I have this viewset
class OrderItemViewSet(viewsets.ModelViewSet):
serializer_class = OrderItemSerializer
def get_queryset(self):
print('Current User', self.request.user, self.action)
return OrderItem.objects.filter(order__owner=self.request.user.profile)
take note of the print('Current User', self.request.user) I have used that to identify the root of the problem.
urls.py
router.register('order_items', shopping_api.OrderItemViewSet, 'order_items')
So far so good... But when I make a PUT request;
const response = await fetch(api.authurl+'/order_items/'+order_item.id+'/', {
method: 'PUT',
headers: api.httpHeaders,
body: JSON.stringify(order_item)
});
This error shows up
AttributeError: 'AnonymousUser' object has no attribute 'profile'
The print statement identifies these for a GET then a POST request respectively:
[19/Jun/2020 21:03:02] "GET /sellers/3/ HTTP/1.1" 200 196
Current User AD list
[19/Jun/2020 21:03:03] "GET /order_items/ HTTP/1.1" 200 1046
Current User AnonymousUser update
So I have reason to believe that when I make a get request, the authenticated user is detected, but with a PUT it's suddenly Anonymous. I doubt I have to make frontend authentication right? e.g having Authorization with a token in my headers in the request. Since I have that GET request doing fine.
EDIT:
adding SellerViewSet:
class SellerViewSet(mixins.RetrieveModelMixin, viewsets.GenericViewSet):
queryset = Seller.objects.all()
serializer_class = SellerSerializer
DRF authentication scheme uses Django's default session backend for authentication, if you're using an AJAX style API with SessionAuthentication, you'll need to make sure you include a valid CSRF token for any "unsafe" HTTP method calls, such as PUT, PATCH, POST or DELETE requests(DRF docs)
IsAuthenticated requires the both the request.user object and the user logged in(is_authenticated).
class IsAuthenticated(BasePermission):
"""
Allows access only to authenticated users.
"""
def has_permission(self, request, view):
return bool(request.user and request.user.is_authenticated)
you need set header X-CSRFToken to request header for next request so that the server knows who you are
var csrftoken = jQuery("[name=csrfmiddlewaretoken]").val();
xhr.setRequestHeader("X-CSRFToken", csrftoken);
// fetch
headers:{
'X-CSRFToken': jQuery("input[name=csrfmiddlewaretoken]").val()
}
https://www.django-rest-framework.org/api-guide/authentication/#sessionauthentication
Related
Just started learning HTTP, trying to make a simple client-to-server request to work in tornado. Here is my javascript function trigged by a button click:
function funcOnClick(){
$.ajax({
url: "http://localhost:8889/madTest",
type: "GET",
success: function(result){alert('success')},
error: function(error){console.log(error)}
})
}
And here is my server:
import tornado.ioloop
import tornado.web
import json
class MainHandler(tornado.web.RequestHandler):
def get(self):
print('got the GET request')
self.write('abc')
def make_app():
return tornado.web.Application([
(r"/madTest", MainHandler),
])
if __name__ == "__main__":
app = make_app()
app.listen(8889)
print('server started, listening to 8889 ...')
tornado.ioloop.IOLoop.current().start()
On clicking the button, I see "got the GET request" printed, so the server must have gotten the request. However, I got this error on console:
Any suggestions? Thanks!
The error message occurs when your JS or HTML page is served from a different domain and you're trying to make an AJAX request to a different domain. This is called CORS. For security reasons, web browsers restrict cross-domain AJAX requests unless allowed by the server.
To be able to make cross origin AJAX requests, you'll need to set a header called Access-Control-Allow-Origin in your handler's response.
You can do this in the prepare method of your handler:
class MainHandler(...):
def prepare(self):
self.set_header('Access-Control-Allow-Origin', '*')
# the wildcard - '*' - allows CORS from any domain
# you should probably change it to your frontend
# domain name if you wan to restrict CORS to a single domain.
# see Mozilla docs for more info
When giving the following configuration its returns always WebHook responds with incorrect HTTP status. HTTP status is 405.
This is the webhook configuration:
var token= access_token;
var _eventFilters = [];
_eventFilters.push('/restapi/v1.0/account/~/extension/' + 232102004 + '/presence?detailedTelephonyState=true&aggregated=true')
rcsdk.platform().post('/subscription',
{
eventFilters: _eventFilters,
deliveryMode: {
"transportType": "WebHook",
"encryption": false,
"address": "https://demo.example.com/backend/country-list/web_hook/?auth_token="+token
}
})
.then(function(subscriptionResponse) {
console.log('Subscription Response: ', subscriptionResponse.json());
})
.catch(function(e) {
console.error(e);
});
This is my Django webhook url:
#list_route(methods=['get'], url_path='web_hook')
def create_web_hooks(self, request, **kwargs):
query_params = request.query_params.dict()
from django.http import HttpResponse
response = HttpResponse()
if 'auth_token' in query_params:
response['Validation-Token'] = query_params['auth_token']
response['status'] = 200
response.write('Hello World')
return response
Thanks in advance
In your webhook response, the content of response['Validation-Token'] needs to be the value present in the RingCentral create webhook HTTP request's Validation-Token header. The RingCentral OAuth 2.0 access token is not used in your webhook listener.
Your webhook example is in Python so here are some examples using both Django and Flask. You should check for the existence of the request header and, if present, set the value as the response header of the same name. The following shows how to set the header.
Django
In Django, request headers are available in HttpRequest.META which renames headers using it's specific algorithm. META is a dictionary so you can access the header in the following ways:
response['Validation-Token'] = request.META.get('HTTP_VALIDATION_TOKEN')
or
response['Validation-Token'] = request.META['HTTP_VALIDATION_TOKEN']
More information on Django handles this is available in the Request and response objects documentation for HttpRequest.META:
https://docs.djangoproject.com/en/1.11/ref/request-response/#django.http.HttpRequest.META
This is the specific text on header renaming:
With the exception of CONTENT_LENGTH and CONTENT_TYPE, as given above, any HTTP headers in the request are converted to META keys by converting all characters to uppercase, replacing any hyphens with underscores and adding an HTTP_ prefix to the name. So, for example, a header called X-Bender would be mapped to the META key HTTP_X_BENDER.
Flask
Using Flask, you can access HTTP request headers using the flask.Request dictionary-like object the following ways:
response['Validation-Token'] = request.headers.get('Validation-Token')
or
response['Validation-Token'] = request.headers['Validation-Token']
This is discussed in the Flask Incoming Request Data documentation:
http://flask.pocoo.org/docs/0.12/api/#incoming-request-data
I have an API that authenticates the request based on the header fields and then returns a HTML page.
The request to this API has to be made in a way, such that the domain will change from domain1.com to domain2.com (Just like clicking a hypertext).
I cannot use <a>Link</a> because I need to add header fields.
And ajax cannot be used because it does not change controls from domain1.com to domain2.com.
Something like this did not make sense at all...
$.ajax({
// Use ajax to authenticate
...
success : function(path){
// Load the path for domain change
location.assign(path);
// Even this request should have a header field
},
...
})
I need the functionalities of both(changing domains and header usage) in a single request - if possible or at the least with 2 requests.
Any ideas to do this?
In order to send HTTP request with credential in header, and "change domain" when it is successful, you can use JSON response with 302 code and Location -- just a convention, browser behaviour won't be triggered.
An example response:
HTTP response code: 200 OK
HTTP response body:
{
status: 302,
location: 'domain2.com/result'
}
The Ajax code would look like:
$.ajax({
// Use ajax to authenticate, with credential in HTTP header
...
success: function(result){
if (result.status === 302) {
window.location = result.location;
}
},
...
})
2 HTTP requests will be used. One for Ajax, and another for the redirection.
I have a web app using Python Django and Dojo framework.
I wanna send a PUT request from Dojo (using dojo/request) to server Django but when server receives a request, the data within are empty and validate Invalid.
BUT when I change method from PUT to POST, it's work correctly.
Here is my code:
_save: function(data){
var idForm = "editForm" + this.id;
var value = dijit.byId(idForm).get('value');
console.log(value);
request.put("/api/guestbook/"+this.bookName+"/greeting/"+this.id+"/", {
data: {
book_name: this.bookName,
message: value.message
},
headers: { "X-CSRFToken": _cookie('csrftoken') }
}).then(lang.hitch(this, function(text){
}));
},
And in Django:
def put(self, request, *args, **kwargs):
form = self.get_form(self.form_class)
logging.warning(form)
logging.warning(request.PUT)
if form.is_valid():
logging.warning("This form is VALID")
else:
logging.warning("This form is INVALID!!!")
Anyone can help me?
Thanks for help!
I found the way to receive PUT method below:
def put(self, request, *args, **kwargs):
request.PUT = QueryDict(request.body)
form = self.form_class(request.PUT)
if form.is_valid():
logging.warning("This form is VALID")
else:
logging.warning("This form is INVALID")
This is ok :)
Thanks all!
I'm guessing from your X-CSRFToken header that you are doing cross domain requests, i.e. CORS.
If you look in your browser's console, you'll probably see an OPTIONS request being sent to the server. This is called a "preflight request", and your server needs to respond with CORS headers telling the browser that it's okay to make the cross domain PUT request.
In your case, you want the server to respond with headers similar to:
Access-Control-Allow-Origin: http://your-site-hostname-and-port
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: X-CSRFToken
Simple POST requests do not need the preflight OPTIONS request, that's probably why it works. A pretty good tutorial on html5rocks here.
I am a newbie to Bottle and sort of to Python as well and I am trying create an app whenever I click a button, an AJAX is fired and POST a json to server and store it using SQLite.
However, at current stage, I am trying to figure out how do I successfully received the data in the server.
On the client side,
I have the following send_data function written in JavaScript.
function send_data(feedback) {
$.ajax({
url: "/feedback",
type: "POST",
data: JSON.stringify(feedback),
contentType: "application/json",
success: function() {
alert("Feedback successfully stored in the server!");
},
error: function() {
alert("Feedback failed to store back in the server!");
},
}
The passed in parameter feedback looks something like {"id1": 1, "id2": 2}.
On the server side, I have a feedback.py file and the code is
from bottle import request, route, run
#route('/feedback', method='POST')
def feedback():
comments = request.json
print comments
run(host='localhost', port=8080)
Right now, I just want to check if I have received the data successful. But everytime, when I click that botton, I receive the following error
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8080/feedback. This can be fixed by moving the resource to the same domain or enabling CORS.
OPTIONS http://localhost:8080/feedback [HTTP/1.0 405 Method Not Allowed 2ms]
I am not sure if it's because I am not using the element <form>. That botton is technically just an image. Every time I click that image, send_data() function is fired.
Anyone can help? I really appreciate it. Thank you!
Cross Origins Requests are restricted as a security measure by the browser. It is possible to overcome that by setting an Access-Control-Allow-Origin header. You can can use bottle-cors or create a decorator like the following on your server code (Python/bottle):
def enable_cors(fn):
def _enable_cors(*args, **kwargs):
response.headers['Access-Control-Allow-Origin'] = '*'
response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, OPTIONS'
response.headers['Access-Control-Allow-Headers'] = 'Origin, Accept, Content-Type, X-Requested-With, X-CSRF-Token'
if request.method != 'OPTIONS':
# actual request; reply with the actual response
return fn(*args, **kwargs)
return _enable_cors
and then with your example:
from bottle import request, route, run
#enable_cors
#route('/feedback', method='POST')
def feedback():
comments = request.json
print comments
run(host='localhost', port=8080)
Note that it's best to allow specific origins instead of using *.
You can read more about Cross-Origin Resource Sharing (CORS) here
You can make this work by disabling the Cross-origin restrictions.
On safari, open the Develop panel, and check disable cross-origin restrictions, or use a browser like Firefox.