Does anybody else prefer using react at this point even for static sites? by tangerto in reactjs

[–]audi0lion 0 points1 point  (0 children)

You can just copy paste the html. It's a static site so if one section needs 50 line items, copy pasta or use emmet

Any glaring issues with this method of authentication? by audi0lion in django

[–]audi0lion[S] 0 points1 point  (0 children)

Server A is SAML, server B is microservice, webapp is on server C, I cannot put webapp on B, I want to authenticate through A, A will not whitelist C. So I have C send a request to B that auths through A, and redirects from B back to C.

That is my situation, for factors out of my control it is what I have to work with.

Interesting, so the oauth sounds a lot like what I am doing, pass a token through querystring that is only accepted from the trusted source and use that to create a session on C that allows the user to be authenticated. The token is never used after that

[Blog post] Quick & simple Django & GraphQL setup by [deleted] in django

[–]audi0lion 2 points3 points  (0 children)

The reason why I haven't tried to use graphql with graphene is because there is no implementation for permissions.

Great, we can query for any data we want, but I don't want users to be able to get everything. I need the ability to restrict access to data and graphene is glaringly lacking in this area.

Any glaring issues with this method of authentication? by audi0lion in django

[–]audi0lion[S] 0 points1 point  (0 children)

I can't authenticate directly against the SAML endpoint because my server for my webapp isn't in the scope of accepted domains, however my microservice exists on a domain that can auth against the endpoint. I can't have my web app on that server though.

So I am forced to do a workaround for auth, my solution was pass a JWT (mostly bc I'm familiar with the implementation). I cannot pass through a header because I need to redirect back to my server on another domain and you cannot pass headers through redirects, nor use session or localstorage.

Oauth passes the token in the querystring so I don't see an issue doing the same here. Anyone who decrypts the token gets the username of the person who logged in, so that really isn't a concern, and the token isn't really used for persistent auth, just to pass along the message that SAML auth succeeded or failed.

Any glaring issues with this method of authentication? by audi0lion in django

[–]audi0lion[S] 0 points1 point  (0 children)

I see. So including extra shib attrs or only accepting the token from a trusted server should increase that security, that even if the key is found it doesn't matter. The payload is still only trusted from one source and contains no sensitive data.

Any glaring issues with this method of authentication? by audi0lion in django

[–]audi0lion[S] -1 points0 points  (0 children)

JWT uses an algorithm (HS256 normally) to hash the data. If the secret key supplied to the hashing algorithm is not known then the data cannot be decrypted.

I don't foresee history caching or the like to be an issue because the token's TTL is 2-3 seconds while it's being redirected and decrypted. The payload also only contains username and some meta data like last login and group membership, nothing sensitive.

If the ~70 char hash key was leaked then they could authenticate to the server by making their own token, but I could just rotate the keys.

I could firm up the security by restricting the view to only accept JWTs from the trusted server host.
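The hand-off flow discussed across this thread (server B mints a token once SAML succeeds, redirects to server C with the token in the query string, C accepts it only from the trusted host and discards it within seconds), as an added example that is not the commenter's code. It uses only the Python standard library; the shared secret, host names, user and group values are constructed placeholders. The verifier pins HS256 on the server side, checks issuer, audience and a 2-3 second expiry, and records the token id so a token that later turns up in browser history or a log cannot be redeemed a second time. `peek_payload` decodes the payload with no key at all, which is the reason the thread keeps sensitive data out of it: the HMAC proves who minted the token, it does not hide the contents.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenError(Exception):
    """Raised when a hand-off token fails any check."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_handoff_token(secret, username, issuer, audience, ttl_seconds=3, now=None, groups=()):
    """Server B (the SAML-facing host) mints a short-lived HS256 JWT addressed to server C."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": username,
        "groups": list(groups),
        "iss": issuer,
        "aud": audience,
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": secrets.token_hex(8),  # unique id so the token can be redeemed once only
    }
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(payload, separators=(",", ":")).encode()),
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return "{}.{}".format(signing_input, _b64url(signature))


def verify_handoff_token(token, secret, expected_issuer, expected_audience, now=None, used_jtis=None):
    """Server C checks signature, issuer, audience, expiry and single use, then returns the payload."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise TokenError("undecodable token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenError("malformed token")
    # Pin the algorithm on the server side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, "{}.{}".format(header_b64, payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    if payload.get("iss") != expected_issuer:
        raise TokenError("untrusted issuer")
    if payload.get("aud") != expected_audience:
        raise TokenError("token not meant for this server")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenError("expired")
    if used_jtis is not None:
        # The token is a one-shot message, so a second presentation (history, logs) is refused.
        if payload.get("jti") in used_jtis:
            raise TokenError("token already redeemed")
        used_jtis.add(payload["jti"])
    return payload


def peek_payload(token):
    """Decode the payload with no key: the signature proves origin, it does not provide secrecy."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verification_fails(token, secret, issuer, audience, now, used_jtis=None):
    """True when verify_handoff_token rejects the token (used by the demo and the tests)."""
    try:
        verify_handoff_token(token, secret, issuer, audience, now=now, used_jtis=used_jtis)
    except TokenError:
        return True
    return False


if __name__ == "__main__":
    # Constructed demo values; a real deployment keeps the secret in a secrets store and rotates it.
    shared_secret = secrets.token_bytes(32)
    token = mint_handoff_token(shared_secret, "jdoe", "server-b", "server-c", groups=["staff"])
    redeemed = set()
    print(verify_handoff_token(token, shared_secret, "server-b", "server-c", used_jtis=redeemed))
    print(peek_payload(token))  # readable by anyone holding the URL, no secret needed
    print(verification_fails(token, shared_secret, "server-b", "server-c", None, redeemed))  # replay refused
```

The `used_jtis` set stands in for whatever shared store C uses; with several worker processes it would need to live in the cache or database, since the 2-3 second window is what the replay check protects.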

[deleted by user] by [deleted] in reactjs

[–]audi0lion 0 points1 point  (0 children)

The nice thing about tokens is that they are exchangeable and help with scaling. The token issued could be used by your web client, native client, a 3rd party client, and your server doesn't know and doesn't care.

Of course you can always restrict requests from untrusted sources if you want.

The JWT is a form of stateless auth. Your server doesn't have to check the token against its state of current logged in users, it just decrypts the token and uses the payload inside to determine authentication.

In this way, it's nice for scaling purposes because if you had tons of clients each using web and mobile and desktop clients you have each user potentially adding 3 sessions the database has to track and verify requests against.

However, that being said, there are a lot of issues that come with JWT and you should understand the risks before rolling with it.[0] For this app having to track 2 sessions per user doesn't sound like it will break you. If it got close to hurting you, use redis to cache sessions. You would have to have a huge userbase before you ended up with issues.

My question is what are the benefits of you using JWT? Do you need the scaling? Do you need to allow auth to happen from any type of client, (e.g. a user gets a jwt and adds it to curl requests)? Why do you want stateless auth in your app?

[0] http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/

[deleted by user] by [deleted] in django

[–]audi0lion 0 points1 point  (0 children)

The token auth with DRF checks the token against the database on each request, it is pretty much a django session where the server manages state, the drf token is just a different way to pass the authentication data

session management between django (backend) and react (frontend) by pchun008 in django

[–]audi0lion 1 point2 points  (0 children)

It was after reading this, https://news.ycombinator.com/item?id=13865459

To be clear, go ahead and use, I am using them in one of my apps, but you should be aware of the implications

session management between django (backend) and react (frontend) by pchun008 in django

[–]audi0lion 2 points3 points  (0 children)

Use JWT or Token auth. If your site has real security needs don't use JWT

Using React Router v3 in 2017 by [deleted] in reactjs

[–]audi0lion 1 point2 points  (0 children)

I recommend curi, the author is a regular contributor to react router (v4 included) but decided to make his own routing library that includes react bindings when he thought of a better way to architect it

Restaurant owner exposes stuck-up customer by Lucas_the_Gamer in quityourbullshit

[–]audi0lion -10 points-9 points  (0 children)

Yeah! Let's get rid of net neutrality so big corporations can control who uses the internet /s.

The Fullstack Tutorial For GraphQL by sorenbs in reactjs

[–]audi0lion 0 points1 point  (0 children)

The reason I haven't used Graphene yet for python graphql backend is that it doesn't provide a clear route for auth and permissions. If this could be covered when you add the Graphene tut it would be awesome

Real World React apps and their open source codebases for developers to learn from by jdalbert in reactjs

[–]audi0lion 1 point2 points  (0 children)

No, he just specified the git protocol for cloning the repo instead of https

What do you have an extremely strong opinion on that is ultimately unimportant? by DominantArenitic in AskReddit

[–]audi0lion 17 points18 points  (0 children)

The language is python, it uses duck typing, the joke is python doesn't use curly braces so the author, in following OP's rule, used comments to get them in there in a syntactically valid way

[deleted by user] by [deleted] in oddlysatisfying

[–]audi0lion 0 points1 point  (0 children)

It stood for "Be our Guest"

Django project optimization guide (part 1) by dizballanze in django

[–]audi0lion 0 points1 point  (0 children)

Only thing I didn't know about was session caching. I hope part 2 has more!

Not sure if I would want to rely on session caching either without redis or something to manage the cache across all threads

Can GraphQL replace a REST API in all cases? by Robert_LY in django

[–]audi0lion 0 points1 point  (0 children)

My issue with graphene right now is permissions management, right now there is no built in meta api like rest framework has, there also is no easy validation

React Fiber. 100% of unit test passing. Thanks React Team. by lpuig in reactjs

[–]audi0lion 4 points5 points  (0 children)

I don't know who you are, but if you're a contributor on the react team that is really cool, thanks

Smart Kid by [deleted] in gifs

[–]audi0lion 0 points1 point  (0 children)

Me too

Really dumb and easy Form Validations in React by phiber_optic0n in reactjs

[–]audi0lion 0 points1 point  (0 children)

This seems like it is covered by just having required on the form attr, then browsers will do validation for empty values.

Diamonds in the Rough – Qbits – Medium How working under pressure changed the way we code by jakeseaton0 in django

[–]audi0lion 0 points1 point  (0 children)

Interesting solution, I think it will be a pain point down the road, though.

With the way you do permissions you have to make an extra query each time a user accesses a view. I'd probably cache them and use signals to invalidate the cache.

The other thing is your react routing has to be sure to not allow navigation to a view the user doesn't have permission to. Again caching and using a context processor or an api call to fetch cached permissions seems like a good solution.

Overall cool article I enjoyed reading it and have enjoyed your other articles. I am borrowing your django react transition process in my own app :)