Search code examples
djangoangularjstastypie

Correct method to create a login using angularjs resource and RESTApi

I used Django Tastypie to build my api and i'm thinking in the correct way to create a login form so the user can login in the application, right now what I do is send a GET request with username/password he submited in the form as filtering options, but i'm pretty sure thats not secure at all. How can i do the same using POST request?

When i open the console with firebug:

GET URL/app/api/v1/user/?email=USER&password=PASS

Api-Auth and Content-Type are on the header.

Solution

  • @leosilvano

    Don't handle user authentication and authorization using angular js not that its impossible but just that its not too secure and implementing also take some effort when Django's provides something which far easy than this.

    I happen to be using django + angularjs + tastypie (REST API ). If you like take a look at my way of implementation.

    Include your index.html of the angularJs in your templates ( Django Templates ) and place your directives, controllers, js, css and etc in the static folder ( Django Static ). Make your API calls after the auth processes. This will work seamlessly and you will run into less issues as well.

    Reasons:

    1. user_auth models becomes so handy while registering and logging in using templates and you don't need to sweat trying to write your own authentication which i'm sure you have to do when you go with Angular Js login auth implementation.
    2. Use of decorators like for a view lets say "profile" if you need to check if the user is logged in all you need to do it something like the following 
    

    @login_required(login_url='/login/')
    def profile(request):
        return render_to_response('profile.html')

    1. Passing password through "GET" is bad .. and passing auth values through "POST" and getting it via JSON .. is also not a good idea. Because you will be susceptible to middle-man attacks ..

    2. Remember you have to take measures for CORS requests when using Angularjs for login since anyone can view the json response and they will be able to reproduce the same structure. Implementing Perm-Mixins and Groups is way more easier when using Django templates.

    3. Handling exceptions like 404 or if you want to handle only post requests and thereby take user to a custom page ( actions like redirect ) becomes difficult. I am aware of SPA's but still if there happens to be redirection .. in my case i needed to redirect to another site. Following shows how simple it can be achieved including http statuses.

    

    if request.method != 'POST':
            return HttpResponseNotFound(render_to_response('404.html', { 'message' : 'Only POST Requests are allowed for authentication process.', 'baseurl' :request.build_absolute_uri('/').rstrip('/')}))

    Solution:

    1. Use Angular Js and REST (Tastypie) interaction to happen after you login. Use Django template for login authorization. Make use of the django modules .. it saves a lot of time.

    2. If you still want to login using REST API .. by send post to django .. please take a look at the following post How can I login to django using tastypie