Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ajax session to API authentication bridging #635

Closed
ian-ross opened this issue Sep 2, 2016 · 3 comments
Closed

Ajax session to API authentication bridging #635

ian-ross opened this issue Sep 2, 2016 · 3 comments
Assignees
@oliverroick @ian-ross @bjohare
Milestone
Sprint 9

Comments

@ian-ross
Copy link
Contributor

ian-ross commented Sep 2, 2016

We use two different forms of user authentication:

  • When a user logs in on the platform site, we store a session token as a cookie in their browser, and this is used to authenticate the user for access control;
  • For API requests, the user makes a request to the api/v1/account/login endpoint to get an authentication token. This token is then used for authentication in subsequent API requests, by including an HTTP header of the form Authorization: Token <token> where <token> is the authentication token returned from the login endpoint.

The only problem with this setup comes when it becomes necessary to make API requests from the platform Javascript code using Ajax. There needs to be some mechanism to "bridge" the session-based authentication to the token-based authentication used by the API endpoints. At the moment, I believe (based on some admittedly not very good experiments -- see below) that, even if the session cookie is being passed as part of Ajax requests (and I'm not even sure about that), it's not being interpreted as proof of authentication by the djoser API authentication backend.

We need to do something about this before we get into making Ajax API requests from the front-end Javascript (which is going to happen soon).

Experiment

Add the following to the bottom of cadasta/templates/core/base.html:

<script>
$.ajax('http://localhost:8000/api/v1/organizations/cadasta/projects/london-1/resources/', { complete: console.log, withCredentials: true });
</script>

Log in and add some resources to the "London 1" project in the "Cadasta" organization.

Observe that the console log shows an empty list of resources for the Ajax requests whenever a page load happens, even as you add resources to the project.

What's happening here is that you're getting the resource list than an unauthenticated user would see.
@ian-ross ian-ross mentioned this issue Sep 2, 2016
Closed
@ian-ross
Copy link
Contributor Author

ian-ross commented Sep 2, 2016

It seems that this can be fixed by adding rest_framework.authentication.SessionAuthentication to the DEFAULT_AUTHENTICATION_CLASSES in the REST_FRAMEWORK section of the Django settings. If you do this, Ajax calls from the platform Javascript work fine (you don't even seem to need to set the withCredentials flag in the $.ajax call).

@oliverroick
Copy link
Member

@ian-ross Yes that's it I think. I remember that we had the same problem at UCL, and it was a quick fix.

@wonderchook wonderchook added this to the Sprint 9 milestone Sep 6, 2016
@ian-ross
Copy link
Contributor Author

Fixed by @bjohare in #656

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@oliverroick oliverroick

@ian-ross ian-ross

@bjohare bjohare

Labels
None yet
Projects
None yet
Milestone
Sprint 9
Development

No branches or pull requests
5 participants
@wonderchook @oliverroick @seav @ian-ross @bjohare