DEV Community: Bhavana The latest articles on DEV Community by Bhavana (@bhavanaeh). https://dev.to/bhavanaeh https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F440981%2F754fb69a-244e-4bd2-a604-3498f561d7f8.jpeg DEV Community: Bhavana https://dev.to/bhavanaeh en JWT Authentication with Django REST Framework - What? Why? How? Bhavana Sat, 19 Jun 2021 15:49:14 +0000 https://dev.to/bhavanaeh/jwt-authentication-with-django-rest-framework-what-why-how-50kj https://dev.to/bhavanaeh/jwt-authentication-with-django-rest-framework-what-why-how-50kj <p>Hi community, I have had a lot of trouble understanding the use of authentication mechanisms and securing API endpoints until recently, when I was expected to implement JWT authentication to secure the APIs being used in my project. I had to do my fair amount of reading and research which made me want to take a stab at helping others understand what JWT Authentication is, why it is needed and how you can implement it in your project to ensure user authentication.<br> </p> <h1> Problem </h1> <p>My approach to perform authentication has been on the following lines - </p> <p>My REST API should ask for a username and password. Once provided, it will be used to filter out the database to check if a user with those credentials exist. </p> <p><em>Sounded logical to me.</em></p> <p>But, the real problem is the <strong>stateless nature of the HTTP protocol</strong>. This meant that anytime, a new request was issued, the user issuing the request would have to be authenticated AGAIN. Luckily, Django has its own session based authentication system. In Django, 'sessions' are stored as cookies. This session-based authentication is stateful. Each time a client requests the server, the server locates the session in memory in order to map the session ID back to the requested user.These sessions, ensure that there is a user returned every time a request is made. The user can be accessed as <code>request.user</code>.</p> <p><em>So, if Django has a default session authentication system, then what REALLY is the problem?</em></p> <blockquote> <p><strong>Django's authentication only works with the traditional HTML request-response cycle</strong></p> </blockquote> <p>What that means is anytime a request is made to the server, the server will have the control to process that request and would respond with HTML. The issue is the client side application does not follow the traditional HTML request-response cycle.Instead, the client expects the server to return JSON instead of HTML. By returning JSON, we can let the client decide what it should do next instead of letting the server decide. Thus, the JSON response does not control the behaviour of the browser, it just returns the result of the request made.</p> <p>Another issue with Django's session based authentication is handling different domains for client and server, making it difficult to use sessions. What this means is, since Django sessions are stored in cookies, allowing external domains to access the cookies will make it vulnerable to CSRF attacks. <em>CSRF attacks are events where authenticated users are tricked into performing malicious actions when the attacker gains access to these stored cookies</em>. Moreover, <strong>DRF disables CSRF handling for APIViews</strong> making it difficult to rely on session based authentication (especially when using customs models, templates and views)</p> <p>The most common alternative to session based authentication is the token based authentication system. Token based authentication as the name suggests, generates a token (by the server) each time the user is logged in successfully, mapping the token generated with the user and storing it in localStorage in the client side. The client will now be expected to send this generated token as a header for every subsequent request to authenticate the user. If a token for the said user exists in the localStorage, then the user is authenticated.Since these token are the only requirement for the server to verify a user's identity, it is stateless.The most popular token based authentication with REST APIs is the JWT (JSON Web Token) Authentication. It is an encoded (secure) representation of claims to between two parties.</p> <p><em>Sounds fairly simple but-</em></p> <p>Storing a generated token in a localStorage makes the system vulnerable to XSS attacks. <em>XSS attacks are a type of malicious injections through the client side that can easily manipulate the localStorage</em> </p> <p><em>SO WHAT NOW?</em></p> <blockquote> <ol> <li>Need to figure out a way to store the tokens in the client-side ( Can't use localStorage since its prone to XSS attacks )</li> <li>Can't use session based auth since cookies are prone to CSRF attacks.</li> </ol> </blockquote> <h1> Proposed Solution </h1> <p>Lets understand the process flow alongside the code.</p> <p><em>step 1</em>: Setup your project (I'll call mine jwtauth) and install the following dependencies:</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">pip</span> <span class="n">install</span> <span class="n">django</span> <span class="n">django</span><span class="o">-</span><span class="n">cors</span><span class="o">-</span><span class="n">headers</span> <span class="n">djangorestframework</span> <span class="n">PyJWT</span> <span class="n">django</span><span class="o">-</span><span class="n">admin</span> <span class="n">startproject</span> <span class="n">jwtauth</span> <span class="n">cd</span> <span class="n">jwtauth</span> <span class="n">django</span><span class="o">-</span><span class="n">admin</span> <span class="n">startapp</span> <span class="n">demo</span> </code></pre> </div> <p><em>step 1</em>: Modify your jwtauth/settings.py file</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">INSTALLED_APPS</span> <span class="o">=</span> <span class="p">[</span> <span class="bp">...</span> <span class="sh">'</span><span class="s">corsheaders</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">rest_framework</span><span class="sh">'</span><span class="p">,</span> <span class="bp">...</span> <span class="sh">'</span><span class="s">app_name</span><span class="sh">'</span> <span class="c1">#demo in my example </span> <span class="p">]</span> <span class="n">MIDDLEWARE</span> <span class="o">=</span> <span class="p">[</span> <span class="bp">...</span> <span class="sh">'</span><span class="s">corsheaders.middleware.CorsMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.middleware.common.CommonMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="bp">...</span> <span class="p">]</span> <span class="n">CORS_ALLOW_CREDENTIALS</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">CORS_ORIGIN_WHITELIST</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">http://localhost:3000</span><span class="sh">'</span><span class="p">]</span> <span class="n">REST_FRAMEWORK</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">DEFAULT_AUTHENTICATION_CLASSES</span><span class="sh">'</span><span class="p">:</span> <span class="p">(</span> <span class="sh">'</span><span class="s">demo.verify.JWTAuthentication</span><span class="sh">'</span><span class="p">,</span> <span class="p">),</span> <span class="sh">'</span><span class="s">DEFAULT_PERMISSION_CLASSES</span><span class="sh">'</span><span class="p">:</span> <span class="p">(</span> <span class="sh">'</span><span class="s">rest_framework.permissions.IsAuthenticated</span><span class="sh">'</span><span class="p">,</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>CORS_ALLOW_CREDENTIALS = True allows cookies to be sent in cross-domain responses<br> CORS_ORIGIN_WHITELIST = ['<a href="http://localhost:3000'" rel="noopener noreferrer">http://localhost:3000'</a>] is the domain for your front-end application or where your client is.</p> <p><em>step 2</em>: Create a superuser </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">python</span> <span class="n">manage</span><span class="p">.</span><span class="n">py</span> <span class="n">createsuper</span> </code></pre> </div> <p><em>step 3</em>: Create a user serializer so that the user api can return the details as a JSON object</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">rest_framework</span> <span class="kn">import</span> <span class="n">serializers</span> <span class="kn">from</span> <span class="n">django.contrib.auth</span> <span class="kn">import</span> <span class="n">get_user_model</span> <span class="k">class</span> <span class="nc">UserSerializer</span><span class="p">(</span><span class="n">serializers</span><span class="p">.</span><span class="n">ModelSerializer</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">model</span> <span class="o">=</span> <span class="nf">get_user_model</span><span class="p">()</span> <span class="n">fields</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">,</span><span class="sh">'</span><span class="s">first_name</span><span class="sh">'</span><span class="p">,</span><span class="sh">'</span><span class="s">is_active</span><span class="sh">'</span><span class="p">]</span> </code></pre> </div> <p><em>step 4</em>: Create a new python file under demo as auth.py (demo/auth.py) to generate and refresh access tokens</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="kn">from</span> <span class="n">django.conf</span> <span class="kn">import</span> <span class="n">settings</span> <span class="k">def</span> <span class="nf">generate_access_token</span><span class="p">(</span><span class="n">user</span><span class="p">):</span> <span class="n">access_token_payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="sh">'</span><span class="s">exp</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">minutes</span><span class="o">=</span><span class="mi">5</span><span class="p">),</span> <span class="sh">'</span><span class="s">iat</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">(),</span> <span class="p">}</span> <span class="n">access_token</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">access_token_payload</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="n">access_token</span> <span class="k">def</span> <span class="nf">generate_refresh_token</span><span class="p">(</span><span class="n">user</span><span class="p">):</span> <span class="n">refresh_token_payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="sh">'</span><span class="s">exp</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">7</span><span class="p">),</span> <span class="sh">'</span><span class="s">iat</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="p">}</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span> <span class="n">refresh_token_payload</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="n">refresh_token</span> </code></pre> </div> <p><em>step 5</em>: Create a user view and url in demo/views.py and demo/urls.py respectively</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="kn">from</span> <span class="n">.serializers</span> <span class="kn">import</span> <span class="n">UserSerializer</span> <span class="kn">from</span> <span class="n">rest_framework</span> <span class="kn">import</span> <span class="n">viewsets</span> <span class="kn">from</span> <span class="n">rest_framework.decorators</span> <span class="kn">import</span> <span class="n">api_view</span> <span class="kn">from</span> <span class="n">rest_framework.response</span> <span class="kn">import</span> <span class="n">Response</span> <span class="kn">from</span> <span class="n">django.contrib.auth</span> <span class="kn">import</span> <span class="n">get_user_model</span> <span class="kn">from</span> <span class="n">rest_framework</span> <span class="kn">import</span> <span class="n">exceptions</span> <span class="kn">from</span> <span class="n">rest_framework.permissions</span> <span class="kn">import</span> <span class="n">AllowAny</span> <span class="kn">from</span> <span class="n">rest_framework.decorators</span> <span class="kn">import</span> <span class="n">api_view</span><span class="p">,</span> <span class="n">permission_classes</span> <span class="kn">from</span> <span class="n">django.views.decorators.csrf</span> <span class="kn">import</span> <span class="n">ensure_csrf_cookie</span> <span class="kn">from</span> <span class="n">.auth</span> <span class="kn">import</span> <span class="n">generate_access_token</span><span class="p">,</span> <span class="n">generate_refresh_token</span> <span class="kn">from</span> <span class="n">django.views.decorators.csrf</span> <span class="kn">import</span> <span class="n">csrf_protect</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="kn">from</span> <span class="n">django.conf</span> <span class="kn">import</span> <span class="n">settings</span> <span class="nd">@api_view</span><span class="p">([</span><span class="sh">'</span><span class="s">GET</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">user</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">user</span> <span class="n">serialized_user</span> <span class="o">=</span> <span class="nc">UserSerializer</span><span class="p">(</span><span class="n">user</span><span class="p">).</span><span class="n">data</span> <span class="k">return</span> <span class="nc">Response</span><span class="p">({</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">:</span> <span class="n">serialized_user</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">django.urls</span> <span class="kn">import</span> <span class="n">include</span><span class="p">,</span> <span class="n">path</span> <span class="kn">from</span> <span class="n">.views</span> <span class="kn">import</span> <span class="n">user</span><span class="p">,</span><span class="n">login_view</span> <span class="kn">from</span> <span class="n">rest_framework.routers</span> <span class="kn">import</span> <span class="n">DefaultRouter</span> <span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="nf">path</span><span class="p">(</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">,</span> <span class="n">user</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">),</span> </code></pre> </div> <p><em>step 6</em>: Create a login view and url in demo/views.py and demo/urls.py respectively</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="nd">@api_view</span><span class="p">([</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="nd">@permission_classes</span><span class="p">([</span><span class="n">AllowAny</span><span class="p">])</span> <span class="nd">@ensure_csrf_cookie</span> <span class="k">def</span> <span class="nf">login_view</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">User</span> <span class="o">=</span> <span class="nf">get_user_model</span><span class="p">()</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">)</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="nc">Response</span><span class="p">()</span> <span class="nf">if </span><span class="p">(</span><span class="n">username</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">)</span> <span class="ow">or</span> <span class="p">(</span><span class="n">password</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">):</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="nc">AuthenticationFailed</span><span class="p">(</span> <span class="sh">'</span><span class="s">username and password required</span><span class="sh">'</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="n">username</span><span class="o">=</span><span class="n">username</span><span class="p">).</span><span class="nf">first</span><span class="p">()</span> <span class="nf">if</span><span class="p">(</span><span class="n">user</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">):</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="nc">AuthenticationFailed</span><span class="p">(</span><span class="sh">'</span><span class="s">user not found</span><span class="sh">'</span><span class="p">)</span> <span class="nf">if </span><span class="p">(</span><span class="ow">not</span> <span class="n">user</span><span class="p">.</span><span class="nf">check_password</span><span class="p">(</span><span class="n">password</span><span class="p">)):</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="nc">AuthenticationFailed</span><span class="p">(</span><span class="sh">'</span><span class="s">wrong password</span><span class="sh">'</span><span class="p">)</span> <span class="n">serialized_user</span> <span class="o">=</span> <span class="nc">UserSerializer</span><span class="p">(</span><span class="n">user</span><span class="p">).</span><span class="n">data</span> <span class="n">access_token</span> <span class="o">=</span> <span class="nf">generate_access_token</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="nf">generate_refresh_token</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">set_cookie</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="sh">'</span><span class="s">refreshtoken</span><span class="sh">'</span><span class="p">,</span> <span class="n">value</span><span class="o">=</span><span class="n">refresh_token</span><span class="p">,</span> <span class="n">httponly</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="n">data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">:</span> <span class="n">access_token</span><span class="p">,</span> <span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">:</span> <span class="n">serialized_user</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">django.urls</span> <span class="kn">import</span> <span class="n">include</span><span class="p">,</span> <span class="n">path</span> <span class="kn">from</span> <span class="n">.views</span> <span class="kn">import</span> <span class="n">user</span><span class="p">,</span><span class="n">login_view</span> <span class="kn">from</span> <span class="n">rest_framework.routers</span> <span class="kn">import</span> <span class="n">DefaultRouter</span> <span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="nf">path</span><span class="p">(</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">,</span> <span class="n">user</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">),</span> <span class="nf">path</span><span class="p">(</span><span class="sh">'</span><span class="s">login</span><span class="sh">'</span><span class="p">,</span><span class="n">login_view</span><span class="p">,</span><span class="n">name</span><span class="o">=</span><span class="sh">'</span><span class="s">login</span><span class="sh">'</span><span class="p">),</span> <span class="p">]</span> </code></pre> </div> <p>To understand this step is crucial.</p> <p>The login_view API endpoint has three decorators :</p> <p>@api_view(['POST']) - Allows a post request with username and password in the body of the request<br> @permission_classes([AllowAny]) - Makes the login view public<br> @ensure_csrf_cookie - Enforces DRF to send CSRF cookie as a response in case of a successful login</p> <p>Now, </p> <ol> <li>we have an access_token in the response body</li> <li>a refreshtoken as a HttpOnly cookie</li> <li>a CSRF token as a normal cookie which can be consumed by the frontend easily</li> </ol> <p>Now, lets try to test this out -</p> <p>go to <code>http://127.0.0.1:8000/users/login</code> and enter username and password in the request body. Ensure that a user with these credentials is registered in your database, if not go to <code>http://127.0.0.1:8000/admin/</code> and create a set of test users by logging in with the superuser credentials.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F52f0e4za46d7njv228qf.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F52f0e4za46d7njv228qf.png" alt="image"></a></p> <p>A successful entry would generate the following response -</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fho99h204ydhvtk21ylyr.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fho99h204ydhvtk21ylyr.png" alt="image"></a></p> <p>if you hit <code>http://127.0.0.1:8000/users/login</code> on postman you'll be able to see the following-</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9a6d46st14gdic4mi4vu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9a6d46st14gdic4mi4vu.png" alt="image"></a></p> <p>that we have successfully generated two cookies </p> <ol> <li> a refreshtoken as a HttpOnly cookie</li> <li> a CSRF token as a normal cookie</li> </ol> <p><em>step 7</em>: Create a new python file as verify.py under demo (demo/verify.py) </p> <p>Since DRF enforces CSRF only in the session authentication, we need to ensure DRF enforces CSRF for API views as well, that's where the decorator @ensure_csrf_cookie comes into picture. </p> <p>Lets define that in our custom authentication file verify.py </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">jwt</span> <span class="kn">from</span> <span class="n">rest_framework.authentication</span> <span class="kn">import</span> <span class="n">BaseAuthentication</span> <span class="kn">from</span> <span class="n">django.middleware.csrf</span> <span class="kn">import</span> <span class="n">CsrfViewMiddleware</span> <span class="kn">from</span> <span class="n">rest_framework</span> <span class="kn">import</span> <span class="n">exceptions</span> <span class="kn">from</span> <span class="n">django.conf</span> <span class="kn">import</span> <span class="n">settings</span> <span class="kn">from</span> <span class="n">django.contrib.auth</span> <span class="kn">import</span> <span class="n">get_user_model</span> <span class="k">class</span> <span class="nc">CSRFCheck</span><span class="p">(</span><span class="n">CsrfViewMiddleware</span><span class="p">):</span> <span class="k">def</span> <span class="nf">_reject</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">reason</span><span class="p">):</span> <span class="k">return</span> <span class="n">reason</span> <span class="k">class</span> <span class="nc">JWTAuthentication</span><span class="p">(</span><span class="n">BaseAuthentication</span><span class="p">):</span> <span class="k">def</span> <span class="nf">authenticate</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">request</span><span class="p">):</span> <span class="n">User</span> <span class="o">=</span> <span class="nf">get_user_model</span><span class="p">()</span> <span class="n">authorization_heaader</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">authorization_heaader</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">try</span><span class="p">:</span> <span class="n">access_token</span> <span class="o">=</span> <span class="n">authorization_heaader</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s"> </span><span class="sh">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span> <span class="n">access_token</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">])</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="nc">AuthenticationFailed</span><span class="p">(</span><span class="sh">'</span><span class="s">access_token expired</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="nb">IndexError</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="nc">AuthenticationFailed</span><span class="p">(</span><span class="sh">'</span><span class="s">Token prefix missing</span><span class="sh">'</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">]).</span><span class="nf">first</span><span class="p">()</span> <span class="k">if</span> <span class="n">user</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="nc">AuthenticationFailed</span><span class="p">(</span><span class="sh">'</span><span class="s">User not found</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">.</span><span class="n">is_active</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="nc">AuthenticationFailed</span><span class="p">(</span><span class="sh">'</span><span class="s">user is inactive</span><span class="sh">'</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">enforce_csrf</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="nf">return </span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span> <span class="k">def</span> <span class="nf">enforce_csrf</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">request</span><span class="p">):</span> <span class="n">check</span> <span class="o">=</span> <span class="nc">CSRFCheck</span><span class="p">()</span> <span class="n">check</span><span class="p">.</span><span class="nf">process_request</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="n">reason</span> <span class="o">=</span> <span class="n">check</span><span class="p">.</span><span class="nf">process_view</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="p">(),</span> <span class="p">{})</span> <span class="nf">print</span><span class="p">(</span><span class="n">reason</span><span class="p">)</span> <span class="k">if</span> <span class="n">reason</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="nc">PermissionDenied</span><span class="p">(</span><span class="sh">'</span><span class="s">CSRF Failed: %s</span><span class="sh">'</span> <span class="o">%</span> <span class="n">reason</span><span class="p">)</span> </code></pre> </div> <p>Open postman again, and under the headers tab add the following as your key value pair, please provide the value in the following format <code>token&lt;space&gt;access_token_generated</code> </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsbwv0ss8hzkdqx5r138c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsbwv0ss8hzkdqx5r138c.png" alt="Capture3"></a></p> <p>You might then face the following error -</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fysyamspcinlw63fpm2iy.PNG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fysyamspcinlw63fpm2iy.PNG" alt="Capture"></a></p> <p>This is because the frontend is supposed to pass the CSRF Token generated back to the server in the header, but for testing purposes you can proceed by manually adding the X-CSRFToken value pair -</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh8h031x38ns2qlojolsf.PNG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh8h031x38ns2qlojolsf.PNG" alt="Capture2"></a></p> <p><em>step 8</em>: Create the refresh token view under demo/views.py and add its url to demo/urls.py</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="nd">@api_view</span><span class="p">([</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="nd">@permission_classes</span><span class="p">([</span><span class="n">AllowAny</span><span class="p">])</span> <span class="nd">@csrf_protect</span> <span class="k">def</span> <span class="nf">refresh_token_view</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">User</span> <span class="o">=</span> <span class="nf">get_user_model</span><span class="p">()</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">COOKIES</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">refreshtoken</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">refresh_token</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="nc">AuthenticationFailed</span><span class="p">(</span> <span class="sh">'</span><span class="s">Authentication credentials were not provided.</span><span class="sh">'</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span> <span class="n">refresh_token</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">REFRESH_TOKEN_SECRET</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">])</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="nc">AuthenticationFailed</span><span class="p">(</span> <span class="sh">'</span><span class="s">expired refresh token, please login again.</span><span class="sh">'</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">)).</span><span class="nf">first</span><span class="p">()</span> <span class="k">if</span> <span class="n">user</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="nc">AuthenticationFailed</span><span class="p">(</span><span class="sh">'</span><span class="s">User not found</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">.</span><span class="n">is_active</span><span class="p">:</span> <span class="k">raise</span> <span class="n">exceptions</span><span class="p">.</span><span class="nc">AuthenticationFailed</span><span class="p">(</span><span class="sh">'</span><span class="s">user is inactive</span><span class="sh">'</span><span class="p">)</span> <span class="n">access_token</span> <span class="o">=</span> <span class="nf">generate_access_token</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="k">return</span> <span class="nc">Response</span><span class="p">({</span><span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">:</span> <span class="n">access_token</span><span class="p">})</span> </code></pre> </div> <p>Important points to note here are,<br> to generate a new access token the request expects - </p> <ol> <li>A cookie that contains a valid refresh_token</li> <li>A header 'X-CSRFTOKEN' with a valid csrf token</li> <li>Only if the refresh_token is invalid or has expired, the user will need to re-login.</li> </ol> <p>Thus, if everything worked fine, you should be able to see something on the same lines-</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6kdrknvlx6wp4b9hd9bk.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6kdrknvlx6wp4b9hd9bk.png" alt="tempsnip"></a></p> <h1> Conclusion </h1> <p>I had a really hard time understanding the whole mechanism of securing endpoints and why it is really needed. Through this post I hope I can be of help to people like me, struggling to understand and implement JWT authentication in the most optimal way. As always, I am open to thoughts, queries and discussions. I'd love to understand if there is a more optimal approach to the problem. </p> <h1> References ( some really good reads ) </h1> <ol> <li><p>The source code - <a href="https://dev.to/a_atalla/django-rest-framework-custom-jwt-authentication-5n5">https://dev.to/a_atalla/django-rest-framework-custom-jwt-authentication-5n5</a> (have modified it a little in this post)</p></li> <li><p>Difference between Session Based and Token Based Mechanisms - <a href="https://dev.to/thecodearcher/what-really-is-the-difference-between-session-and-token-based-authentication-2o39">https://dev.to/thecodearcher/what-really-is-the-difference-between-session-and-token-based-authentication-2o39</a></p></li> <li><p>The request-response cycle in Django - <a href="https://medium.com/@ksarthak4ever/django-request-response-cycle-2626e9e8606e" rel="noopener noreferrer">https://medium.com/@ksarthak4ever/django-request-response-cycle-2626e9e8606e</a></p></li> <li><p>CSRF Attacks - <a href="https://dev.to/_smellycode/csrf-in-action-21n3">https://dev.to/_smellycode/csrf-in-action-21n3</a></p></li> <li><p>XSS Attacks - <a href="https://dev.to/kmistele/xss-what-it-is-how-it-works-and-how-to-prevent-it-589o">https://dev.to/kmistele/xss-what-it-is-how-it-works-and-how-to-prevent-it-589o</a></p></li> <li><p>Why JWT in Django? <a href="https://stackoverflow.com/questions/31600497/django-drf-token-based-authentication-vs-json-web-token" rel="noopener noreferrer">https://stackoverflow.com/questions/31600497/django-drf-token-based-authentication-vs-json-web-token</a></p></li> </ol> django drf jwt python Python function to work with dynamic SQL Queries Bhavana Thu, 10 Jun 2021 18:06:14 +0000 https://dev.to/bhavanaeh/python-function-to-work-with-dynamic-sql-queries-25gk https://dev.to/bhavanaeh/python-function-to-work-with-dynamic-sql-queries-25gk <p>Hi community, I'm new here and well, relatively new to development too! I aspire to be a full stack developer one day and I'm looking forward to all the inspiration, encouragement and guidance along the way.</p> <h1> The Problem </h1> <p>Today at work I came across a really interesting requirement, which honestly seemed to be challenging at first but was more of an eye opener for me about my very <em>static</em> approach to SQL queries. Anytime I was expected to query a database, this is how I would do it:</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">details</span> <span class="k">WHERE</span> <span class="n">firstName</span><span class="o">=</span><span class="s1">'John'</span> <span class="k">AND</span> <span class="n">lastName</span><span class="o">=</span><span class="s1">'Doe'</span><span class="p">;</span> </code></pre> </div> <p>What I want mean is, I would use a static query, because I'd always be aware of the parameters ( the column names, the column values and the different clauses too! ) but today, I was expected to search across the table based solely on the user input i.e search across a specific table without knowing anything about the entries in that table or the search query. At first, the very notion of using the user inputs as search parameters baffled me. I wasn't aware of the possibility of working with dynamic SQL queries (hey, in my defence, I'm just a amateur backend developer) but since it was a non-negotiable requirement, I decided to take a shot at it. </p> <h1> My approach towards solving the problem </h1> <p>For this particular project, I am working with:</p> <ol> <li>Django (Python web framework - Backend)</li> <li>PostgreSQL (RDBMS - Database)</li> <li>React (JavaScript Library - Frontend)</li> </ol> <p>The project I am working on is fairly complex, so I'll try to keep the process flow as simple as I can and focus more on the actual logic to solve the problem at hand. The user inputs are captured in a form of sorts with various possible searchable field names alongside a search box for each field. These are then sent to the backend as a query object, when the user hits the search button as follows:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">res</span><span class="o">=</span> <span class="k">await</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://127.0.0.1:8000/application/search/?query=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">queryObj</span><span class="p">));</span> </code></pre> </div> <p>In case you are curious to know what the query object looks like, here's a possible search query example generated from the inputs-<br> First Name: John<br> Last Name: Doe</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">let</span> <span class="nx">queryObj</span><span class="o">=</span><span class="p">{</span><span class="na">firstName</span><span class="p">:</span><span class="dl">"</span><span class="s2">John</span><span class="dl">"</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span><span class="dl">"</span><span class="s2">Doe</span><span class="dl">"</span><span class="p">,};</span> </code></pre> </div> <p>In the backend(<em>inside the Django application\views.py</em>), the queryObj is processed as follows:</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">django.http</span> <span class="kn">import</span> <span class="n">JsonResponse</span> <span class="kn">import</span> <span class="n">psycopg2</span> <span class="kn">import</span> <span class="n">ast</span> <span class="k">def</span> <span class="nf">search_table</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">search_query</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">query</span><span class="sh">'</span><span class="p">)</span> <span class="n">queryparam</span><span class="o">=</span><span class="n">ast</span><span class="p">.</span><span class="nf">literal_eval</span><span class="p">(</span><span class="n">search_query</span><span class="p">)</span> </code></pre> </div> <p>Just in case you are wondering why I have used the built-in function <em>ast.literal_eval(search_query)</em> here, it is because the search_query is a string object and not a python dictionary of key-value pairs. This function helps converting the string object keys in search_query to actual python dictionary keys.</p> <p>Moving on, establishing a connection with the postgresql database using psycopg2:</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">django.http</span> <span class="kn">import</span> <span class="n">JsonResponse</span> <span class="kn">import</span> <span class="n">psycopg2</span> <span class="kn">import</span> <span class="n">ast</span> <span class="k">def</span> <span class="nf">search_table</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">search_query</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">query</span><span class="sh">'</span><span class="p">)</span> <span class="n">queryparam</span><span class="o">=</span><span class="n">ast</span><span class="p">.</span><span class="nf">literal_eval</span><span class="p">(</span><span class="n">search_query</span><span class="p">)</span> <span class="n">con</span><span class="o">=</span><span class="n">psycopg2</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="n">database</span><span class="o">=</span><span class="sh">"</span><span class="s">database_name</span><span class="sh">"</span><span class="p">,</span><span class="n">user</span><span class="o">=</span><span class="sh">"</span><span class="s">user_name</span><span class="sh">"</span><span class="p">,</span><span class="n">password</span><span class="o">=</span><span class="sh">"</span><span class="s">pwd</span><span class="sh">"</span><span class="p">,</span><span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span><span class="n">port</span><span class="o">=</span><span class="sh">"</span><span class="s">12345</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span><span class="o">=</span><span class="n">con</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">and_clause</span><span class="o">=</span><span class="p">[]</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span><span class="n">v</span> <span class="ow">in</span> <span class="n">queryparam</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="n">and_clause</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">"</span><span class="s">%s = </span><span class="sh">'</span><span class="s">%s</span><span class="sh">'"</span> <span class="o">%</span> <span class="p">(</span><span class="n">k</span><span class="p">,</span><span class="n">v</span><span class="p">))</span> <span class="n">and_clause_str</span><span class="o">=</span><span class="sh">'</span><span class="s"> AND </span><span class="sh">'</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">and_clause</span><span class="p">)</span> <span class="n">sql_query</span><span class="o">=</span><span class="sh">'</span><span class="s">SELECT * FROM table_name WHERE </span><span class="sh">'</span> <span class="o">+</span> <span class="n">and_clause_str</span> <span class="nf">print</span><span class="p">(</span><span class="n">sql_query</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">sql_query</span><span class="p">)</span> <span class="n">result</span><span class="o">=</span><span class="n">cursor</span><span class="p">.</span><span class="nf">fetchall</span><span class="p">()</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> </code></pre> </div> <p>So, the code here is pretty self explanatory, but just to quickly walk you through the logic -</p> <p>I have declared a list of strings named <em>and_clause</em> which will store the <em>query_param</em> dictionary keys to be used as column names and <em>query_param</em> dictionary values as the actual value to be searched for seperated by <em>=</em> to structure it like a SQL query. </p> <p>If there is more than one entry in the <em>query_param</em> dictionary i.e when the user wants to search based on multiple parameters or columns, I join these strings using 'AND' and store it in a new string variable called <em>and_clause_str</em>.</p> <p>This is how the final SQL statement will look:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frb9s5dthfte1uuzgct9n.PNG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frb9s5dthfte1uuzgct9n.PNG" alt="SQL-Output"></a></p> <h1> Key points to consider </h1> <ol> <li> <p>The function right now doesn't generate entirely dynamic queries. If you would have noticed I still do specify the table name and also have a mandatory where clause. I have this specifically for two reasons:</p> <ul> <li>The project I am working on aims to perform search operations across databases so the 'where' clause needs to be present as it acts as the search parameter.</li> <li>The table name in my project, is going to be a very standard and common table name, which will be maintained as the same name across different databases, thus I have a query with a hard-coded table name.</li> </ul> </li> <li><p>My understanding on SQL Injections is still very poor and I agree this code might be prone to SQL injections, I do plan on optimising it further to prevent any possibility of being prone to such attacks.</p></li> <li><p>In case you are wondering, what if the user provided input isn't an actual column name in the table, then I'd like to let you know that form column fields are generated from the backend and sent to the frontend to enable search. So in a way, only the existing column names are populated.</p></li> </ol> <p>I hope I did justice to my very first blog post! I really hope this proves to be useful or something new to anyone reading this. I am open to suggestions on further enhancing the code and would love to hear your thoughts or questions on dynamic SQL queries.</p> <p>Thank you for reading!</p> python postgres sql webdev