can provide more details if necessary.
All ideas are highly appreciated!
UPD: This is because of CORS policy, as you can see on attached screenshot.
Your problem is probably related to CORS policy. To check it, please, open Dev Tools => Console on your browser. Probably you need to add 'api.flutlab.io' and 'flutlab.io' to the "Access-Control-Allow-Origin" header on the server-side. If you need some more help, please attach screen or text of errors from the console mentioned above.

ckan.toolkit.redirect_to does not redirect

I'm currently developing an ckan extension, where i need to redirect to a url on a different domain.
In my plugin i defined a custom action function:
#side_effect_free
def download_json(context, data_dict):
toolkit.redirect_to('http://my.json-builder.com?id=1234')
But when i call this endpoint i just get following response:
response screenshot
So i assume that the action function is called, but the redirect_to call does not redirect to the url i defined.
Thanks for your help!
Florian
It's a bit hard to figure out what you're trying to accomplish but here's a few things I hope will help.
Short Answer:
No, you can't redirect from an API endpoint in CKAN. The endpoint response in CKAN is built up and expects certain things from your action. Your action should return some kind of result. In your case it's returning nothing but trying to redirect. A logic action function with IActions is not the same as a Blueprint or pylons controller action.
See Making an API request docs, specifically the breakdown of an API response in CKAN. Also, you can review the pylons implementation that builds up the API response or the flask blueprints implementation.
More Info to help with your approach:
You say you are trying to call an endpoint that redirects a user to a different domain url. Based on this consider the following:
The first thing I thought you wanted was to have a url that someone goes to through the web interface of your site and are redirected to another site. In this case your example code of toolkit.redirect_to('http://my.json-builder.com?id=1234') makes sense and works for a custom controller action using/implemented with IRoutes or if you're using flask then IBlueprint. A User would go to a URL on your site such as http://localhost.com/download_json and be redirected to the new URL/site in their browser.
If you are intending this to be an API call for other users this starts to feel a little bit odd. If a user is using your API, they would expect to get results from your site in JSON CKAN's API is designed to return JSON. Someone consuming your API endpoint would not expect to be redirected to another site e.g. if I called http://localhost.com/api/3/action/download_json I would expect to get a JSON object like
{
help: "http://localhost/api/3/action/help_show?name=download_json",
success: true,
result: {
...
}
}
They would look for success to make sure the call worked and then they would use the result to keep moving forward with their desired processes. If you do want someone via an API to get redirect info I'd likely return the redirect url as the result e.g. result: {'redirect_url': 'http://my.json-builder.com?id=1234'} and document this well in your extension's API docs (e.g. why you're returning this endpoint, what you expect someone to do with it, etc).
If this is an API call for your own extension I'm guessing what you are trying to do is use my.json-builder.com to build a json of something (a dataset maybe?) and return that json as the result at your endpoint or maybe even consume the result to make something else? If that's the case, then in your function you could make the call to my.json-builder.com, process the results and return the results to the user. In this case, you're not actually wanting to redirect a user to a new site but instead make a call to the new site to get some results. If you actually want the results for your extension you don't need an additional endpoint. You could make the call from your extension, consume the results and return the desired object you're trying to create.
Hope this helps and sorry if I've miss-understood completely.

How to send POST variable in POSTMAN

I can't get POSTMAN to send any post variables to my Django app. Suppose I have a post variable called 'report_request' and it has a value that is a JSON string. On the Django side I want to get request.POST['report_request'] and parse the JSON into a dictionary. But POSTMAN never seems to send the POST data. How exactly do I do this? Is there some magical header I need to send?
Doh! My bad. The URL I need to connect to is really HTTPS rather than HTTP, but I was specifying the URL as http://. Apparently if Postman is asked to connect to an HTTPS site using HTTP, it silently just drops all POST variables. How lovely. Anyway it was an easy fix, just change the http:// url to https:// and all is well.
Be sure to provide the POST data in the body (body tab) of the request and not in the parameters (params tab).
Otherwise, POSTMAN will interpret your POST request as being without data and on a url with GET parameters.
See these specifications about csrf if needed
Check if you're sending the csrf token, it's a security feature.
https://docs.djangoproject.com/en/1.8/ref/csrf/

POST 403 Forbidden for Chrome extension with Django on the backend

I've never developed Chrome extensions before and currently working on the Chrome extension (with link submission functionality) for my Django-powered app. When I try to submit a link using the extension I get the following error:
'POST http://127.0.0.1:8000/add_link_from_extension 403 (FORBIDDEN)'
This can be solved by passing csrfmiddlewaretoken in the postdata JSON, however, obviously I can't do
<script>var csrfmiddlewaretoken = "{{ csrf_token }}"</script>
in the html file from Chrome extension. How would you pass csrf_token from Django to Chrome extension's JavaScript? Alternatively, is there any other way around this issue? Here's the relevant portion of the JS code from the Chrome extension:
postdata = {
"url":url.value
//"csrfmiddlewaretoken": csrfmiddlewaretoken
};
$.post('http://' + "127.0.0.1:8000" + '/add_link_from_extension', postdata, success);
You can try to set a cookie with the CSRF token (see: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax). Or, simply decorate your view with csrf_exempt.
Personally, I find both methods sub-optimal. Really, if you're going to allow external access to your site through something like a browser extention, you should set up and use an API, and in particular, if you're going to allow any sort of write access, you should add an authentication layer with something like OAuth. django-tastypie is a good drop-in API solution you can try, and it supports OAuth out of the box.

api request returns json files and not html/xml browser content

I am sending get httpwebrequests to the facebook graph api and all was working fine till I deployed to production server and now module that expects html/xml response is not working and when tested url in internet explorer, the save file dialog pops up and the file needs to be saved.
Other modules also send requests to the facebook graph but just differ in the form of requests so not sure what is going on here.
Any ideas appreciated
Edit:
Let me try and rephrase this. On my production server the httpwebrequest was not returning the correct result. So to Test it I copied the url http://graph.facebook.com/pepsi which is an example, should return the profile info viewable in the browser. The server has internet explorer v8 and I am not sure why it tries to download the file instead of displaying it in the browser. this is what is happening in my code and when I make a request to a different part of the api, then it works in my app but not in the browser
Your question is not very clear. From what I gather, you want the display the JSON response in a browser. Instead, you are being asked to download a file by the browser.
Well, this is normal behaviour. The response you get from Facebook would most likely have a MIME type of application/json. Most newer web browsers display the text in the browser itself. Some browsers, however don't know how to handle this content type and just ask you to download the file.
You mentioned that your module expects an html/xml response. Try changing this to application/json.
You also said that it works in your app but not in your browser. I don't know what you're making, but generally you wouldn't show raw json to the user in a browser, right?