I have a project where I am creating a React frontend for users to sign SSL certificates. That frontend is used with a Django DRF backend to handle request. Currently, I have authentication specified in each of my views for token and session auth. I can authenticate a user through postman and through a python client using request. But I want to turn this around and be able to login from the front end using react and a login form and keep is secure and safe from XSRF. Ive also been reading about how token auth is insecure because of how tokens get stores in browser local storage.
So my questions are as follows;
Should I use token auth or session auth, and how do I decide which is best?
How to implement that authentication with a React login form?
And how I could protect this from XSRF?
Thanks in advance Stackoverflow Gods
Related
I built an app (Django backend, React frontend) that whenever a client login it will generate JWT authentication. React will store the access token and client can use it to access Django backend database.
Then I want to add in social login feature (Google) so I will get back access token from that as well. However, this access token is different from the JWT access token generated before, so I wonder how can I integrate both ways of logging in a user smoothly on both Django and React?
For JWT I use djangorestframework-simplejwt
For social login I use django-allauth
I can run each individual way perfectly on React, but I don't know how to keep both the installations of JWT and allauth in Django settings.
I had a problem. I had a react app that authenticate, using KeyCloak. From KeyCloak-server i recieve some credentials, like tokens, uuid of user and etc. Then, i am trying to access api on Django Backend, but request.user is Anonymous User. So, how can I can authenticate Django DRF? Should I send credentials from frontend to backend and create User model on backend or I don't need this?
You have to setup some authentication, for example using JWT. https://dev-yakuza.posstree.com/en/django/jwt/
I am using React JS in frontend and AWS Server less architecture as the backend of the react application.
So, for the user authentication and authorization I am using the AWS Cognito Service. and for making the requests I am using the axios.
Now, I want to integrate APIs which are created with the AWS API Gateway with cognito user pool. I am able to sign in to the user session and retrieving the id Token, access Token, and Refresh Token. and I am sending the ID Token in the all request which are created with AWS API Gateway. But How can I know that token is expired? because when token is expired it is sending the Network error instead of message("Token is Expired.").
In short I want to handle situation if token is expired or token is invalid. what I have to do?
Give the basic flow of handling the all requests(GET, POST, etc...) using axios.
I need to create basic app with a silhouette. What I need to do is:
login with Google
Generate JWT
Use JWT to communicate with backend
I don't really know how this flow should look like. My idea is:
use login with Google in react app
generate Google token
use this token to generate JWT in the backend (using silhouette)
retrieve JWT in frontend
Will that flow work? Is there any simpler/better way to do that?
I had similar problem, so that's my proposal:
Create a controller for social authentication on backend side.
In react app add button for authentication and simply redirect to the
backend endpoint.
Authenticate user on backend, use Silhouette JWTAuthenticator to create a JWT token
Redirect to the react app with JWT token in query params.
Save token and use it in consequtive requests
i'm trying to do a react app with a kotlin backend using auth0 as auth server.
I've the auth0-spa integrated in my react app so i can do a login, but the token i'm receiving ios an opaque token so when i'm sending to my app to authenticate my users, it's not a valid jwt (It's just a alphanumeric code without 3 jwt parts).
I'm reading that it's because auth0 spa framework does not allow to change response type to sokmething else than code so access token received it only works for /userinfo api os auth0.
My doubt is, how do i can use that token in my backend to validate it still using auth0-spa? Is there anyway or should i use auth0 non spa library?
You need to send the backend as an audience in the request for the token. The opaque token is only valid for auth0 apis.