0

I have a Django REST backend, and it has a /users endpoint where I can add new users through POST method from frontend.

/users endpoint url:

http://192.168.201.211:8024/users/

In this endpoint I can view all users information and add new user, so I must avoid others entry it except Administrator. I create a superuser admin with password admin123 by python manage.py createsuperuser.

My question is, If I want to do a HTTP POST from frontend(I use Angular) I have to pass the Administrator's user name and password, admin and admin123, along with POST head information. So I let others know the user name and password who check the source code of frontend.

Is there any other way to do this Authentication without exposing Administrator's user name and password to others?

Improve this question
2
  • Why would you hardcode the admin's credentials into the frontend? Commented Sep 4, 2017 at 7:57
  • If a new user want to register instead of Administrator, how can I handle it? Commented Sep 4, 2017 at 7:59

3 Answers 3

Reset to default
0

You need to create an API that handles the user creation. This is why we create backends. The user will send the API their credentials and the API will add the user to the database using the admin credentials and post request. The API's code will not be viewable. Depending on your needs, auth0 can be a good solution and save you time on user registration and login. If you make your own sign up and login be sure to hash passwords and make sure they are sent over SSL. A service like auth0 will handle all this for you if you want to focus on other parts of your project.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Do you mean I need to create another endpoint instead of http://192.168.201.211:8024/users/? Like /create_user/, then add new user into db by hand, not use django REST ModelViewSet to add use.
let's say /create_user/ receives the post request then takes that data and posts to django REST ModelViewSet to add the user.
How can we do POST in view function of Django? I mean POST always from frondend to backend, right?
0

token auth is may what you need,i use token auth for DRF as backend and angular as frontend

Improve this answer

6 Comments

I can use token = Token.objects.create(user='admin') to get a token of admin and then use this token to do a POST right?
user login success you need return a token to user client,after this,all the request from client need be add a header format like 'Authorization':'Token 7582b1089cb8fd605d03fe70bcd0ee7c2f7cxf14',then TokenAuthentication will identification of user identity by the header in backend
if you are new to DRF and token auth,django-rest-framework-jwt must be help
I know jwt, if I log in by admin and the related password then I can get a token. But here I want to access the /users/ endpoint by a new user, not admin. This new user does not have admin's password.
I want to give this user a temporary right to access this endpoint
|
0

Finally, I find a method to solve this problem.

Here has a very elegant way to do this, rewrite get_queryset function in my UserViewSet:

class UserViewSet(viewsets.ModelViewSet):

    # permission_classes = (permissions.IsAdminUser, )
    permission_classes = (permissions.AllowAny, )  # <-- change 1
    # queryset = User.objects.all()  # <-- change 2
    serializer_class = UserSerializer

    def get_queryset(self):
        queryset = User.objects.filter(id=self.request.user.id)
        if self.request.user.is_superuser:
            queryset = User.objects.all()
        return queryset

In change 1, permissions allowed anyone to access, so a new user can do a POST without any authentication.

In change 2, I only return all users when the user is superuser, just like rewrote get_queryset done.

Also need to change urls.py file to add base_name for this url like this: 

router.register(r'users', UserViewSet, base_name='user')

ref, https://stackoverflow.com/a/22767325/2803344

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.