authentication


Tony
Mar 1, 2011, 3:56:22 PM
to Tastypie
So, I was using Django and Tastypie on the development server and the
authentication worked fine. Now I have put it on WebFaction and
Tastypie denies me on authentication even when I do enter the correct
username and password. As an add-on to this question, I am new to
Tastypie and perhaps I am a slow learner, but I haven't figured out the
best way to actually package and send posts to Tastypie and how to
properly "unpackage" them. Any help on these matters would be awesome.

Daniel Lindsley
Mar 1, 2011, 6:40:20 PM
to django-...@googlegroups.com
Tony,


Without seeing what ``Authentication`` class you're using & what
you're trying to send, it's hard to know what's going wrong. Seeing a
pastebin of the code would help greatly.

As far as sending data, Tastypie accepts any supported content-type
it can deserialize. At current, that's JSON/XML/YAML. To POST data,
you create a serialized version of what you want to send (say as
JSON), then post that JSON as the body of a request to the API. You
can find examples of this in the test suite (for example -
https://github.com/toastdriven/django-tastypie/blob/master/tests/basic/tests/views.py#L43).

If you need to post-process that data once it's been deserialized,
you'll need to hook into the ``hydrate`` portions of the ``Resource``
(you can think of this as being similar to ``Form.clean_FOO`` &
``Form.clean`` in Django). Again, there are examples in the test
suite.

The goal is to get these things documented, but my time has been
short lately.


Daniel

Tony Lambropoulos
Mar 1, 2011, 11:40:33 PM
to django-...@googlegroups.com
I have put my API code here: http://pastebin.com/pFhRgZP1.

Daniel Lindsley
Mar 2, 2011, 3:09:38 AM
to django-...@googlegroups.com
Tony,


The code looks fine (though you're lacking
``authentication/authorization`` on ``UserResource``, dunno if that's
important or not). The next question is which resource are you trying
to access, what HTTP method are you using and have you provided your
HTTP Basic auth credentials for an authorized user when performing the
request?


Daniel

Tony Lambropoulos
Mar 2, 2011, 12:51:28 PM
to django-...@googlegroups.com
Well, the first issue is, even when I just go to look at the entire task resource (like /api/v1/tasks/?format=json), the authentication comes up and I enter a valid username and password but still get denied. Again, this only started happening when I moved my project to an actual server from the dev server. I will ideally be using all the HTTP methods given (POST, PUT, DELETE, GET), so any advice on that would be really helpful. Another thing, I'm assuming this is possible, but could I use a login page in place of the django-tastypie pop-up login for the authentication part? Also, just out of curiosity, how long does it take to become good enough to write such an app like you have and really understand the ins and outs? I've been working with Django and some Python for a few months now and I understand a lot more, but there's still so many things I don't get. I looked at your code and I can only vaguely follow. I appreciate the help.

Greg
Mar 2, 2011, 1:06:55 PM
to django-...@googlegroups.com
Tony -

Are you using Apache with mod_wsgi? If so, make sure you are passing authentication through to Django with the WSGIPassAuthorization directive. See the mod_wsgi docs for more info.

Best,
Greg
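
As an added check (not code from this thread, from Tastypie or from mod_wsgi), a minimal WSGI app that reports whether the HTTP Authorization header actually reached Python, together with the Basic-credential parsing any such check has to do; the environ dicts at the bottom are constructed to mimic Apache with the directive on and off.

```python
# Added diagnostic, not code from the thread, Tastypie or mod_wsgi.
# Deploy behind Apache + mod_wsgi (or under wsgiref) to confirm whether the
# Authorization header reaches the application. mod_wsgi strips it unless the
# Apache config has `WSGIPassAuthorization On`, so a Basic-auth check in
# Django never sees the credentials and fails even for a correct password.
import base64
import binascii
import json


def parse_basic_credentials(environ):
    """Return (username, password) from HTTP_AUTHORIZATION, or None if absent/invalid."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (username, password) if sep else None


def application(environ, start_response):
    """WSGI entry point: reports header presence and the parsed username, never the password."""
    creds = parse_basic_credentials(environ)
    report = {
        "authorization_header_present": "HTTP_AUTHORIZATION" in environ,
        "parsed_username": creds[0] if creds else None,
    }
    body = json.dumps(report).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_check(environ):
    """Call the app in-process (no server needed) and return the decoded report."""
    def start_response(status, headers):
        pass
    return json.loads(b"".join(application(environ, start_response)).decode("utf-8"))


# Constructed environ dicts standing in for what Apache hands mod_wsgi with the
# directive On (header forwarded) and with the default Off (header stripped).
ENV_FORWARDED = {"REQUEST_METHOD": "GET",
                 "HTTP_AUTHORIZATION": "Basic " + base64.b64encode(b"tony:s3cret").decode()}
ENV_STRIPPED = {"REQUEST_METHOD": "GET"}
```

If `run_check(ENV_STRIPPED)`-style output is what the deployed app returns for a request that did carry credentials, the header is being dropped in front of Django rather than rejected by Tastypie.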

Tony Lambropoulos
Mar 2, 2011, 3:54:33 PM
to django-...@googlegroups.com
Awesome, that did work. Is there any way, now, that I could have a login page at another location that could be used for authorization, rather than having the Tastypie auth pop-up?

Tony Lambropoulos
Mar 2, 2011, 3:58:23 PM
to django-...@googlegroups.com
I guess I would use OAuth; how is that implemented with Tastypie?

Josh Bohde
Mar 2, 2011, 4:04:06 PM
to django-...@googlegroups.com
It's pretty easy to do. Here's a gist of the auth class needed: https://gist.github.com/754329. That being said, this is a bad idea. It makes CSRF attacks easy.

Just saw your other message come in. OAuth isn't included, but there was a pull request for it: https://github.com/toastdriven/django-tastypie/pull/71. There's a gist in the discussion there that may work.

Tony Lambropoulos
Mar 2, 2011, 5:25:54 PM
to django-...@googlegroups.com
Yeah, I had thought about CSRF attacks and wondered if that would be a problem. I don't know too in depth exactly how someone would manipulate my app, but is there any other way to update, get, and view my server data remotely (not from the domain) without potential CSRF attacks? Or at least lower the chances to a reasonable level?

Josh Bohde
Mar 2, 2011, 6:12:14 PM
to django-...@googlegroups.com
This is a complicated question, and depends on the security needs of your app. You could use the built-in API key auth (http://toastdriven.github.com/django-tastypie/authentication_authorization.html#apikeyauthentication), and include it on the page. They could then use any client to manipulate the data using an HTTP library.

The issue with cookie-based auth (besides making it difficult to use from anything but a browser) is that any site can use the built-in JSONP support and GET data as if they were that user. This may actually be desirable, but is usually handled better by OAuth or an API key, allowing the user to specifically grant permission to use this data.

Tony Lambropoulos
Mar 2, 2011, 8:51:34 PM
to django-...@googlegroups.com
Well, this may sound ridiculous, but my idea was to use an API setup to communicate with users' browser extensions and store some user data on the backend with Django. I want them to ideally have a username and password so if they wanted they could access their data from another computer that has the extension. a) Is this possible? (because I feel like it must be) and b) Is this a silly way to go about it? Like in terms of security, speed, etc. I'm wondering if I could do some sort of user-initiated upload to the database, like they can use localStorage and then press a certain button to upload their data at the end of their session or something. Anyway, I'm sort of rambling, but again, I appreciate all the help.

Daniel Lindsley
Mar 3, 2011, 2:24:54 AM
to django-...@googlegroups.com
Tony,


It's possible to do that and I don't think it's a silly use of an
API. You're storing user data from a not-necessarily-web-based program
& allowing fetching that same data elsewhere (if I understand
correctly), which seems perfectly reasonable.

Where this breaks down a bit is the "login" screen. What comes with
Tastypie is written largely for machine access & sending the
credentials upon each request. REST-style APIs ideally should be
stateless, which establishing a session via a login form isn't. That
said, with a custom view to get them to do the usual Django login
dance (think django-registration) & a custom ``Authentication`` class
in Tastypie that checks ``request.user.is_authenticated``, you
shouldn't need much code to get there & make it work.


Daniel
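
An added illustration (not the thread's or Tastypie's own code) of the custom ``Authentication`` class Daniel describes, extended with guards for the two risks Josh raised earlier: CSRF on writes and JSONP reads under a session cookie. The user and request objects are constructed stand-ins so it runs without Django.

```python
# Added example, not code from the thread or from Tastypie. It models the
# Tastypie Authentication interface (is_authenticated(request) -> bool,
# get_identifier(request)) on a constructed request so it runs without Django;
# in a project the same logic goes into a subclass of
# tastypie.authentication.Authentication, and Django's CsrfViewMiddleware
# should do the CSRF check rather than this simplified comparison.
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class SessionAuthentication:
    """Accept the Django session, with guards for the two risks raised in the thread."""

    def is_authenticated(self, request, **kwargs):
        user = getattr(request, "user", None)
        authed = getattr(user, "is_authenticated", False)
        if callable(authed):  # a method in older Django, a property in newer
            authed = authed()
        if not authed:
            return False
        # A third-party page could load ?format=jsonp in a <script> tag and read
        # the response as the logged-in user, so refuse JSONP for session users.
        if request.GET.get("format") == "jsonp" or "callback" in request.GET:
            return False
        if request.method.upper() in SAFE_METHODS:
            return True
        # Writes need a CSRF token matching the cookie, otherwise any site could
        # POST/PUT/DELETE with the victim's session cookie attached.
        cookie = request.COOKIES.get("csrftoken", "")
        token = request.META.get("HTTP_X_CSRFTOKEN") or request.POST.get("csrfmiddlewaretoken", "")
        return bool(cookie) and hmac.compare_digest(cookie, token)

    def get_identifier(self, request):
        return request.user.username


class FakeUser:
    """Constructed stand-in for a Django user (only the attributes used above)."""
    def __init__(self, username, authenticated=True):
        self.username, self.is_authenticated = username, authenticated


class FakeRequest:
    """Constructed stand-in for django.http.HttpRequest."""
    def __init__(self, method, user, GET=None, COOKIES=None, META=None, POST=None):
        self.method, self.user = method, user
        self.GET, self.COOKIES = GET or {}, COOKIES or {}
        self.META, self.POST = META or {}, POST or {}
```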
