DEV Community: Ahmed Atalla The latest articles on DEV Community by Ahmed Atalla (@a_atalla). https://dev.to/a_atalla https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F333224%2F7c64710f-2ff5-420f-92b6-c2fb0b1984b9.jpg DEV Community: Ahmed Atalla https://dev.to/a_atalla en Dokku the heroku alternative for solo developers Ahmed Atalla Sun, 04 Sep 2022 07:28:01 +0000 https://dev.to/a_atalla/dokku-the-heroku-alternative-for-solo-developers-3ela https://dev.to/a_atalla/dokku-the-heroku-alternative-for-solo-developers-3ela <h2> Heroku and free plan </h2> <p>In a blog post published at August 25, 2022 , Heroku general manager stated that they will stop offering free dynos <code>dyno is heroku computing unit</code> starting November, 28 2022, check the <a href="https://blog.heroku.com/next-chapter">blog post</a> and <a href="https://help.heroku.com/RSBRUH58/removal-of-heroku-free-product-plans-faq">Remove free products plan</a></p> <p>This decision will affect solo developers who use heroku to te st their ideas or host projects at early stage, and regarding to how easy it is to use heroku now we need an alternative</p> <h2> Dokku </h2> <p>what is <a href="https://dokku.com/">dokku</a> ?</p> <blockquote> <blockquote> <p>An open source PAAS alternative to Heroku.<br> Dokku helps you build and manage the lifecycle of applications from building to scaling.</p> </blockquote> </blockquote> <p>Dokku is an extensible, open source Platform as a Service that runs on a single server of your choice. Dokku supports building apps on the fly from a git push via either Dockerfile or by auto-detecting the language with Buildpacks, and then starts containers based on your built image. Using technologies such as nginx and cron, Web processes are automatically routed to, while background processes and automated cron tasks are also managed by Dokku.</p> <h2> Getting started </h2> <h3> Minimum requirement to run dokku are: </h3> <ul> <li>A fresh installation of <code>Ubuntu 18.04/20.04/22.04</code> or <code>Debian 10+ x64</code>.</li> <li>At least 1 GB of system memory.</li> <li>Attaching at least one domain name to your server ip, say <code>example.com</code>.</li> </ul> <h3> Installation </h3> <ul> <li>First ssh into your remote server.</li> <li>Download the <code>bootstrap.sh</code> installation script </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> wget https://raw.githubusercontent.com/dokku/dokku/v0.28.1/bootstrap.sh </code></pre> </div> <ul> <li>Run the installer script by prefixing with <code>DOKKU_TaG=xxx</code> env variable to specify which version you want, latest is better offcourse </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> sudo DOKKU_TAG=v0.28.1 bash bootstrap.sh </code></pre> </div> <ul> <li><p>This command will automatically use <code>apt</code> to update and install dependecies such as docker, then it will created the required containers, also a new user <code>dokku</code> will be created</p></li> <li><p>Next step is to add your public ssh key to be able to run dokku commands remotly, because dokku doesn't have a cli to install on your local machine like <code>heroku toolbel</code></p></li> </ul> <p>To add your key, get the content from your local machine, the key filename usually called <code>id_rsa.pub</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cat ~/.ssh/id_rsa.pub </code></pre> </div> <p>copy the file content and then on the remote server run this last command<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>echo "your-public-key-contents-here" | dokku ssh-keys:add admin </code></pre> </div> <p>once this is done, you can execute <code>dokku</code> commands remotly from your locall machine like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ssh dokku@example.com apps:List ssh dokku@example.com domains:report --global </code></pre> </div> <ul> <li>Now we need set the domain as a dokku global domain. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ssh dokku@example.com domains:add-global example.com # check your setup ssh dokku@example.com domains:report --global =====&gt; Global domains information Domains global enabled: true Domains global vhosts: example.com </code></pre> </div> <p>with this done, any app you deploy will be available at <code>app-name.example.com</code> by default unless you add another domain specific to the app</p> <p>now you can create a new empty app like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># From remote server shell dokku apps:create my-first-application # From your local machine ssh dokku@&lt;domain&gt; apps:create my-second-app </code></pre> </div> <p>In the next article i will show you how to deploy a NextJS application to your server</p> dokku heroku docker Build saleor dashboard docker image that accept environment variables Ahmed Atalla Mon, 25 Apr 2022 23:22:00 +0000 https://dev.to/a_atalla/build-saleor-dashboard-docker-image-that-accept-environment-variables-584i https://dev.to/a_atalla/build-saleor-dashboard-docker-image-that-accept-environment-variables-584i <blockquote> <p>This hack is no longer needed as it is implemented in the official docker images, in this <a href="https://github.com/saleor/saleor-dashboard/pull/2473">PR</a></p> </blockquote> <p>Saleor as mentioned in its <a href="https://saleor.io/">landing page</a> is </p> <blockquote> <p>An open-source, GraphQL-first e-commerce platform delivering ultra-fast, dynamic and personalized shopping experiences.</p> </blockquote> <p>Saleor is built as separate components</p> <ul> <li> <code>saleor-core</code> which is the graphql api</li> <li> <code>saleor-dashboard</code> which is the amdin area for the app</li> <li> <code>saleor-storefront</code> which is the user facing part of the ecommerce platform</li> </ul> <p>Usually, we as developers use the first 2 components as provided by the saleor team and build a custom storefront on top of it </p> <h3> The problem </h3> <p>The <code>saleor-dashboard</code> is a react app that is build as a static site in a docker container but to do that we have to provide the API_URI at the build time <br> so for example if you have 4 environment <code>development</code>, <code>stagging</code>, <code>test</code> and <code>production</code> then you will need to build 4 different versions of the dashboard </p> <p>i looked a round to see if someone else asked the same question and i found this <a href="https://github.com/saleor/saleor-dashboard/issues/1592">issue #1592</a></p> <h3> My solution </h3> <p>The only answer on the above mentioned issue suggested that modifying the <code>config.ts</code> and <code>index.html</code> file would do the trick, so i will explain how you can do it manually, then feel free to automate the process </p> <h4> Get the dashboard code </h4> <p>clone the repo and checkout the version you need to build<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone <span class="nt">--depth</span> 1 <span class="nt">--branch</span> &lt;ref&gt; https://github.com/saleor/saleor.git </code></pre> </div> <h4> Config file </h4> <p>we will create a bash script <code>env.sh</code> that read the <code>$API_URI</code> env variable and generate a config javascript file, this script will run every time before the docker container started</p> <p>notice that the docker container will serve the dashboard from a folder called <code>dashboard</code> that is why the script will generate the env file in the same folder<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="cp">#!/bin/bash </span><span class="nx">target_file</span><span class="o">=</span><span class="p">.</span><span class="o">/</span><span class="nx">dashboard</span><span class="o">/</span><span class="nx">env</span><span class="o">-</span><span class="nx">config</span><span class="p">.</span><span class="nx">js</span> <span class="nx">touch</span> <span class="nx">$target_file</span> <span class="nx">rm</span> <span class="o">-</span><span class="nx">rf</span> <span class="nx">$target_file</span> <span class="nx">echo</span> <span class="dl">"</span><span class="s2">window._env_ = {</span><span class="dl">"</span> <span class="o">&gt;&gt;</span> <span class="nx">$target_file</span> <span class="nx">echo</span> <span class="dl">"</span><span class="s2"> API_URI: </span><span class="se">\"</span><span class="s2">$API_URI</span><span class="se">\"</span><span class="s2">,</span><span class="dl">"</span> <span class="o">&gt;&gt;</span> <span class="nx">$target_file</span> <span class="nx">echo</span> <span class="dl">"</span><span class="s2">}</span><span class="dl">"</span> <span class="o">&gt;&gt;</span> <span class="nx">$target_file</span> </code></pre> </div> <p>The generated file should look like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nb">window</span><span class="p">.</span><span class="nx">_env_</span> <span class="o">=</span> <span class="p">{</span> <span class="na">API_URI</span><span class="p">:</span> <span class="dl">"</span><span class="s2">&lt;api-url-from-env&gt;</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <h4> Modify <code>src/index.html</code> </h4> <p>Edit the main html file of the dashboard and add this script tag on the head<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"viewport"</span> <span class="na">content=</span><span class="s">"width=device-width, initial-scale=1.0, user-scalable=no"</span><span class="nt">&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"robots"</span> <span class="na">content=</span><span class="s">"noindex"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>Saleor e-commerce<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"/dashboard/env-config.js"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="c">&lt;!-- add this line--&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"dashboard-app"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h4> Modify <code>src/config.ts</code> </h4> <p>now we will read the <code>API_URI</code> from the <code>window</code> object at the runtime instead of reading it from environment at build time<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">packageInfo</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../package.json</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SearchVariables</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./hooks/makeSearch</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ListSettings</span><span class="p">,</span> <span class="nx">ListViews</span><span class="p">,</span> <span class="nx">Pagination</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./types</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">APP_MOUNT_URI</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_MOUNT_URI</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">APP_DEFAULT_URI</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// remove this line</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">API_URI</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">API_URI</span><span class="p">;</span> <span class="c1">// add these 2 lines, typescript build would fail without the @ts-ignore</span> <span class="c1">// @ts-ignore</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">API_URI</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">_env_</span><span class="p">.</span><span class="nx">API_URI</span><span class="p">;</span> <span class="p">....</span> <span class="p">....</span> </code></pre> </div> <h4> Modify <code>Dockerfile</code> </h4> <p>for the docker file we need to do 2 things </p> <ol> <li><p>copy the <code>env.sh</code> script into the docker image root</p></li> <li><p>change the command to run the <code>env.sh</code> before starting the container<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">node:14</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">ARG</span><span class="s"> APP_MOUNT_URI</span> <span class="k">ARG</span><span class="s"> API_URI</span> <span class="k">ARG</span><span class="s"> STATIC_URL</span> <span class="k">ENV</span><span class="s"> API_URI ${API_URI:-http://localhost:8000/graphql/}</span> <span class="k">ENV</span><span class="s"> APP_MOUNT_URI ${APP_MOUNT_URI:-/dashboard/}</span> <span class="k">ENV</span><span class="s"> STATIC_URL ${STATIC_URL:-/dashboard/}</span> <span class="k">RUN </span><span class="nv">STATIC_URL</span><span class="o">=</span><span class="k">${</span><span class="nv">STATIC_URL</span><span class="k">}</span> <span class="nv">API_URI</span><span class="o">=</span><span class="k">${</span><span class="nv">API_URI</span><span class="k">}</span> <span class="nv">APP_MOUNT_URI</span><span class="o">=</span><span class="k">${</span><span class="nv">APP_MOUNT_URI</span><span class="k">}</span> npm run build <span class="k">FROM</span><span class="s"> nginx:stable</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> ./nginx/default.conf /etc/nginx/conf.d/default.conf</span> <span class="k">COPY</span><span class="s"> --from=builder /app/build/ /app/</span> <span class="c"># Add the following lines</span> <span class="k">COPY</span><span class="s"> ./env.sh .</span> <span class="k">RUN </span><span class="nb">chmod</span> +x env.sh <span class="k">CMD</span><span class="s"> ["/bin/bash", "-c", "/app/env.sh &amp;&amp; nginx -g \"daemon off;\""]</span> </code></pre> </div> <p>No you can build <code>saleor-dashboard</code> image that take the <code>API_URI</code> from your deployment environment </p> <h4> Note </h4> <p>For me to not repeat the above steps with every new version of the dashboard, i created a gitlab CI/CD pipeline to do this automatically for whatever version/tag/ref i specify but unfortunately this is something i can't share </p> saleor saleordashboard react docker Getting started with ReScript and parcel Ahmed Atalla Fri, 30 Apr 2021 22:14:40 +0000 https://dev.to/a_atalla/getting-started-with-rescript-and-parcel-2e8p https://dev.to/a_atalla/getting-started-with-rescript-and-parcel-2e8p <h2> What is <a href="https://rescript-lang.org/">ReScript</a> ? </h2> <p>as mentioned on the website, </p> <blockquote> <p>The JavaScript-like language you have been waiting for,<br> Previously known as BuckleScript and Reason</p> <h3> History &amp; Summary </h3> <ul> <li> <code>OCaml</code> is a typed FP language compiling to bytecode and native code.</li> <li> <code>Js_of_ocaml</code> is based on OCaml and compiles to JavaScript for OCaml users.</li> <li> <code>BuckleScript</code> is a fork of OCaml that also outputs JavaScript, optimized (features, JS interoperability, output, build tools) for JS developers rather than OCaml developers.</li> <li> <code>Reason</code> is an alternative, JS-looking syntax layer over OCaml, plus extra tools. Reason used 1. BuckleScript to produce JavaScript output and 2. OCaml to produce native output. Most of the community focused on the former usage. Reason and BuckleScript shared most teammates, who wanted to double down on the JS use-case.</li> <li> <code>ReScript</code>, thus born, is the new branding for BuckleScript that reimplements or cleans up Reason's syntax, tools, ecosystem &amp; docs into a vertically integrated experience. Reason project will continue serving its purpose of a syntax layer for native OCaml. Some folks might use Reason with Js_of_ocaml to output JS code.</li> </ul> </blockquote> <p>There is only one official template to create a new ReScript app <a href="https://rescript-lang.org/docs/react/latest/installation">ReScript docs</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/rescript-lang/rescript-project-template my-app <span class="nb">cd </span>my-app npm <span class="nb">install </span>npm start node src/Demo.bs.js </code></pre> </div> <p><code>npm start</code> script will run <code>bsb -make-world -w</code> to compile the <code>.res</code> code into <code>.bs.js</code> code</p> <p>as you can see the source code has only a console log statement so we need to add <code>@rescript/react</code> and convert that to a single-page web app, cd into <code>my-app</code> directory and install the other dependencies<br> also will use <code>parcel</code> bundler to transpile and bundle our front-end code and run the development server<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>react react-dom @rescript/react <span class="nt">--save</span> npm <span class="nb">install </span>parcel concurrently <span class="nt">--save-dev</span> </code></pre> </div> <ul> <li> <code>concurrently</code> will be used to run 2 commands in parallel from npm scripts</li> </ul> <p>The next step is to edit the bucklescript config file <code>bsconfig.json</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"reason"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"react-jsx"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"bs-dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"@rescript/react"</span><span class="p">],</span><span class="w"> </span><span class="nl">"package-specs"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"in-source"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li> <code>in-source</code> config is optional, I like to keep the compiled <code>.bs.js</code> files outside the <code>src</code> especially in a new project that is started as ReScript projects, if you set this to <code>false</code> the compiled files will be at <code>./lib/js/src</code>, if it is <code>true</code> the compiled file will be in the same place as its <code>.res</code> source</li> </ul> <p>next, create a <code>public/index.html</code> and <code>public/global.css</code> directory with the content<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"viewport"</span> <span class="na">content=</span><span class="s">"width=device-width, initial-scale=1.0"</span><span class="nt">&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"./global.css"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>Hello ReScript<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"app-root"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"../lib/js/src/App.bs.js"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>then will add an npm script to start the bucklescript compiler command and the parcel dev server<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"dev"</span><span class="p">:</span><span class="w"> </span><span class="s2">"concurrently </span><span class="se">\"</span><span class="s2">parcel ./public/index.html</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">bsb -make-world -w</span><span class="se">\"</span><span class="s2"> "</span><span class="err">,</span><span class="w"> </span></code></pre> </div> <p>finally rename <code>src/Demo.res</code> to <code>src/App.res</code> with this basic ReScript code<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">module</span> <span class="nx">App</span> <span class="o">=</span> <span class="p">{</span> <span class="p">@</span><span class="nd">react</span><span class="p">.</span><span class="nx">component</span> <span class="kd">let</span> <span class="nx">make</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">React</span><span class="p">.</span><span class="nx">string</span><span class="p">(</span><span class="dl">"</span><span class="s2">Hello World 123</span><span class="dl">"</span><span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="err">/</span><span class="na">div</span><span class="p">&gt;</span> } } switch ReactDOM.querySelector("#app-root") <span class="si">{</span> <span class="o">|</span> <span class="nx">Some</span><span class="p">(</span><span class="nx">root</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">ReactDOM</span><span class="p">.</span><span class="nx">render</span><span class="p">(&lt;</span><span class="nc">App</span> <span class="p">/&gt;,</span> <span class="nx">root</span><span class="p">)</span> <span class="o">|</span> <span class="nx">None</span> <span class="o">=&gt;</span> <span class="p">()</span> <span class="si">}</span> </code></pre> </div> <p>this will create a React component <code>App</code> and render it at the div with id <code>app-root</code></p> <p>now let us start the dev server and check the result at <a href="http://127.0.0.1:1234">http://127.0.0.1:1234</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run dev </code></pre> </div> reason rescript react Django Rest Framework custom JWT authentication Ahmed Atalla Tue, 12 May 2020 15:27:00 +0000 https://dev.to/a_atalla/django-rest-framework-custom-jwt-authentication-5n5 https://dev.to/a_atalla/django-rest-framework-custom-jwt-authentication-5n5 <blockquote> <p>This article is not a tutorial or a guide, it is more like a request for code review and validate the implementation from more experienced Django developers, so please don't use this code unless you are able to review and validate yourself </p> </blockquote> <h2> Introduction </h2> <p>Web application security is critical and doing it on your own in production is a huge responsibility, that is why I love Django because it takes care of most of the security vulnerabilities out there, but my problem shows up when I wanted to build my back-end as a restful API so I can connect all type of clients (SPA, mobile, desktop, ... etc) <br> Django Rest Framework (DRF) comes with different builtin <a href="https://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/">authentication classes</a>, token authentication or <a href="https://github.com/SimpleJWT/django-rest-framework-simplejwt">JWT</a> are the way to go for my use case but I still have that worry of how to save the tokens in client-side<br> everybody says don't save the token in localstorage because of <a href="https://en.wikipedia.org/wiki/Cross-site_scripting">XSS attacks</a> and better to save your token in httponly cookie, but cookies are open to <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF attack</a> too and DRF disable CSRF protection for all the APIView so what is the best practice to do this.<br> for a while I kept using it as everybody especially in mobile (i do react-native) we have secure storages and also if the device is not (rooted android or jailbroken ios) then each app is sandboxed and the tokens are safe in most cases<br> The problem still exists in web clients (SPAs), so I came into an implementation that might be useful and I wanted to document it here so I get feedback from more experienced developers, I can summarize my implementation into the following steps:</p> <ul> <li> <p>the user sends a POST request with username and password to log in, then the server will do 3 things</p> <ul> <li>generate an <code>access_token</code> which is a short life jwt (maybe 5 mins) and send it in the response body</li> <li>generate a <code>refresh_token</code> which is a long life jwt (days) and send it in an httponly cookie, so it won't be accessible from the client javascript</li> <li>send a normal cookie that contains a CSRF token</li> </ul> </li> <li><p>The developer needs to be sure that all unsafe views (POST, UPDATE, PUT, Delete) are protected by the builtin Django CSRF protection because as I mentioned above DRF disables them by default.</p></li> <li> <p>in the client-side the developer should take care of:</p> <ul> <li>In the client-side, every request will contain refresh token in the cookies automatically (be sure that your client domain is whitelisted in the server cors headers settings)</li> <li>Send the <code>access_token</code> in the <code>Authorization</code> header.</li> <li>Send the CSRF token in the <code>X-CSRFTOKEN</code> header if he is doing POST request</li> <li>when he needs a new <code>access_token</code>, he need to send a POST request to refresh token endpoint</li> </ul> </li> </ul> <p>enough talking, let us see some code</p> <h2> Project Setup </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 <span class="nt">-m</span> venv .venv <span class="nb">source</span> .venv/bin/activate pip <span class="nb">install </span>django django-cors-headers djangorestframework PyJWT <span class="c"># create Django project with the venv activates</span> django-admin startproject project <span class="c"># create an app </span> ./manage.py start app accounts </code></pre> </div> <p>in the project settings enable the apps and add some settings<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">INSTALLED_APPS</span> <span class="o">=</span> <span class="p">[</span> <span class="p">...</span> <span class="c1"># 3rd party apps </span> <span class="s">'corsheaders'</span><span class="p">,</span> <span class="s">'rest_framework'</span><span class="p">,</span> <span class="c1"># project apps </span> <span class="s">'accounts'</span><span class="p">,</span> <span class="p">]</span> <span class="n">CORS_ALLOW_CREDENTIALS</span> <span class="o">=</span> <span class="bp">True</span> <span class="c1"># to accept cookies via ajax request </span><span class="n">CORS_ORIGIN_WHITELIST</span> <span class="o">=</span> <span class="p">[</span> <span class="s">'http://localhost:3000'</span> <span class="c1"># the domain for front-end app(you can add more than 1) </span><span class="p">]</span> <span class="n">REST_FRAMEWORK</span> <span class="o">=</span> <span class="p">{</span> <span class="s">'DEFAULT_PERMISSION_CLASSES'</span><span class="p">:</span> <span class="p">(</span> <span class="s">'rest_framework.permissions.IsAuthenticated'</span><span class="p">,</span> <span class="c1"># make all endpoints private </span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>before applying the first migration and as recommended in the <a href="https://docs.djangoproject.com/en/3.0/topics/auth/customizing/#using-a-custom-user-model-when-starting-a-project">official Django docs</a> I like to start my project with a custom user model even if I won't use it now<br> in <code>accounts.models</code> define the user model<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">AbstractUser</span> <span class="k">class</span> <span class="nc">User</span><span class="p">(</span><span class="n">AbstractUser</span><span class="p">):</span> <span class="k">pass</span> </code></pre> </div> <p>in the <code>project.settings.py</code> define the user model<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="p">...</span> <span class="n">AUTH_USER_MODEL</span> <span class="o">=</span> <span class="s">'accounts.User'</span> <span class="p">...</span> </code></pre> </div> <p>later you can refer to the user model by one of the following<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">django.conf</span> <span class="kn">import</span> <span class="n">settings</span> <span class="n">User</span> <span class="o">=</span> <span class="n">settings</span><span class="p">.</span><span class="n">AUTH_USER_MODEL</span> <span class="c1"># OR </span> <span class="kn">from</span> <span class="nn">django.contrib.auth</span> <span class="kn">import</span> <span class="n">get_user_model</span> <span class="n">User</span> <span class="o">=</span> <span class="n">get_user_model</span><span class="p">()</span> </code></pre> </div> <p>and in <code>accounts.admin</code> register the new user model to the admin site<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">django.contrib</span> <span class="kn">import</span> <span class="n">admin</span> <span class="kn">from</span> <span class="nn">django.contrib.auth.admin</span> <span class="kn">import</span> <span class="n">UserAdmin</span> <span class="kn">from</span> <span class="nn">accounts.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="n">admin</span><span class="p">.</span><span class="n">site</span><span class="p">.</span><span class="n">register</span><span class="p">(</span><span class="n">User</span><span class="p">,</span> <span class="n">UserAdmin</span><span class="p">)</span> </code></pre> </div> <p>create a super user<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>./manage.py createsuperuser </code></pre> </div> <p>and finally, an endpoint to test, as we declare in the above settings all the endpoint will require authentication by default, we can override this in certain views as we will going to do in the login later</p> <p>we will create the user profile endpoint that will return current authenticated user object as JSON, for that we will need to create a user serializer<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># accounts.serializers </span><span class="kn">from</span> <span class="nn">rest_framework</span> <span class="kn">import</span> <span class="n">serializers</span> <span class="kn">from</span> <span class="nn">accounts.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="k">class</span> <span class="nc">UserSerializer</span><span class="p">(</span><span class="n">serializers</span><span class="p">.</span><span class="n">ModelSerializer</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">model</span> <span class="o">=</span> <span class="n">User</span> <span class="n">fields</span> <span class="o">=</span> <span class="p">[</span><span class="s">'id'</span><span class="p">,</span> <span class="s">'username'</span><span class="p">,</span> <span class="s">'email'</span><span class="p">,</span> <span class="s">'first_name'</span><span class="p">,</span> <span class="s">'last_name'</span><span class="p">,</span> <span class="s">'is_active'</span><span class="p">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># project.urls </span><span class="kn">from</span> <span class="nn">accounts</span> <span class="kn">import</span> <span class="n">urls</span> <span class="k">as</span> <span class="n">accounts_urls</span> <span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="n">path</span><span class="p">(</span><span class="s">'accounts/'</span><span class="p">,</span> <span class="n">include</span><span class="p">(</span><span class="n">accounts_urls</span><span class="p">)),</span> <span class="p">]</span> <span class="c1"># accounts.urls </span><span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="n">path</span><span class="p">(</span><span class="s">'profile'</span><span class="p">,</span> <span class="n">profile</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="s">'profile'</span><span class="p">),</span> <span class="p">]</span> <span class="c1"># accounts.views </span><span class="kn">from</span> <span class="nn">rest_framework.decorators</span> <span class="kn">import</span> <span class="n">api_view</span> <span class="kn">from</span> <span class="nn">rest_framework.response</span> <span class="kn">import</span> <span class="n">Response</span> <span class="kn">from</span> <span class="nn">.serializers</span> <span class="kn">import</span> <span class="n">UserSerializer</span> <span class="o">@</span><span class="n">api_view</span><span class="p">([</span><span class="s">'GET'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">profile</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">user</span> <span class="n">serialized_user</span> <span class="o">=</span> <span class="n">UserSerializer</span><span class="p">(</span><span class="n">user</span><span class="p">).</span><span class="n">data</span> <span class="k">return</span> <span class="n">Response</span><span class="p">({</span><span class="s">'user'</span><span class="p">:</span> <span class="n">serialized_user</span> <span class="p">})</span> </code></pre> </div> <p>now if you tried to acceess this endpoint you will get 403 error, as described in the introduction we need to login then send the access_token in the request header</p> <h2> Login View </h2> <p>The login endpoint will be a post request with <code>username</code> and <code>password</code> in the request body.<br> we will make the login view public using the permission class decorator <code>AllowAny</code>, also we will decorate the view with <code>@ensure_csrf_cookie</code> forcing Django to send the CSRF cookie in the response if the login success</p> <p>if the login success, we will have:</p> <ul> <li>an <code>access_token</code> in the response body.</li> <li>a <code>refreshtoken</code> in an httponly cookie.</li> <li>a <code>csrftoken</code> in a normal cookie so we can read it from javascript and resend it when needed </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># accounts.views </span><span class="kn">from</span> <span class="nn">django.contrib.auth</span> <span class="kn">import</span> <span class="n">get_user_model</span> <span class="kn">from</span> <span class="nn">rest_framework.response</span> <span class="kn">import</span> <span class="n">Response</span> <span class="kn">from</span> <span class="nn">rest_framework</span> <span class="kn">import</span> <span class="n">exceptions</span> <span class="kn">from</span> <span class="nn">rest_framework.permissions</span> <span class="kn">import</span> <span class="n">AllowAny</span> <span class="kn">from</span> <span class="nn">rest_framework.decorators</span> <span class="kn">import</span> <span class="n">api_view</span><span class="p">,</span> <span class="n">permission_classes</span> <span class="kn">from</span> <span class="nn">django.views.decorators.csrf</span> <span class="kn">import</span> <span class="n">ensure_csrf_cookie</span> <span class="kn">from</span> <span class="nn">accounts.serializers</span> <span class="kn">import</span> <span class="n">UserSerializer</span> <span class="kn">from</span> <span class="nn">accounts.utils</span> <span class="kn">import</span> <span class="n">generate_access_token</span><span class="p">,</span> <span class="n">generate_refresh_token</span> <span class="o">@</span><span class="n">api_view</span><span class="p">([</span><span class="s">'POST'</span><span class="p">])</span> <span class="o">@</span><span class="n">permission_classes</span><span class="p">([</span><span class="n">AllowAny</span><span class="p">])</span> <span class="o">@</span><span class="n">ensure_csrf_cookie</span> <span class="k">def</span> <span class="nf">login_view</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">User</span> <span class="o">=</span> <span class="n">get_user_model</span><span class="p">()</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">data</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'username'</span><span class="p">)</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">data</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'password'</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">Response</span><span class="p">()</span> <span class="k">if</span> <span class="p">(</span><span class="n">username</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">)</span> <span class="ow">or</span> <span class="p">(</span><span class="n">password</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">):</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">AuthenticationFailed</span><span class="p">(</span> <span class="s">'username and password required'</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nb">filter</span><span class="p">(</span><span class="n">username</span><span class="o">=</span><span class="n">username</span><span class="p">).</span><span class="n">first</span><span class="p">()</span> <span class="k">if</span><span class="p">(</span><span class="n">user</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">):</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">AuthenticationFailed</span><span class="p">(</span><span class="s">'user not found'</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="ow">not</span> <span class="n">user</span><span class="p">.</span><span class="n">check_password</span><span class="p">(</span><span class="n">password</span><span class="p">)):</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">AuthenticationFailed</span><span class="p">(</span><span class="s">'wrong password'</span><span class="p">)</span> <span class="n">serialized_user</span> <span class="o">=</span> <span class="n">UserSerializer</span><span class="p">(</span><span class="n">user</span><span class="p">).</span><span class="n">data</span> <span class="n">access_token</span> <span class="o">=</span> <span class="n">generate_access_token</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="n">generate_refresh_token</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="n">set_cookie</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="s">'refreshtoken'</span><span class="p">,</span> <span class="n">value</span><span class="o">=</span><span class="n">refresh_token</span><span class="p">,</span> <span class="n">httponly</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="n">data</span> <span class="o">=</span> <span class="p">{</span> <span class="s">'access_token'</span><span class="p">:</span> <span class="n">access_token</span><span class="p">,</span> <span class="s">'user'</span><span class="p">:</span> <span class="n">serialized_user</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <p>and here are the functions that generate the tokens, notice that I use a different secret to sign refresh token for more security<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># accounts.utils </span><span class="kn">import</span> <span class="nn">datetime</span> <span class="kn">import</span> <span class="nn">jwt</span> <span class="kn">from</span> <span class="nn">django.conf</span> <span class="kn">import</span> <span class="n">settings</span> <span class="k">def</span> <span class="nf">generate_access_token</span><span class="p">(</span><span class="n">user</span><span class="p">):</span> <span class="n">access_token_payload</span> <span class="o">=</span> <span class="p">{</span> <span class="s">'user_id'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="s">'exp'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="n">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="n">datetime</span><span class="p">.</span><span class="n">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">minutes</span><span class="o">=</span><span class="mi">5</span><span class="p">),</span> <span class="s">'iat'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="n">utcnow</span><span class="p">(),</span> <span class="p">}</span> <span class="n">access_token</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="n">encode</span><span class="p">(</span><span class="n">access_token_payload</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="s">'HS256'</span><span class="p">).</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf-8'</span><span class="p">)</span> <span class="k">return</span> <span class="n">access_token</span> <span class="k">def</span> <span class="nf">generate_refresh_token</span><span class="p">(</span><span class="n">user</span><span class="p">):</span> <span class="n">refresh_token_payload</span> <span class="o">=</span> <span class="p">{</span> <span class="s">'user_id'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="s">'exp'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="n">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="n">datetime</span><span class="p">.</span><span class="n">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">7</span><span class="p">),</span> <span class="s">'iat'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="n">utcnow</span><span class="p">()</span> <span class="p">}</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="n">encode</span><span class="p">(</span> <span class="n">refresh_token_payload</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">REFRESH_TOKEN_SECRET</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="s">'HS256'</span><span class="p">).</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf-8'</span><span class="p">)</span> <span class="k">return</span> <span class="n">refresh_token</span> </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--aweBUASu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://i.imgur.com/nC2HM5t.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--aweBUASu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://i.imgur.com/nC2HM5t.png" alt="Login Response Body" width="880" height="732"></a></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--e0GpZfyd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://i.imgur.com/kNnrFdE.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--e0GpZfyd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://i.imgur.com/kNnrFdE.png" alt="Login Response Cookies" width="880" height="947"></a></p> <h2> Custom Authentication Class for DRF </h2> <p>Django Rest Framework makes it easy to create a custom authentication scheme, it described in details in the <a href="https://www.django-rest-framework.org/api-guide/authentication/#custom-authentication">official docs</a><br> The following code is originally taken from DRF source code then I add my changes as required.<br> notice that DRF enforce CSRF only in the session authentication <a href="https://github.com/encode/django-rest-framework/blob/master/rest_framework/authentication.py">rest_framework/authentication.py</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># accounts.authentication </span> <span class="kn">import</span> <span class="nn">jwt</span> <span class="kn">from</span> <span class="nn">rest_framework.authentication</span> <span class="kn">import</span> <span class="n">BaseAuthentication</span> <span class="kn">from</span> <span class="nn">django.middleware.csrf</span> <span class="kn">import</span> <span class="n">CsrfViewMiddleware</span> <span class="kn">from</span> <span class="nn">rest_framework</span> <span class="kn">import</span> <span class="n">exceptions</span> <span class="kn">from</span> <span class="nn">django.conf</span> <span class="kn">import</span> <span class="n">settings</span> <span class="kn">from</span> <span class="nn">django.contrib.auth</span> <span class="kn">import</span> <span class="n">get_user_model</span> <span class="k">class</span> <span class="nc">CSRFCheck</span><span class="p">(</span><span class="n">CsrfViewMiddleware</span><span class="p">):</span> <span class="k">def</span> <span class="nf">_reject</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">reason</span><span class="p">):</span> <span class="c1"># Return the failure reason instead of an HttpResponse </span> <span class="k">return</span> <span class="n">reason</span> <span class="k">class</span> <span class="nc">SafeJWTAuthentication</span><span class="p">(</span><span class="n">BaseAuthentication</span><span class="p">):</span> <span class="s">''' custom authentication class for DRF and JWT https://github.com/encode/django-rest-framework/blob/master/rest_framework/authentication.py '''</span> <span class="k">def</span> <span class="nf">authenticate</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">):</span> <span class="n">User</span> <span class="o">=</span> <span class="n">get_user_model</span><span class="p">()</span> <span class="n">authorization_heaader</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'Authorization'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">authorization_heaader</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># header = 'Token xxxxxxxxxxxxxxxxxxxxxxxx' </span> <span class="n">access_token</span> <span class="o">=</span> <span class="n">authorization_heaader</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">' '</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span> <span class="n">access_token</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="s">'HS256'</span><span class="p">])</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">AuthenticationFailed</span><span class="p">(</span><span class="s">'access_token expired'</span><span class="p">)</span> <span class="k">except</span> <span class="nb">IndexError</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">AuthenticationFailed</span><span class="p">(</span><span class="s">'Token prefix missing'</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nb">filter</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">payload</span><span class="p">[</span><span class="s">'user_id'</span><span class="p">]).</span><span class="n">first</span><span class="p">()</span> <span class="k">if</span> <span class="n">user</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">AuthenticationFailed</span><span class="p">(</span><span class="s">'User not found'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">.</span><span class="n">is_active</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">AuthenticationFailed</span><span class="p">(</span><span class="s">'user is inactive'</span><span class="p">)</span> <span class="bp">self</span><span class="p">.</span><span class="n">enforce_csrf</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">return</span> <span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span> <span class="k">def</span> <span class="nf">enforce_csrf</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">):</span> <span class="s">""" Enforce CSRF validation """</span> <span class="n">check</span> <span class="o">=</span> <span class="n">CSRFCheck</span><span class="p">()</span> <span class="c1"># populates request.META['CSRF_COOKIE'], which is used in process_view() </span> <span class="n">check</span><span class="p">.</span><span class="n">process_request</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="n">reason</span> <span class="o">=</span> <span class="n">check</span><span class="p">.</span><span class="n">process_view</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="p">(),</span> <span class="p">{})</span> <span class="k">print</span><span class="p">(</span><span class="n">reason</span><span class="p">)</span> <span class="k">if</span> <span class="n">reason</span><span class="p">:</span> <span class="c1"># CSRF failed, bail with explicit error message </span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">PermissionDenied</span><span class="p">(</span><span class="s">'CSRF Failed: %s'</span> <span class="o">%</span> <span class="n">reason</span><span class="p">)</span> </code></pre> </div> <p>once you create that class, go to the <code>project.settings</code> and activate it in the <code>REST_FRAMEWORK</code> section like this <code>appname.filename.classname</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">REST_FRAMEWORK</span> <span class="o">=</span> <span class="p">{</span> <span class="s">'DEFAULT_AUTHENTICATION_CLASSES'</span><span class="p">:</span> <span class="p">(</span> <span class="s">'accounts.authentication.SafeJWTAuthentication'</span><span class="p">,</span> <span class="p">),</span> <span class="s">'DEFAULT_PERMISSION_CLASSES'</span><span class="p">:</span> <span class="p">(</span> <span class="s">'rest_framework.permissions.IsAuthenticated'</span><span class="p">,</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Now as we have <code>access_token</code> and set the authentication method we can revisit the <code>profile</code> endpoint but this time we will set the <code>Authorization</code> header</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cEtlU7Gb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://i.imgur.com/rOrsafD.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cEtlU7Gb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://i.imgur.com/rOrsafD.png" alt="Profile endpoint response" width="880" height="861"></a></p> <h2> Refresh Token View </h2> <p>Whenever the token is expired or you need a new token for any reason we need a <code>refresh_token</code> endpoint.<br> this view needs the permission of <code>AlloAny</code> because we don't have an <code>access_token</code> but it will be protected by 2 other things</p> <ul> <li>a valid <code>refresh_token</code> that sent in the httoponly cookie.</li> <li>the CSRF token so we are sure the above cookie not compromised if the 2 conditions are satisfied then the server will generate a new valid <code>access_token</code> and send it back.</li> </ul> <p>if the <code>refresh_token</code> is invalid or expired, the user will need to re-logion<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="nn">jwt</span> <span class="kn">from</span> <span class="nn">django.conf</span> <span class="kn">import</span> <span class="n">settings</span> <span class="kn">from</span> <span class="nn">django.contrib.auth</span> <span class="kn">import</span> <span class="n">get_user_model</span> <span class="kn">from</span> <span class="nn">django.views.decorators.csrf</span> <span class="kn">import</span> <span class="n">csrf_protect</span> <span class="kn">from</span> <span class="nn">rest_framework</span> <span class="kn">import</span> <span class="n">exceptions</span> <span class="kn">from</span> <span class="nn">rest_framework.response</span> <span class="kn">import</span> <span class="n">Response</span> <span class="kn">from</span> <span class="nn">rest_framework.permissions</span> <span class="kn">import</span> <span class="n">AllowAny</span> <span class="kn">from</span> <span class="nn">rest_framework.decorators</span> <span class="kn">import</span> <span class="n">api_view</span><span class="p">,</span> <span class="n">permission_classes</span> <span class="kn">from</span> <span class="nn">accounts.utils</span> <span class="kn">import</span> <span class="n">generate_access_token</span> <span class="o">@</span><span class="n">api_view</span><span class="p">([</span><span class="s">'POST'</span><span class="p">])</span> <span class="o">@</span><span class="n">permission_classes</span><span class="p">([</span><span class="n">AllowAny</span><span class="p">])</span> <span class="o">@</span><span class="n">csrf_protect</span> <span class="k">def</span> <span class="nf">refresh_token_view</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="s">''' To obtain a new access_token this view expects 2 important things: 1. a cookie that contains a valid refresh_token 2. a header 'X-CSRFTOKEN' with a valid csrf token, client app can get it from cookies "csrftoken" '''</span> <span class="n">User</span> <span class="o">=</span> <span class="n">get_user_model</span><span class="p">()</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">COOKIES</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'refreshtoken'</span><span class="p">)</span> <span class="k">if</span> <span class="n">refresh_token</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">AuthenticationFailed</span><span class="p">(</span> <span class="s">'Authentication credentials were not provided.'</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span> <span class="n">refresh_token</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">REFRESH_TOKEN_SECRET</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="s">'HS256'</span><span class="p">])</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">AuthenticationFailed</span><span class="p">(</span> <span class="s">'expired refresh token, please login again.'</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nb">filter</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">payload</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'user_id'</span><span class="p">)).</span><span class="n">first</span><span class="p">()</span> <span class="k">if</span> <span class="n">user</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">AuthenticationFailed</span><span class="p">(</span><span class="s">'User not found'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">.</span><span class="n">is_active</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">AuthenticationFailed</span><span class="p">(</span><span class="s">'user is inactive'</span><span class="p">)</span> <span class="n">access_token</span> <span class="o">=</span> <span class="n">generate_access_token</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="k">return</span> <span class="n">Response</span><span class="p">({</span><span class="s">'access_token'</span><span class="p">:</span> <span class="n">access_token</span><span class="p">})</span> </code></pre> </div> <h2> Token Revoke </h2> <p>The last piece of the puzzle is a way to revoke the refresh token which has a long lifetime, you might blacklist the token or assign a uuid for the token and put it in the payload then link it to the user and save it in the database, when revoking or logout you just change that uuid in the database to not match the value in the payload, you can pick what suits your application need</p> django jwt security djangorestframework