Hello all! I'm trying to test a Django view that has a login_required decorator set. How do I go about that? Create a dummy user in the test suite and use that for authentication? Or can I mock the authentication decorator away somehow?
asking for django 2.1
v0lksman
anyone know of a module that would let me setup an event people could RSVP for and provide a list of those that RSVPd?
jtiai
code one?
v0lksman
uhg...what kind of answer is that
mikeliss
schinckel: I've been playing with the extended ModelQuerySet we were talking about the other day. It's...limited. Here's the one you shared: https://dpaste.de/cQEa#L9
schinckel: The big limitation I'm hitting is that I can't use it to do Q queries or queries through joined models.
jtiai
v0lksman: A good one?
mikeliss
schinckel: Like, say I have a Book object with Authors. Using your code, I can do Author.objects.with_name('Joe Smith'). I can't do Book.objects.filter(authors__with_name='Joe Smith')
morenoh149: That kind of depends. CSRF is meant to make sure that, for example, the login form you're filling in originates from a trusted page and not from some phishing site.
moldy
morenoh149: yes, but it might be better to use another authentication scheme to begin with
finster
moldy: alright, thanks!
morenoh149
jtiai: yep, I kind of understood that the cross-site bit means it's designed to work in the browser; not really a concern when writing a phone app
jtiai
morenoh149: So as moldy said, you might consider some other authentication scheme.
morenoh149
moldy: would you use token authentication? I just read a lot of materials saying tokens are poor solutions for tracking sessions
I'd love to leverage django's auth since it's rock solid and handles reset passwords
I _could_ store the token in a cookie but I don't see any tutorial on how to do this either (either generic with curl or in React Native, which is what I'm using)
moldy
morenoh149: yes, I usually use token auth for this
morenoh149: are you using django-rest-framework?
morenoh149
yes, trying to anyway, kinda wavering back and forth between drf and vanilla django
morenoh149: I actually use stateless, short-lived JWTs, not ones that, for example, hold session information.
morenoh149
I've only ever used JWT as an auth token, stored in localStorage (for a website). The stuff I've read today suggests that is poor security, and brittle if you try to update or sign people out
perhaps a phone app doesn't have to worry about xss? so it's okay for it to store the token on the phone's disk?
jtiai: do you use a token that only stores the session id?
jtiai
morenoh149: Nope. I trust django to handle that part correctly for me :)
moldy
morenoh149: DRF offers the auth scheme you need out of the box, you realize that, right?
v0lksman
jtiai: yeah, saw that and django-event-rsvp; both over 5 years old at this point. Also found one that is used specifically for a wedding app. Reviewing them, planning to write my own that will use Mailchimp to maintain the lists and the drip campaigns that could come from it
moldy
morenoh149: no need to get clever here, IMO.
"Token authentication is appropriate for client-server setups, such as native desktop and mobile clients."
v0lksman
thought I had seen a bunch of apps for DjangoCon in the past. can't find any info about them at all now though
googling "django event" anything returns stuff about celery and redis etc... not a great term to search for, hence my earlier question
morenoh149
moldy: I thought so, but when I chatted about it in this channel in the evening I got suggested to stick to sessions and cookies.
different crowd in this channel at different times of day
moldy
morenoh149: huh, that is surprising
morenoh149: maybe those people did not realize you are talking about a native desktop client
morenoh149
folks telling me "every mobile stdlib has support for cookies" so I started studying cookies and sessions and django built in auth
and reading about the disadvantages of jwt's for session management
morenoh149 shrugs
moldy
if you are already using DRF, use the token auth it gives you
morenoh149
and when I make the SPA version of this project store the token as an httpOnly token right?
token in an httpOnly cookie rather
does DRF do that ootb?
moldy
I am not very familiar with SPAs; the ones I am involved with use OAuth, but don't do that if you don't need it
I think you will want token auth there as well, but I am not sure
not sure if you'll want to store the token in a cookie; I think localStorage is more common?
jtiai
SPA is "simple", since it's just web stuff. And a lot of JavaScript...
moldy
but I know very little about frontend development
morenoh149
auth0 looks good but I'm building a consumer app so don't want to go there, for a smaller number of potential users I'd definitely use it
localStorage may be more common, but I think it's wrong: if an attacker gets to execute JS they can read the token, and if the token has sensitive info they can get that. So you could also limit what you place in the token, like just the session id.