Cookiecutter-django have endpoints /auth-token/ to get a token and /api/users/me/ for getting user info. But it does not seem to have a logout endpoint. Am I right?
And, if the serverside logout is needed, i will need to write it.
Can you confirm?
Thanks.
It looks like you are referring to the DRF part of the cookie cutter. There is no logout, what you want to do is write some endpoint that will delete/invalidate the instance of the respective Token model from your database.
If you are referring to the non-DRF part, there is a logout at /accounts/logout/.
Related
What I trying to do:
I have a post that users can comment on anything they want by sending to Backend content, userId, postId. Everything working fine BUT:
Someone, they know your userId they can use Postman or something same and send to my BE. That's not good!
I see some sites sending cookies and validating in the backend? How can I do that ?
By the way, I using Next-auth.
Thank you so much!
You need to use a backend (server) that stores the different users with their data and uses some sort of authentication to let particular users access to the services, based on their login credentials.
I have an angularjs controller where i call to many reports like this :
if(reporttype==21){
$scope.framesrc={src:"http://localhost/myapi/report21Service"+$scope.brandid}
}
if (reporttype=22_}
...
}
I can not create here a post request, am generating reports and a long huge story.
My question is, is there anyway to avoid users to call this request if they are outside the website? because now if you put the link in any tab, it will return all my data. Is there any way other than the post functinons and stuff ? like specify the origin of the request or something like this.
Well you have to implement a CSRF protection on your laravel server. its a simple concept, your server will generate a CSRF token on login or something and when you access the api you will attach the token with the request.
Refer this for more info. and this to implement CSRF on laravel.
If you have authentication, you can use a token to authenticate the user.
Another solution could be to block cross domain acess in your server.
ok solved,
first after the user login, I get the userid in session, then while accessing the api, if isset session userid return result, else return error. Now accessing the api outside the project without login is impossible.
PS: if the user login and tries another id, for other users, in the beginning of the function there's a condition that if he pass a parameter outside the result of the query that returns his brands, the report returns an error too.
Is there an out of the box way to do a client-side authentication check using the standard Loopback authentication/user model? I don't want to rely on the client side checks alone, but for something as simple as showing a "logout" button when a user is logged in it would be useful to check this on the client side.
I'm really looking to modify the DOM in Angular based on the response of an isAuthenticated function or something similar.
Thanks for any help.
There is actually an isAuthenticated function in the Loopback Angular SDK. Referenced here: https://github.com/strongloop/loopback-sdk-angular/blob/fb161b7eaa02df877fe894daa54e4bd0fa4e041e/CHANGES.md
Hmm... If the user has logged in, then you would have received an access token back in the response, which you use for all future API calls. If you have a token, then they are authenticated. If you aren't sure if it's a valid token you could just try to hit /User/[id]?access_token=[token] - if that fails, they are not authenticated any longer.
We started developing a RESTful app for registrations, signing in and posting some simple stuff. We're using AngularJS for the frontend which handles users registering, logging in, signing out etc.
The backend accepts the following paths:
POST /register (params: email, password)
POST /login (params: email, password)
POST /logout
After the user logs in, a JSON token is generated. This token is then used for each and every subsequent request - like GET /items or DELETE /items/5. Without that token every request is denied with a 401. This part works perfectly because I can use the API in a browser through AngularJS, in an iPhone/Android App and even for 3rd parties.
The only publicly exposed paths are /register and /login. While doing a POST on /login from the outside is natural and makes sense I'm worried that anyone can do a POST /register from the outside and just flood the server with registrations.
I found somebody doing a similar app, I just launched POSTMAN and did a POST query on /signup which worked.
http://www.mircozeiss.com/github-like-signup-form-with-angularjs-and-bootstrap-v3/
I can't help but think that this is not a best practice scenario when it comes to registering users. Registering users with Google+ or Facebook is not an optimal solution. Any ideas on how to prevent bogus/flood registrations from outside? Is there a way to secure this part of the API (/register)? Should I just rate limit the number of requests?
If it's free for all app, better X-Rate-Limit the register api endpoint like Github and all, otherwise just process register requests if it has a auth token with admin privileges (allowed to create credentials for other app-user).
The backend accepts the following paths:
POST /register (params: email, password)
POST /login (params: email,
password)
POST /logout
First of all, this is not a REST API, because it violates the stateless constraint of REST. Use encrypted connection and send the username and password in the HTTP basic auth header with every request. That is stateless.
Any ideas on how to prevent bogus/flood registrations from outside? Is
there a way to secure this part of the API (/register)? Should I just
rate limit the number of requests?
This does not depend on REST. You can do just the same with every web application which allows registration. Typical solutions to use a captcha or send a verification link in email. You can limit the rate, but that is not an effective solution.
Help me pick the right OAuth2 grant type for my Angular App and my REST API?
UX-wise I want just one login form on my front-end, that would ask for username/pass(no dialog asking for permissions). I think the "Resource Owner(Password) Grant" is the most appropriate for me(since I control front&backend), but I'm not sure how should I handle access token refresh.
Correct me if I wrong about the flow:
When user submits credentials through login form, access token is returned.
I can store this token in LocalStorage to make subsequent Ajax requests with it.
As I understand access tokens should be short-lived. And should be updated with Refresh token. Should the refresh token be returned with the access token after initial login and also stored on the client? If not what is the alternative?
Should there be any session maintained on the server to invoke access token refresh? or I should make calls from front-end to refresh the access token when it is about to expire. But then I need a refresh token on the front-end, right?
As you see there is a mess in my head about refresh token. Would be great to have some clarification or suggestion for another grant implementation.
Backend technology I guess is irrelevant here, but just in case it's Symfony2 with FOSOAuthServerBundle.
When you are calling the TOKEN endpoint (for every grant_type possible) on a OAuth Server, you get an access_token but other information as well (I think there are all here):
{
access_token: // your short-lived token
expires_in: // number of seconds before the access_token is invalid
token_type: // the type of the access_token
scope: // scopes of the access_token
refresh_token: // long-lived token to get a new access_token
}
You need, in my opinion, all these information (maybe the scope is unused, but all others will be used later). You have to store the access_token to ba able to make API calls. After seconds, your access_token will not work anymore. You will need to get a new one. You can either ask the user to log in AGAIN or use the refresh_token.
You will have to call the OAuth Server on the TOKEN endpoint but with a grant_type: refresh_token. You will have to provide the refresh_token from the first request (among other information) and in return you will have the same response as above. In fact, I think you will have to do that every time an access_token is expired. In my opinion, the server side does not know anything about sessions or connected users. It knows about valid and invalid access_token.
This is OAuth. If you don't want to have to refresh everytime, you can make a long-lived access_token (by setting the expires_in), I think this is the only solution that makes sens in an OAuth context.
Do you need some clarification about OAuth in general?