How to deal with a front-end that does not share the same domain in Django

I am facing a big problem with my sessions in a Django project.

The back-end is hosted at .my-domain.org and the front-end consumes the REST API of the back-end at .front-end.com. In the future, other front-ends on completely different domains might appear.

How do I deal with such a situation when I use the session framework provided by Django? It seems like SESSION_COOKIE_DOMAIN only allows session cookies to be set on one subdomain. The result is that if I want to be able to login at .my-domain.org (i.e., SESSION_COOKIE_DOMAIN = None) then I am not able to receive the session cookie back from .front-end.com when it calls API endpoints. On the other hand, setting SESSION_COOKIE_DOMAIN to .front-end.com would prevent me from connecting to the site admin. The situation is also impacted by SESSION_COOKIE_PATH of course...

Any help is more than welcome. I am quite sure I'm not the first one who needs a REST API with session authentication to be accessible from external domains.

Buddyshot asked Nov 30 '14 18:11



1 Answer

Django uses cookies for session-based authentication, and those cannot typically be set across multiple domains. While you can work around this slightly with CORS and withCredentials, this may be blocked by default in some browsers.

You are generally better off working with another authentication method when working across domains. Even if you are able to get CORS to work with cookies, you will also have to battle CSRF across domains, which Django REST Framework points out in their documentation. I would recommend OAuth 2 because of the wide client support and the support within Django REST Framework for it, but others have used TokenAuthentication without issues.

When using OAuth, you will need to set up your front end as a client and use the web authentication flow for authentication, as otherwise you are leaving private keys out in the open, which doesn't end well. This will work in a similar way to "single sign-on", but without requiring your front end to sign requests and hold private keys. You also won't need to bother with CSRF, as Django REST Framework only requires it for SessionAuthentication.

Kevin Brown-Silva answered Oct 09 '22 23:10
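The three points the answer makes (a session cookie is scoped by the domain the backend sets it for and some browsers block it as a third-party cookie, credentialed CORS needs an exact origin rather than a wildcard, and a header-carried token is untouched by cookie scope and CSRF) as an added, stdlib-only Python model. This is not code from the question, the answer, Django or Django REST Framework; the hosts, session ids, tokens and origin allow-list are constructed placeholders, and the same-site test is a simplification (last two labels instead of the public suffix list).

```python
"""Added example: a small model of cookie scoping, credentialed CORS and
header token auth as they apply to a REST API called from another domain.
Hosts, ids and tokens below are constructed placeholders, not real values."""
from typing import Optional, Tuple

# --- constructed fixtures (placeholders) ----------------------------------
BACKEND_HOST = "api.my-domain.org"
FRONTEND_ORIGIN = "https://www.front-end.com"
ALLOWED_ORIGINS = {FRONTEND_ORIGIN}            # origins the backend's CORS policy trusts
SESSION_STORE = {"sess-abc": "alice"}          # sessionid cookie value -> user
TOKEN_STORE = {"tok-123": "alice"}             # DRF-style token -> user
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def _domain_match(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def _site(host: str) -> str:
    """Simplified 'site' (last two labels); browsers use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def cookie_accepted(set_by_host: str, cookie_domain: Optional[str]) -> bool:
    """A browser ignores a Set-Cookie whose Domain attribute does not cover the
    host that sent it (RFC 6265 section 5.3). A backend on my-domain.org
    therefore cannot issue a cookie for .front-end.com at all."""
    return cookie_domain is None or _domain_match(set_by_host, cookie_domain)


def cookie_sent(set_by_host: str, cookie_domain: Optional[str], request_host: str,
                page_host: str, with_credentials: bool, blocks_third_party: bool) -> bool:
    """Whether a cross-origin fetch from a page on page_host carries the cookie:
    it needs withCredentials, a domain match (a host-only cookie only goes back
    to the exact host), and a same-site page if third-party cookies are blocked."""
    if not with_credentials:
        return False
    if cookie_domain is None:
        if request_host.lower() != set_by_host.lower():
            return False
    elif not _domain_match(request_host, cookie_domain):
        return False
    if blocks_third_party and _site(page_host) != _site(request_host):
        return False
    return True


def cors_headers(origin: str, credentialed: bool) -> dict:
    """Response headers the backend must emit for a trusted origin. When the
    request is credentialed the browser rejects a '*' origin, so the exact
    origin is echoed (with Vary: Origin) and Allow-Credentials is set."""
    if origin not in ALLOWED_ORIGINS:
        return {}  # the browser withholds the response from the page
    hdrs = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if credentialed:
        hdrs["Access-Control-Allow-Credentials"] = "true"
    return hdrs


def authenticate(method: str, headers: dict, cookies: dict) -> Tuple[Optional[str], str]:
    """Order mirrors a DRF setup listing TokenAuthentication before
    SessionAuthentication: a valid token needs neither a cookie nor a CSRF
    check; a session login is CSRF-checked on unsafe methods (the header must
    match the csrftoken cookie, as in Django's double-submit scheme)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Token "):
        user = TOKEN_STORE.get(auth[len("Token "):])
        return (user, "token") if user else (None, "invalid token")
    user = SESSION_STORE.get(cookies.get("sessionid", ""))
    if user is None:
        return None, "no credentials"
    if method.upper() not in SAFE_METHODS and headers.get("X-CSRFToken") != cookies.get("csrftoken"):
        return None, "csrf failed"
    return user, "session"


def scenarios() -> dict:
    """The cases from the question and the answer, as name -> outcome."""
    fe_host = FRONTEND_ORIGIN.split("://", 1)[1]
    sess = {"sessionid": "sess-abc", "csrftoken": "c1"}
    return {
        # SESSION_COOKIE_DOMAIN = '.front-end.com' on a backend at my-domain.org
        "cookie_for_front_end_domain_accepted": cookie_accepted(BACKEND_HOST, ".front-end.com"),
        # SESSION_COOKIE_DOMAIN = None, fetch from front-end.com with credentials
        "host_only_cookie_sent": cookie_sent(BACKEND_HOST, None, BACKEND_HOST, fe_host, True, False),
        "host_only_cookie_sent_3p_blocked": cookie_sent(BACKEND_HOST, None, BACKEND_HOST, fe_host, True, True),
        "cors_for_trusted_origin": cors_headers(FRONTEND_ORIGIN, True),
        "cors_for_untrusted_origin": cors_headers("https://untrusted.example", True),
        "session_post_without_csrf": authenticate("POST", {}, sess),
        "session_post_with_csrf": authenticate("POST", {"X-CSRFToken": "c1"}, sess),
        "token_post_no_cookies": authenticate("POST", {"Authorization": "Token tok-123"}, {}),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

Running the module prints each scenario; the token case succeeds on a POST with no cookies and no CSRF header, while the session case needs both the cookie to survive the browser's scoping rules and a matching CSRF token.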