Angular 2 frontend django 2 REST framework backend user auth - javascript

I'm new to Django and JavaScript, so please forgive me if this is an obvious question.
What is the best way to authenticate users?
I can only find posts about using this, which doesn't support Django 2.
Thanks for your help.

django-rest-framework provides several solutions for authentication. I recommend reading the docs carefully: http://www.django-rest-framework.org/api-guide/authentication/
I've already used Token authentication on several projects and it works fine:
You need to install the rest_framework.authtoken app in your project. This app is provided with django-rest-framework.
Then you need to create a token for every user. There are several ways described in the docs.
On the client side, you need to implement a login form. Your backend will check the username and password and return the user's token.
Then you can pass this token in the header of every request:
Authorization: Token value-of-the-token
Make sure to use HTTPS if you use Token authentication.
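The client half of the answer above, as an added example (not code from the answer or from django-rest-framework): log in to obtain the token, attach it as the Authorization header the answer describes, and refuse to do either over plain HTTP. It assumes the backend mounts DRF's obtain_auth_token view at /api-token-auth/ (the path used in the DRF docs; adjust to your urls.py) and takes fetch as a parameter so it can be exercised without a server.

```javascript
// Added example, not from the original answer or from django-rest-framework.
// Assumptions: DRF's obtain_auth_token view is served at /api-token-auth/ and
// answers {"token": "<key>"}; fetchImpl is window.fetch in the browser.

// The answer's "use https" advice, made mechanical: never send a password or a
// token to a non-TLS origin, except to localhost during development.
function assertTransportIsSafe(baseUrl) {
  const url = new URL(baseUrl);
  const isLocal = url.hostname === 'localhost' || url.hostname === '127.0.0.1';
  if (url.protocol !== 'https:' && !isLocal) {
    throw new Error(`refusing to send credentials to ${url.origin}: use https`);
  }
  return url;
}

// The header DRF's TokenAuthentication expects: "Authorization: Token <key>".
function tokenAuthHeaders(token) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('missing token');
  }
  return { Authorization: `Token ${token}` };
}

// POST the login form's values; DRF validates them and returns the user's token.
async function login(fetchImpl, baseUrl, username, password) {
  const base = assertTransportIsSafe(baseUrl);
  const res = await fetchImpl(new URL('/api-token-auth/', base).toString(), {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password }),
  });
  if (res.status !== 200) {
    // DRF answers 400 with field errors for bad credentials; the UI only needs
    // to know that login failed, not which field was wrong.
    throw new Error(`login failed with HTTP ${res.status}`);
  }
  const body = await res.json();
  if (typeof body.token !== 'string') throw new Error('malformed login response');
  return body.token;
}

// Call a protected endpoint with the token attached on every request.
async function apiGet(fetchImpl, baseUrl, path, token) {
  const base = assertTransportIsSafe(baseUrl);
  const res = await fetchImpl(new URL(path, base).toString(), {
    headers: tokenAuthHeaders(token),
  });
  if (res.status === 401) throw new Error('token rejected; log in again');
  return res.json();
}
```

A DRF token does not expire on its own, so a 401 on a later request means the token was deleted or rotated server side; the client's only sensible reaction is to drop it and show the login form again.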

Related

How can I require auth to access some components in react?

I'm new to React but I have previously worked on server-side rendered websites.
My objective is to make a website where at first only a sign-up/login page is shown, and if the login is successful the user is able to access other pages.
I'm using an API which provides JWT tokens and JWT refresh tokens for authentication; the main token expires in 1 hr and I need to automatically generate a new token by then in the background without the user knowing.
So how should I go about implementing this? Any example code would be helpful.
This site is about helping to solve specific programming issues, no one will write your app for you. The idea is to acquire the token via authentication, persist it in the browser (local/session storage), then attach it as an auth header to every API request. For refreshing the token implement some setInterval.
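The three steps in the answer above (persist the token, attach it to every request, refresh it in the background) as an added example that is not from the answer. It assumes a refresh endpoint that takes {"refresh": "<refresh token>"} and returns {"access": "<new JWT>"}; storage, timers and fetch are passed in so the same code runs in the browser and in a test. It schedules one timer just before the access token's exp claim rather than a fixed setInterval, so the refresh happens exactly when needed and stops as soon as the user is logged out.

```javascript
// Added example, not from the original answer or any particular API.
// Assumptions: POST refreshUrl with {"refresh": ...} returns {"access": ...};
// storage has the localStorage/sessionStorage interface; setTimer/clearTimer
// are setTimeout/clearTimeout; now() returns milliseconds since the epoch.

// Decode the JWT payload (base64url) WITHOUT verifying the signature. The
// client only needs "exp" to schedule a refresh; verifying is the server's job.
function jwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const json = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('utf8');
  return JSON.parse(json);
}

// Milliseconds until the token should be refreshed: skewSec before exp, never
// negative. An already-expired or exp-less token refreshes immediately.
function msUntilRefresh(token, nowMs, skewSec = 60) {
  const exp = jwtPayload(token).exp;
  if (typeof exp !== 'number') return 0;
  return Math.max(0, (exp - skewSec) * 1000 - nowMs);
}

function authHeaders(accessToken) {
  return { Authorization: `Bearer ${accessToken}` };
}

function createSession({ storage, fetchImpl, setTimer, clearTimer, now, refreshUrl, onLogout }) {
  let timer = null;

  // Re-arm a single timer for just before the current access token expires.
  function schedule() {
    const access = storage.getItem('access');
    if (!access) return;
    if (timer !== null) clearTimer(timer);
    timer = setTimer(refresh, msUntilRefresh(access, now()));
  }

  // Exchange the refresh token for a new access token; a failure means the
  // refresh token itself was revoked or expired, so the session ends.
  async function refresh() {
    const res = await fetchImpl(refreshUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ refresh: storage.getItem('refresh') }),
    });
    if (res.status !== 200) { logout(); return false; }
    const body = await res.json();
    if (typeof body.access !== 'string') { logout(); return false; }
    storage.setItem('access', body.access);
    schedule();
    return true;
  }

  function login(access, refreshToken) {
    storage.setItem('access', access);
    storage.setItem('refresh', refreshToken);
    schedule();
  }

  function logout() {
    if (timer !== null) clearTimer(timer);
    timer = null;
    storage.removeItem('access');
    storage.removeItem('refresh');
    if (onLogout) onLogout();
  }

  return { login, logout, refresh, headers: () => authHeaders(storage.getItem('access')) };
}
```

Anything kept in localStorage is readable by any script that runs on the page, so this design only limits the damage of a script injection to the access token's one-hour lifetime plus whatever the refresh token allows; keep refresh tokens short-lived and revocable on the server, and call logout() (which discards both) when the user leaves.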

What does passport.js do and why we need it?

I am not familiar with user authentication in Node.js, now I am trying to create a website with a login system. I have managed to make it work using the code snippets from the website, but I don't really understand why we need the passport.js as a middleware to do the authentication.
Registration:
Let's take passport-local as an example: when we are using the passport middleware, we are basically trying to create a new document in the database. Can we do it without passport, such as by using the MongoClient directly, with checks for duplicates, and store the password after encryption?
Login:
We can simply check the user's email or username against our database, and then check the password after email or username is matched. This, as well, can be done without passport. After user identity has been confirmed we can use the express-session to store the session in the cookie for login persistence.
A video about the process that I described above can be found here.
I understand that there must be some very important functionality that I am neglecting, but after browsing many web resources, including Stack Overflow, YouTube, passport.js's docs and many others, I still don't understand what passport.js does and why we need it.
Apologies in advance if the question seems silly.
To me it's unnecessary.
It's not saving me any work. I have to write the configuration, the callback, and the user schema. To me, it's just easier to write a middleware for that.
And I don't see any security enforcement I am getting, because I am writing my own verify callback anyway.
So, I don't see any reason that I should use it.
Passport is a middleware for express.js. It supports various login types: Basic, Token, Local (username, password), OAuth, OAuth2, etc. We can combine these to allow users to authenticate by signing in with Google, FB, or whatever service with a very minimal amount of code. We can also use this to combine external auth services so users can choose to log in with one of the selected Strategies, e.g. Google, Twitter. It's much quicker to use passport for authentication than to build one yourself from scratch. This is why we use passport. You don't need passport, it just makes developing quicker. Read more from their website => https://www.passportjs.org/

How to trust Frontend Facebook Login

Quick short background
I'm building a standalone web app using Angular JS 1.5. This web app makes use of an API built with Laravel 5.2 (no sessions, just JWT tokens and REST calls). Using Laravel-Socialite, I managed to make the following structure. It works nicely and all, but we kind of have an overload of redirects.
The button calls a /facebook route that invokes the Socialite magic box, which leads to a redirect to the Facebook page for authorization.
After I achieved this, I noticed that a Facebook Login LOOKS a lot more like a front-end task than a back-end one. It's just about helping the user quickly sign up using the available Facebook data, or sign in without a password.
The Problem
Socialite makes use of my Facebook App Secret, not to mention that it's a known server environment operation, while the front end is something we may never trust. Here is what I managed to achieve using the JavaScript SDK (with AngularJS).
On a first-time access, I can get that information, sign up the user and automatically sign him in. But the problem lies with an existing user.
In this case, technically I can use the response.email information that Facebook gave me and make a request to my API to log in without a password. But can I really do it? How do I make sure the request is being made because Facebook authorized it? After Facebook replies to my web app, what is a secure way to tell my server that it can issue a JWT token to that email?
Conclusion
Do I make the three-step redirection (Web App → Server API → Facebook) to sign in / authenticate a user using Facebook or is there something I'm missing here that could be the key to transferring this responsibility to the front-end (and avoiding a 3-step-redirection)?
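The question has no answer on this page; as an added example (not from the post, and not Laravel-Socialite's or Facebook's code) here is the server-side check that the question is circling: the browser's Facebook SDK login can be trusted only if the browser hands the server the Facebook access token it received, and the server asks Facebook whether that token is valid and was issued to this app. An email alone proves nothing, because anyone can send any email to the API. It assumes the Graph API debug_token endpoint and its response shape (input_token, an app access token of the form APP_ID|APP_SECRET, and data.is_valid, data.app_id, data.user_id, data.expires_at) as documented by Facebook; check the current Graph API docs before relying on the field names. fetch is injected so the logic can be tested offline.

```javascript
// Added example, not from the original post or from Socialite/Facebook.
// Assumptions: Graph API GET /debug_token?input_token=...&access_token=APP_ID|APP_SECRET
// returns {"data": {"is_valid": true, "app_id": "...", "user_id": "...", "expires_at": <unix seconds>}}.
// The app secret stays on the server; the browser only ever sends the user token.

const GRAPH = 'https://graph.facebook.com';

async function verifyFacebookToken(fetchImpl, inputToken, appId, appSecret, nowMs = Date.now()) {
  const url = new URL('/debug_token', GRAPH);
  url.searchParams.set('input_token', inputToken);
  url.searchParams.set('access_token', `${appId}|${appSecret}`); // app token: server side only
  const res = await fetchImpl(url.toString());
  if (res.status !== 200) throw new Error(`debug_token failed: HTTP ${res.status}`);
  const { data } = await res.json();
  if (!data || data.is_valid !== true) throw new Error('Facebook token is not valid');
  // A valid token issued to a DIFFERENT Facebook app must not log anyone in here.
  if (String(data.app_id) !== String(appId)) throw new Error('token issued to a different app');
  if (typeof data.expires_at === 'number' && data.expires_at * 1000 < nowMs) {
    throw new Error('Facebook token expired');
  }
  return { facebookUserId: String(data.user_id) };
}

// Having verified the token, find the account by the Facebook user id recorded
// at sign-up, never by an email the client typed in, then issue the app's own JWT.
async function loginWithFacebook(deps, inputToken) {
  const { fetchImpl, appId, appSecret, findUserByFacebookId, issueJwt } = deps;
  const { facebookUserId } = await verifyFacebookToken(fetchImpl, inputToken, appId, appSecret);
  const user = await findUserByFacebookId(facebookUserId);
  if (!user) return { status: 404, error: 'no account linked to this Facebook user' };
  return { status: 200, token: issueJwt(user) };
}
```

With this check the single round trip Web App → Facebook → Web App → Server API replaces the three-step redirect, and the server still never acts on anything it has not confirmed with Facebook itself.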

How to get access token from Dropbox using JavaScript?

I am trying to list the files and folders that are in Dropbox by using JavaScript. Can anyone suggest how to get an access token programmatically?
I can generate an access token manually but I need to get it from code.
To programmatically get an access token for a user, your app needs to send them through the OAuth app authorization flow. When directly using JavaScript, ideally you'd use an SDK or library, e.g.:
https://www.dropbox.com/developers/datastore/sdks/js
(Note that the Datastore API functionality is deprecated, but the rest isn't.)
The tutorial will guide you through linking an account:
https://www.dropbox.com/developers/datastore/tutorial/js
There's also more documentation and resources here:
https://www.dropbox.com/developers/datastore/docs/js
https://github.com/dropbox/dropbox-js
There's also an OAuth guide here that should serve as a good reference about the OAuth flow:
https://www.dropbox.com/developers/reference/oauthguide
Otherwise, if you want or need to implement this manually, the following blog posts may be helpful:
for OAuth 1: https://blogs.dropbox.com/developers/2012/07/using-oauth-1-0-with-the-plaintext-signature-method/
for OAuth 2: https://blogs.dropbox.com/developers/2013/07/using-oauth-2-0-with-the-core-api/
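The OAuth 2 flow the answer links to, written out as an added example (not the answer's code and not the dropbox-js library) so that the one security-relevant client-side step, the state check, is visible. It assumes the Dropbox authorize endpoint https://www.dropbox.com/oauth2/authorize, the "token" response type that returns access_token and state in the redirect fragment, and the API v2 files/list_folder endpoint for the listing the question asked about; confirm all three against the current Dropbox docs. The random source and fetch are injected (crypto.getRandomValues / window.fetch in a browser).

```javascript
// Added example, not from the original answer or from dropbox-js.
// Assumptions: Dropbox's /oauth2/authorize endpoint with response_type=token
// delivers "#access_token=...&state=...&uid=..." to redirect_uri, and
// POST https://api.dropboxapi.com/2/files/list_folder lists a folder.

const AUTHORIZE_URL = 'https://www.dropbox.com/oauth2/authorize';

// One fresh, unguessable state per authorization attempt; keep it in
// sessionStorage so the redirect handler can compare it.
function newState(randomBytes) {
  const bytes = randomBytes(16);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Step 1: where to send the user. redirect_uri must exactly match one
// registered for the app in the Dropbox App Console.
function buildAuthorizeUrl({ clientId, redirectUri, state }) {
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set('response_type', 'token');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state);
  return url.toString();
}

// Step 2: read "#access_token=...&state=..." from the redirect back to the app.
function parseFragment(hash) {
  const params = new URLSearchParams(hash.startsWith('#') ? hash.slice(1) : hash);
  return Object.fromEntries(params.entries());
}

// Accept the token only if state matches what THIS browser session started
// with; otherwise the fragment may have been planted by someone else's link.
function completeAuthorization(hash, expectedState) {
  const f = parseFragment(hash);
  if (f.error) throw new Error(`authorization failed: ${f.error}`);
  if (!expectedState || f.state !== expectedState) throw new Error('state mismatch');
  if (!f.access_token) throw new Error('no access_token in fragment');
  return { accessToken: f.access_token, uid: f.uid };
}

// Step 3: use the token. An empty path means the app's root folder.
async function listFolder(fetchImpl, accessToken, path = '') {
  const res = await fetchImpl('https://api.dropboxapi.com/2/files/list_folder', {
    method: 'POST',
    headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ path }),
  });
  if (res.status !== 200) throw new Error(`list_folder failed: HTTP ${res.status}`);
  return (await res.json()).entries;
}
```

The token arrives in the URL fragment, which the browser never sends to the server, so it stays client side; clear it from the address bar (history.replaceState) once stored, and remember that an access token obtained this way is only as safe as the page's scripts.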

Phonegap: Authenticating the app and not the user for api access

I have an app and I have created the required API for it in PHP; I could also create it using Firebase.
The app is meant to be used by people who are new to technology. I don't want any login authentication.
As I have created an API, anyone who goes through my code can see the API link and can get the data, which I don't want.
What I want to achieve is for the API to serve data only when the request is from my app.
How can I achieve this without any user login?
Create an access token and store it in your application; then on each AJAX request you will compare the token, so if the token is valid you will deliver the contents, otherwise you will show an error message.
As Raymond Camden said in his comment:
it is not secure. I can use Remote Debugging to sniff the access token and then use it myself. At the end of the day, there is no way to do what you want 100% securely.
