I have a cakephp application that has a users database and currently has approximately 50 users.
I was wondering what would be the best way to migrate the application to django without affecting the users.
I am concerned because the passwords are all encrypted of course, and most probably the encryption will not be the same in django.
The simplest approach would be to create the users with random passwords in your new application, then when switching send them an invitation with a login link. Take a look at this app: https://github.com/fajran/django-loginurl
Then ask the users to choose a password when they login the first time.
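A self-contained sketch of that invitation-link flow, added here as an example (it is not code from django-loginurl or from the answer above). It assumes an in-memory dict standing in for the table of unredeemed links and a server secret held in memory; the link carries the user id, an expiry and a random token id, all HMAC-signed, and the token id is deleted on first use so a link works once and only until it expires.

```python
"""One-time, expiring login links for migrated users (constructed example)."""
import base64
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # hypothetical; a real app keeps this in settings
_pending = {}                            # token id -> user id; stands in for a DB table
SIG_LEN = hashlib.sha256().digest_size


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def make_login_link(user_id, base_url, ttl_seconds=7 * 24 * 3600, now=None):
    """Build the link to mail to the user. `now` is injectable for tests."""
    now = int(time.time()) if now is None else now
    token_id = secrets.token_hex(16)
    payload = f"{user_id}:{now + ttl_seconds}:{token_id}".encode()
    raw = payload + _sign(payload)
    token = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    _pending[token_id] = int(user_id)
    return f"{base_url}/login/{token}"


def redeem_login_link(url, now=None):
    """Return the user id the link authenticates, or None if the link is
    malformed, tampered with, expired or already used."""
    now = int(time.time()) if now is None else now
    token = url.rsplit("/", 1)[-1]
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    # verify the signature before trusting anything inside the payload
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    user_id, expires, token_id = payload.decode().split(":")
    if now > int(expires):
        return None
    # single use: pop() deletes the id, so replaying the same link fails
    if _pending.pop(token_id, None) != int(user_id):
        return None
    return int(user_id)
```

In a Django app the signed, expiring part is what django.core.signing.TimestampSigner gives you; the single-use record still needs a table, which is what django-loginurl keeps in the database. Once the link is redeemed, log the user in and send them straight to a set-password form.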
Second way, not so nice - but if you don't want to ask for the password again and you don't have a way to decrypt the existing one:
Modify your existing application in a way that it sends the username and password (taken from the existing login form - so you have it in cleartext) to the new backend. Then pull the profile from the legacy-app to the new one and create/migrate the user-profile.
We are rebuilding our old analytics website in Django. Our old website was built with LAMP stack. We have the usernames and passwords for all our accounts in un-hashed form.
Now I want to migrate all those usernames and passwords to our Django website. All our users should be able to login to the new Django website using the same username and password.
Can someone suggest some best practices to do this? How to achieve this objective efficiently?
all our accounts in un-hashed form
Please do not do that. Django is designed for security. By default, Django uses the PBKDF2 algorithm with a SHA256 hash.
So, during data migration, you must pass your plain-text password through a hash function and save the hashed password to the database.
By applying the above approach, you do not need to force users to reset their password.
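What that migration step looks like in practice, as an added example (not code from the answer or from Django itself): the function below produces the <algorithm>$<iterations>$<salt>$<hash> string that Django's PBKDF2-SHA256 hasher stores, using only the standard library, so the rows can be written into the user table and verified by Django's own check_password afterwards. The iteration count and 12-character salt follow the older Django defaults; current Django releases use far more iterations, and Django will upgrade the hash on the user's next login anyway.

```python
"""Import plaintext legacy passwords as Django-format PBKDF2-SHA256 hashes (added example)."""
import base64
import hashlib
import hmac
import secrets
import string

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 12000  # older Django default; raise to your Django version's value
SALT_ALPHABET = string.ascii_letters + string.digits


def make_django_password(password, salt=None, iterations=ITERATIONS):
    """Return the encoded hash string Django stores in auth_user.password."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(12))
    if "$" in salt:
        raise ValueError("salt must not contain the field separator '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"


def check_django_password(password, encoded):
    """Verify a candidate password the way Django does: re-encode and compare."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    recomputed = make_django_password(password, salt, int(iterations))
    return hmac.compare_digest(recomputed, encoded)


def migrate_users(legacy_rows):
    """legacy_rows: iterable of (username, plaintext). Returns (username, encoded) rows
    ready to insert into the Django user table; the plaintext is not kept."""
    return [(username, make_django_password(plaintext)) for username, plaintext in legacy_rows]


# constructed sample input standing in for the legacy export
LEGACY_EXPORT = [("alice", "correct horse"), ("bob", "battery staple")]
MIGRATED = migrate_users(LEGACY_EXPORT)
```

Run the migration once, write the encoded strings into the user table, and then delete the plaintext export; there is no reason for it to survive the cutover.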
The easiest solution would be to export all the user accounts from the old platform into the Django auth_users table, with either a Python script or some SQL trickery-pokery.
Whilst this method takes a little more work from the user's point of view, it is the safest option (especially because you stated passwords are not encrypted).
After all usernames/emails are in the new table I (personally) would not set a password for those migrated user accounts. Instead, make sure you have set up Django's password reset screens (this is built into Django). You can then get the users to reset their own passwords, allowing them access into the new application.
I am using Django rest framework to build my application backend. I have used Django-rest-auth (https://github.com/Tivix/django-rest-auth) to enable login and registration for my app. It is already working.
However as per my new requirement, I have a list of usernames and only those usernames can register into my system. How can I achieve this?
I had a few ideas (I do not know if they make total sense):
1. A new model to store usernames, so that in future more usernames can be added via admin interface
2. Whenever a user makes a call from client: the entered username is checked against this new usernames table and if it exists in the table registration is allowed.
Or there can be a still easier way to do this? Any code snippets?
So I know it is really BAD PRACTICE to store a user's password in cleartext (even encrypted)... But here is my problem.
I am developing an in-house automation web-app using django as my backend and users login using their LDAP credentials. My app interacts with several 3rd party applications (Jira, Jenkins, Gitlab) that also use ldap credentials for user authentication. I would also like the ability to write to the users (linux) file system from the server (saving generated scripts).
What are my options?
The only one I have thought of is to encrypt the password when the user logs in and store that in the Django session. Encryption and decryption keys will be generated per session and saved using Django's sessions. The password will be decrypted whenever a password is needed, but it will never be saved as clear text.
*Obviously the user will need to consent to this method.
Any other ideas?
If we're talking about logging into the user's account using SSH, you can use public/private keys to do that. When the user logs in, use his password to connect to his account and create an authorized_keys file there (or edit the existing one) inside the ~/.ssh directory. That way you will have SSH access later.
Additionally, you can create some scripts that will handle those filesystem changes at root level.
I know that Jira and Gitlab can use OAuth and I'm pretty sure Jenkins understands that also. So you might be able to generate an OAuth-Token for the user on login (when you have the password in cleartext) for those systems and then use that token without the need to store the password.
Regarding the SSH-Access #GwynBleidD already gave a good answer.
I'm thinking about migrating one of my Django applications to Meteor. But there is one question I'm trying to answer before doing this: How does Meteor encrypt a password? (with the accounts-password package?)
In my case, I used the default django password encryption:
Django provides a flexible password storage system and uses PBKDF2 by default.
The password attribute of a User object is a string in this format:
<algorithm>$<iterations>$<salt>$<hash>
So my passwords are stored like this:
pbkdf2_sha256$12000$Z0rof3EQy1p2$wezcf334ytyBm12CPcdlNZLrkWYkaQklk4wHt5jxgWE=
Is it impossible to make Meteor adopt the same scheme so as my current users can continue to use my application without resetting their password?
accounts-password uses SRP to authenticate users. This was mentioned in the blog post for meteor 0.5:
Support for the Secure Remote Password protocol. Developed at Stanford, SRP lets a user securely log in to a server without ever sending that server their unencrypted password. The kind of high-profile security breaches at LinkedIn and Pandora earlier this year are impossible with SRP. Instead of asking every application developer to safely store passwords, we've baked the very best technology right into Meteor Accounts.
It's also discussed a little bit in this recent video. Side note - it's interesting that they are considering adding bcrypt in the future.
So for now, the good news is that meteor does not store password-equivalent information in the database. The bad news is that your users will need to reset their passwords if you choose to migrate your framework.
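To make concrete what the answer above relies on, here is a complete SRP-6a exchange with both sides in one script, added as an example (it is not Meteor's code, and Meteor's exact group, hash and proof construction are not assumed). It uses the RFC 5054 1024-bit group with SHA-256: at signup the client derives a verifier v = g^x from the salted password and the server stores only (salt, v); at login the password never leaves the client, and both sides arrive at the same session key only if the client knows the password behind v. The record stored by the server is what a database leak would expose, and it cannot be replayed to log in as the user.

```python
"""SRP-6a password-authenticated exchange, both sides in one script (added example)."""
import hashlib
import hmac
import secrets

# RFC 5054 Appendix A, 1024-bit group; g = 2
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding, as SRP-6a requires for hashed values."""
    return n.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(username: str, password: str, salt: bytes) -> int:
    """x = H(salt | H(username ':' password)); computed only on the client."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def register(username: str, password: str) -> dict:
    """Client side at signup. Only (username, salt, v) is sent to and stored by the server."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(username, password, salt), N)
    return {"username": username, "salt": salt, "verifier": v}


def login(record: dict, password: str) -> bool:
    """One login attempt. Client steps use `password`; server steps use only `record`."""
    # client: ephemeral private a, public A
    a = secrets.randbits(256)
    A = pow(g, a, N)
    # server: reject a degenerate A, then compute its public value B
    if A % N == 0:
        return False
    b = secrets.randbits(256)
    B = (k * record["verifier"] + pow(g, b, N)) % N
    if B % N == 0:
        return False
    u = H(pad(A), pad(B))  # scrambling parameter, computed by both sides
    if u == 0:
        return False
    # client: session key from the password
    x = private_x(record["username"], password, record["salt"])
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(pad(S_client)).digest()
    proof = hmac.new(K_client, pad(A) + pad(B), hashlib.sha256).digest()  # simplified M1
    # server: session key from the verifier, then check the client's proof
    S_server = pow((A * pow(record["verifier"], u, N)) % N, b, N)
    K_server = hashlib.sha256(pad(S_server)).digest()
    expected = hmac.new(K_server, pad(A) + pad(B), hashlib.sha256).digest()
    return hmac.compare_digest(proof, expected)
```

The caveat worth keeping in mind when weighing this against a hash-based scheme: a leaked (salt, v) pair still allows offline guessing of weak passwords, since an attacker can compute g^x for each candidate and compare with v; what SRP removes is the server ever holding the password or a password-equivalent, and the need to send it over the wire on each login. That is also why a stored PBKDF2 hash cannot be turned into an SRP verifier, and why a framework switch like this forces a password reset.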
I would like that when a user creates an account in Django, the user information:
- Username
- Password
- Email
- First and Last Name
- Mobile
also gets populated in my LDAP server. Also, when the user gets deactivated, this gets reflected in LDAP.
Authentication will still be done in Django.
I need the user information as I have another application which is getting the user info from LDAP. I need both to have the same user universe.
Are there any snippets that do that already?
I saw a lot of code to authenticate through LDAP, but what I really need is to populate the LDAP directory with my Django users on the fly.
Thanks for your help
Check out this snippet; it should do exactly what you're after (a bit old though, so YMMV with newer Django).