Django. Intermediate page after authentication - django

    I wrote middleware that process requests from admin log in page. How can I redirect user after authentication to some intermediate page with some 'Continue' button and this button will redirect me to page which should be showed in standard scenario.
    I set my middleware after AuthenticationMiddleware in settings list. Despite of this if I set some return statement in my middleware, user authentication process fails.
    I need this to show some additional info about authentication results on some Atlassian services. Don't want to do it via JavaScript so decided to implement intermediate page functionality.

Instead of using a middleware, create a template with that auth information and use the function render_to_response at the end of your login view to render that template. You can add variables to this function to give extra information.
Example:
return render_to_response('my_template.html',
my_data_dictionary,
context_instance=RequestContext(request))

Related

How to return a 404 for just Django allauth signup page?

I am rather new to Django and all of the work I have done so far has been with models/views/viewsets.. The site I am working on incorporates Django allauth for authentication. I have successfully edited/styled the login/logout templates, but the page will be accessed by people who are given credentials created in the admin section rather than signing up on their own- so the sign up page is unnecessary. I'd like to just show a 404 page anytime someone lands on the signup page. I have already removed all the links to the signup page from the other templates.
In short- how do I just redirect someone to the Django default page_not_found when they hit /accounts/signup/?
My attempts so far have revolved around editing the URLs.py file to include something like path('account_signup', page_not_found) (after importing it at the top), or some other manipulation of that line. I'm probably missing something really easy, as I have been getting a little frustrated... And I haven't found any stack overflows where someone was desiring a 404 when a user navigated to one of the allauth account pages.
In order to server 404 pages automatically for not found url, create a 404 view and then in main projects urls.py have below code
Read the Official docs
handler404 = 'mysite.views.my_custom_page_not_found_view'
For redirecting use Redirect View in django docs
from django.views.generic.base import RedirectView
url('/accounts/signup/', RedirectView.as_view(url='/', permanent=False),name='index')
Note their is 404 page for developers builts in django, but once you turn debug=False in settings for production apps,it is not visible,
You can simply not use the signup page in your urls.
On the other hand, it is bad practice to use createsuperuser to create users, since by default they will have enough privileges, even to log in to admin and edit things. The right thing to do is to create a user with some method you want, and with the permissions you give them.
This last one will allow you to use a decorator in your signup view that only allows access to that page in case you have an account with a particular privilege, and not any user. There is no point in returning a 404.

Is it needed to add reCaptcha to built in Django's login form?

Hello I'm new to Django and I'm using Django's built in forms to login my users, also I have a contact form where I'm using Google reCaptcha to avoid attacks.
I was wondering if it is needed to add reCaptcha to my login form. I have heard Django takes care most of security and I don't want to repeat code if default login form is already prepared for brute force attacks.
In case its better to add reCaptcha to default login form how can I process the validation? In my contact form I call Google's API to verify user click within my views, but I don't feel comfortable adding that code inside the auth_views.LoginView class.
Thanks!
Django does not take care of any rate-limiting with its forms, including login.
I think that it is a good idea to include some sort of rate-limiting security measure to your login form. re-Captcha might be overkill as a default, unless there are several incorrect attempts within a timeframe.
Take a look at the Django rate-limit project for an easy to implement alternative to captcha.
In order to add reCaptcha to the login view, rather than modifying the auth_views.LoginView class, just create a new view that extends that class. You can add your recaptcha form validation just like in your contact form.
Then you can update your url to point to your custom view and template:
url(r'^login/$', custom_auth_views.recaptcha_login, {'template_name': 'core/recaptcha_login.html'}, name='login'),
See this post on how to extend the login views / templates.

Google authentication and iframes

Background
I have an existing Python-based Google AppEngine app with a few pages for which login:required is set in app.yaml.
I'd like to be able to put this app in an iframe. However, whenever the user navigates to a page that requires login and the user is redirected to the Google login page, the iframe goes blank as the login page sets the x-frame-options:DENY header option.
Questions
Is there a way to make the Google authentication use a pop-up (like FaceBooks and Twitters authentication schemes does?)?
ALternatively, is it possible to catch the login required event, and redirect to another page that I supply, that does some iframe breakout and then redirects to the real login page?
auth_fail_action does not support a custom redirect URL, is there another way?
The only other solution I can think of is not to use login: required, but to reimplement the same logic in each view (or in a decorator). However, as this is rather clumsy and requires lots of rewriting I'd rather not go this route.
Thanks in advance,
Egil
Unfortunately No.
Depending on your specific needs, you could make a passthrough URL on your app that handles the login: required portion before loading the page that iframes your app.
Something akin to this:
app.yaml
handlers:
- url: /login-check
script: main.app
login: required
main.py
import webapp2
class LoginCheckHandler(webapp2.RequestHandler):
def get(self):
# If they get here, they have been authorized via google's login page
webapp2.redirect(self.request.get('redirect_url'), abort=True)
app = webapp2.WSGIApplication([
('/login-check', LoginCheckHandler),
], debug=True)
Now you can load your main page via $APPENGINE_HOST/login-check?redirect_url=$REAL_PAGE_URL and it will ensure the user is logged in first and then redirect them to $REAL_PAGE_URL which can now iframe your app engine page.

Customizing the default profile page of web2py

I have customized the auth using the above explained method by Anthony. It is available in the documentation also on the web2py website.
But this is only for the tables in the database. I wanted to edit the controllers also. Like the profile page, which has all the fields editable by default(except password,which I don't even want to be shown).
I want to use the same page but with little modification. I can't find the controllers to edit them.
If you are using the scaffolding application, all of the Auth functions are handled by the user() function in the default.py controller (the associated view is /views/default/user.html). The particular Auth action is determined by the first URL arg (i.e., request.args(0)), so if you need to run some custom controller or view code for a particular Auth action, you can do something like:
if request.args(0) == 'profile':
[custom code for profile action]
For example, to hide the password field, you can do:
db.auth_user.password.readable = db.auth_user.password.writable = False

Implementing Ajax requests / response with django-allauth

I am using django-allauth for one of my project. I would like to implement login/signup process via ajax. I would like to have customized signup form. I was going through their signupmixin and signup form. Sounds like I can write custom views for each action and map it to the url config. I am not sure what is the best way to do this.
Thank you so much for any help or advice on this.
It depends a bit on what you mean by ajax. If you just want to have a popup-style login/signup box on every page, then you can simply add the form to your base template and show it dynamically using Javascript in a popup box or so. If you keep the form action url to the original allauth urls then this will already give the feel of an ajax signin. You could also tweak things by using $.ajax or $.post to post to the original allauth views.
Something like the above is done on http://officecheese.com/ -- this is an allauth based site, though I am not affiliated with it.
If by ajax you mean that all authentication related views should be displayed via ajax, without causing a new document reload, then I am afraid you are a little bit out of luck. This simply is problematic for scenario's where e-mail verification, or OAuth handshakes are involed, as here you are typically navigating to a new URL from your mailbox, or redirecting to Twitter and so on.