
Handling of django authentication with multiple apps


Can't find a solution to a simple problem from current SO questions.

I have 2 apps in a django project.
App1 is from the graph tutorial found here
App2 will allow the users to list data from a DB; in this case it will be branch names.

If I try to access a page with the @login_required decorator, then the URL route has /accounts/login/ added and I get the usual "can't find" error.

Page not found (404)
Request Method: GET
Request URL:    http://localhost:8000/accounts/login/?next=/calendar

Using the URLconf defined in graph_project.urls, Django tried these URL patterns, in this order:

[name='home']
about [name='about']
signin [name='signin']
signout [name='signout']
calendar [name='calendar']
callback [name='callback']
branches/
admin/
branches/
The current path, accounts/login/, didn't match any of these.

If I am reading the Django docs correctly, then this is the default and I can redirect the login path using LOGIN_URL in the project settings. When I set that to the signin function created in the tutorial for App1

def sign_in(request):
  # Get the sign-in URL
  sign_in_url, state = get_sign_in_url()
  # Save the expected state so we can validate in the callback
  request.session['auth_state'] = state
  # Redirect to the Azure sign-in page
  return HttpResponseRedirect(sign_in_url)

It will forever cycle the MS OAuth login but never access the requested page once completed. If I leave LOGIN_URL out of settings, it adds accounts/login/ to the URL, as that is the default.

What am I not understanding about how to have login/logout requests handled by the functions in App1 for any requests made in other apps when the request is behind a @login_required decorator? And why does it not check if I am already authenticated, when I can see it holds my name/email/calendar calls if I do not have a @login_required decorator and move between pages?

Thanks


Solution

  • I reached out to the support team on Django-Project.
    One of the maintainers had a look over my source and all seemed fine on my end; he also checked the tutorial link I provided in the question.

    His exact words were:

    > Personally, I’m a bit suspicious with how they’re doing this. I’ve read through the tutorial and it looks to me like they’ve taken some shortcuts with managing the user in the session.

    That is enough for me to drop that route and look somewhere else. He offered these as suggestions, should anyone care to look into what I moved on to using:

    - Azure AD pypi: https://pypi.org/project/django-azure-ad-auth/
    - Django Auth Docs: https://django-auth-adfs.readthedocs.io/en/latest/
    - MS Django Auth: https://pypi.org/project/django-microsoft-auth/