I'm currently working on securing my Django website with SSL. I'd like certain URL patterns to be accessible only via HTTPS. The single most important thing to do is to secure the login site. There is this form where user inputs their login/password into a form and the form is POSTed to the server. In the login page template I have something like
<form method="POST" action="{% url login %}">
and in my urls.py one of the patterns is something like
url(r'^login/$', 'mySiteLogin', name='login'),
Now I've found some resources suggesting that I should use a middleware that will rewrite http to https, for example this: Django relative urls and https. But logging in cannot be done this way - it's no use to rewrite the protocol when the user has already POSTed their password in plaintext!
So I'm thinking, can I somehow tell {% url %} to use https? I'm thinking of a solution that will use a decorator to mark views that require encryption and then some tag similar to {% url %} will use this info and create a link with https when required.
Or is there some other way?
Thanks,
Mike
But logging in cannot be done this way
- it's no use to rewrite the protocol when the user has already POSTed their
password in plaintext!
Just serve the login page itself over HTTPS. This seems to be a good idea in general.
“By January 5, it was clear that an
entire country’s worth of passwords
were in the process of being stolen
right in the midst of the greatest
political upheaval in two
decades.”—which is why you shouldn’t
serve your login form over HTTP even
though it POSTs over HTTPS.
http://simonwillison.net/2011/Jan/24/
In a nutshell, ISPs from Tunisia injected malicious JavaScript code into the login pages of Facebook to steal user logins.
Maybe you should instead look at middleware solutions that does redirection between HTTP and HTTPS. One example: http://djangosnippets.org/snippets/85/
Related
Cant find a solution to a simple problem from current SO questions.
I have 2 apps in a django project.
App1 is from the graph tutorial found here
App2 will allow the users to list data from a DB in this case it will be branch names.
If I try and access a page with #login_required decorator then the url route has /accounts/login/ added and I get the usual cant find error.
Page not found (404)
Request Method: GET
Request URL: http://localhost:8000/accounts/login/?next=/calendar
Using the URLconf defined in graph_project.urls, Django tried these URL patterns, in this order:
[name='home']
about [name='about']
signin [name='signin']
signout [name='signout']
calendar [name='calendar']
callback [name='callback']
branches/
admin/
branches/
The current path, accounts/login/, didn't match any of these.
If I am reading the django docs correctly then this is default and I can redirect the login path using the LOGIN_URL in the project settings. When I set that to the signin function created in the tutorial for App1
def sign_in(request):
# Get the sign-in URL
sign_in_url, state = get_sign_in_url()
# Save the expected state so we can validate in the callback
request.session['auth_state'] = state
# Redirect to the Azure sign-in page
return HttpResponseRedirect(sign_in_url)
It will forever cycle the MS OAuth login but never access the requested page once completed. If I leave out the LOGIN_URL from settings it adds the accounts/login/ to the url as that is the default.
What is it that I am not understanding as to have login/logout requests handled by the functions in App1 for any requests made in other Apps when the request is behind a Login_Required decorator? And why does it not check if I am already authenticated when I can see It holds my name/email/calendar calls if I do not have a #Login_Required decorator and move between pages.
Thanks
I reached out to the support team on Django-Project.
One of the maintainers had a look over my source and all seemed fine on my end, he also checked the tutorial link I provided in the question.
His exact words were
>Personally, I’m a bit suspicious with how they’re doing this. I’ve read through the >tutorial and it looks to me like they’ve taken some shortcuts with managing the user in >the session.
That is enough for me to drop that route and look somewhere else, he offered these as a suggestion should anyone care to look into what I moved on to using.
[Azure AD pypi][1]
[Django Auth Docs][2]
[MS Django Auth][3]
[1]: https://pypi.org/project/django-azure-ad-auth/
[2]: https://django-auth-adfs.readthedocs.io/en/latest/
[3]: https://pypi.org/project/django-microsoft-auth/
And to add to the question, how do I make it secure.
So the situation is, is that I have a website that I have deployed and I have a sign up form. Whenever I click on sign up and start typing in my information and i get to writing my password, safari warns me that my website is insecure. Why is this? And how do I fix it?
EDIT: By the way, I am including {% csrf_token %} in all my POST forms
It appears that you are not using HTTPS.
When you serve your website over HTTP, the data is sent in plain text over the internet.
This means that, when the user submits the password to your website, it could be read in transit. This is not secure.
You are now able to get free certificates for your website using https://letsencrypt.org/.
Perhaps your certificate is self-signed? Maybe you then need to specify in the settings to allow certificates from localhost.
I am developing a web application using Django and python-social-auth. I want users to login with Facebook.
I have this in my python settings:
SOCIAL_AUTH_FACEBOOK_KEY = '...'
SOCIAL_AUTH_FACEBOOK_SECRET = '...'
SOCIAL_AUTH_FACEBOOK_SCOPE = ['email']
When my users enter the facebook page where they should provide credentials they see an error like this:
Can't Load URL: The domain of this URL isn't included in the app's domains.
To be able to load this URL, add all domains and subdomains of your
app to the App Domains field in your app settings.
In Facebook for Developers dashboard I have added "Facebook Login" product and added redirect url:
http://localhost:8000/complete/facebook/
In settings, Website Site URL is set to: http://localhost:8000/ and App Domains is set to localhost.
What am I doing wrong?
BTW this is the url that my users see when the facebook page opens:
https://www.facebook.com/v2.9/dialog/oauth?scope=email&state=HSfkstGUR5028DMhUzfWOSgo6fpPx29E&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcomplete%2Ffacebook%2F%3Fredirect_state%3DHSfkstGUR5028DMhUzfWOSgo6fpPx29E&client_id=...&return_scopes=true
Disable the 'Use Strict Mode for Redirect URIs' setting in your Facebook login app.
OR
Note the redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcomplete%2Ffacebook%2F%3Fredirect_state%3DHSfkstGUR5028DMhUzfWOSgo6fpPx29E parameter of generated url.
For some inexplicable reason Facebook requires Valid OAuth redirect URIs setting to be exactly the same as the redirect url.
So use a tool like https://meyerweb.com/eric/tools/dencoder/, decode the url and set Valid OAuth redirect URIs to the full url. I.E:
http://localhost:8000/complete/facebook/redirect_state=HSfkstGUR5028DMhUzfWOSgo6fpPA59E
Upgrading social-auth-core to at least version 1.6.0 should help to resolve this. Among other changes it includes this one:
Default REDIRECT_STATE to False in FacebookOAuth2 backend.
This was changed as a result of issue 141, and it causes redirect URLs to be generated without the redirect_state argument, whose dynamic value makes whitelisting impossible.
Once you've done this, add https://<your-domain>/complete/facebook/ to your OAuth redirect whitelist in the Facebook developer portal.
Facebook doesn't like localhost in the Redirect URI field in the app setup or in the redirect_uri parameter. To workaround it just set something in the field (I use http://myapp.com:8000, then add the entry 127.0.0.1 myapp.com in your /etc/hosts and access the app through the new URL (http://myapp.com:8000).
As of the 4th April 2018, day i face the same issue, the only solution i found is:
Valid OAuth redirect URIs must be set to be exactly the same as the redirect url
More info here: https://developers.facebook.com/blog/post/2017/12/18/strict-uri-matching/
In our Java EE app we are invoking the fb oauth flow to get accessToken.
For this purpose we make a call with the callback url to the fb server with app key and secret.
At this moment the same url is provided in the fb app url section.
However, is it possible if we can some how change the redirect url to go to a different server ? I have seen just changing the callback url in the code does not work. Looks like it has to be same in the code as well as in the fb application.
This make very difficult to test or use the same app to try things from two different web servers.
Any advise on this?
This is unfortunately not possible. Just redirect user to your redirect_uri which will redirect you to the correct location
The URL to redirect to after the user clicks a button in the dialog.
The URL you specify must be a URL of with the same Base Domain as
specified in your app's settings, a Canvas URL of the form
https://apps.facebook.com/YOUR_APP_NAMESPACE or a Page Tab URL of the
form https://www.facebook.com/PAGE_USERNAME/app_YOUR_APP_ID
https://developers.facebook.com/docs/reference/dialogs/oauth/
For security reasons you can't change the redirect url. Facebook check that you provide the same redirect url as you gave when you registered the application. The way I solved this was to register one application on facebook for each server.
Here is Solution from Promo Group
One of the options - to add a 2nd domain (address mirror the primary site) in
Settings » Basic tab at the top» Mobile Site URL
I am using Twitter OAuth to login users. The login takes users to Twitter and upon successful OAuth returns them to a specified url. From this url I would like to redirect users back to the page they were on before logging in.
What is a good way to do this?
Two ways:
Craft your OAuth URL so it sends them back to the right page, or at least says next=url in the querystring. This is most reliable but can break (and does look ugly but who's copying and pasting OAuth URLs anyway?)
Store a session containing the last requested "real" page. I say "real" like that because I don't count any auth/registration pages as real. So every hit, check to see what URL they're on, if it's not auth-related, store it in session. When they hit your OAuth-auccess page, redirect them to the session value. You can do this in a context processor or some middleware. Requires cookies and logout will nuke it.
i am using redirect url in twitter auth url and its working for me ..