Reputation: 60
django-allauth logging in with Facebook token from iOS Device
I am using the Facebook iOS SDK to POST the Facebook Access Token to my Django server URI. The corresponding views.py function is shown below and I get a 200 Response code when I do the POST from iOS. However, I have a second @login_required decorated URI that I call from the iOS Device immediately afterword which considers me not logged in and redirects me to my main page. What am I doing wrong? How do I 'stay' logged in after my successful POST from iOS?
# For POSTing the facebook token
from django.views.decorators.csrf import csrf_exempt
from allauth.socialaccount import providers
from allauth.socialaccount.models import SocialLogin, SocialToken, SocialApp
from allauth.socialaccount.providers.facebook.views import fb_complete_login
from allauth.socialaccount.helpers import complete_social_login
# Log in from Facebook
@csrf_exempt
def mobile_facebook_login(request):
response = HttpResponse() ## Create an HTTP Response Object
if request.method == "POST": # The method better be a POST
access_token = request.POST.get('access_token') # Get token
try:
app = SocialApp.objects.get(provider="facebook")
token = SocialToken(app=app, token=access_token)
# Check token against facebook
login = fb_complete_login(request, app, token)
login.token = token
login.state = SocialLogin.state_from_request(request)
# Add or update the user into users table
ret = complete_social_login(request, login)
# If we get here we've succeeded
response['Auth-Response'] = 'success'
response.status_code = 200 # Set status
return response
except Exception,e:
# If we get here we've failed
response['Auth-Response'] = 'failure: %s'%(e)
response.status_code = 401 # Set status
return response
else:
# If we get here we've failed
response['Auth-Response'] = 'failure'
response.status_code = 401 # Set status
return response
======= UPDATE ==========
Ok, thanks for the comments. So I am now POSTing the facebook email address as well and getting the user and logging them in manually. However, subsequent requests STILL are not authenticated. So the @login_required decorator still fails.. Any other ideas?
# Log in from Facebook
@csrf_exempt
def mobile_facebook_login(request):
response = HttpResponse() ## Create an HTTP Response Object
if request.method == "POST": # The method better be a POST
access_token = request.POST.get('access_token') # Get token
email = request.POST.get('email') # Get email
try:
app = SocialApp.objects.get(provider="facebook")
token = SocialToken(app=app, token=access_token)
# Check token against facebook
login = fb_complete_login(request, app, token)
login.token = token
login.state = SocialLogin.state_from_request(request)
# Add or update the user into users table
ret = complete_social_login(request, login)
# Try to get username from email
try:
user = User.objects.get(email=email) # Get User
# Login the user from Django's perspective
user.backend = 'django.contrib.auth.backends.ModelBackend'
auth_login(request,user)
except User.DoesNotExist:
# If we get here we've failed
response['Auth-Response'] = 'failure: %s'%(e)
response.status_code = 401 # Set status
return response
# If we get here we've succeeded
response['Auth-Response'] = 'success'
response.status_code = 200 # Set status
return response
except Exception,e:
# If we get here we've failed
response['Auth-Response'] = 'failure: %s'%(e)
response.status_code = 401 # Set status
return response
else:
# If we get here we've failed
response['Auth-Response'] = 'failure'
response.status_code = 401 # Set status
return response
==== Another Update ==========
Based on the 2nd answer in this post: django authentication without a password
I created a custom login backend that does not require a password. The 3rd answer in that post discusses how doing this:
user.backend = 'django.contrib.auth.backends.ModelBackend'
login(request, user)
Doesn't store the login validation in the session. So I tried using a custom backend.
Here is my modified code:
# Log in from Facebook
@csrf_exempt
def mobile_facebook_login(request):
response = HttpResponse() ## Create an HTTP Response Object
if request.method == "POST": # The method better be a POST
access_token = request.POST.get('access_token') # Get token
email = request.POST.get('email') # Get email
try:
app = SocialApp.objects.get(provider="facebook")
token = SocialToken(app=app, token=access_token)
# Check token against facebook
login = fb_complete_login(request, app, token)
login.token = token
login.state = SocialLogin.state_from_request(request)
# Add or update the user into users table
ret = complete_social_login(request, login)
# Try to get username from email
try:
user = User.objects.get(email=email) # Get User
# Login the user from Django's perspective
user.backend = 'django_tours.auth_backend.PasswordlessAuthBackend'
user = authenticate(email=user.email)
auth_login(request,user)
#request.session.cycle_key()
except User.DoesNotExist:
# If we get here we've failed
response['Auth-Response'] = 'failure: %s'%(e)
response.status_code = 401 # Set status
return response
# If we get here we've succeeded
response['Auth-Response'] = 'success'
response['User-Is-Authenticated'] = '%s'%(request.user.is_authenticated())
response.status_code = 200 # Set status
return response
except Exception,e:
# If we get here we've failed
response['Auth-Response'] = 'failure: %s'%(e)
response.status_code = 401 # Set status
return response
else:
# If we get here we've failed
response['Auth-Response'] = 'failure'
response.status_code = 401 # Set status
return response
Using hurl.it I get this HTTP 200 response, but am still NOT considered logged in from the iPhone:
Auth-Response: success
Content-Encoding: gzip
Content-Length: 20
Content-Type: text/html; charset=utf-8
Date: Thu, 08 May 2014 00:22:47 GMT
Server: Apache/2.2.22 (Ubuntu)
Set-Cookie: csrftoken=UuJDP6OB3YCSDtXLEa10MgJ70tDtIfZX; expires=Thu, 07-May-2015 00:22:48 GMT; Max-Age=31449600; Path=/, sessionid=kdr061v1pcsbqtvgsn3pyyqj9237z6k8; expires=Thu, 22-May-2014 00:22:48 GMT; httponly; Max-Age=1209600; Path=/, messages="4f919699a4730a3df220a0eb3799ed59d2756825$[[\"__json_message\"\0540\05425\054\"Successfully signed in as philbot.\"]]"; Path=/
User-Is-Authenticated: True
Vary: Cookie,Accept-Encoding
Upvotes: 11
Views: 3508
Answers (2)
Reputation: 60
Thanks for all the help and input -- I finally solved it. I don't know the exact root cause of why logging in with Facebook munged the cookies and standard login worked fine. I did notice that the domain of the cookies returned from the Facebook login were formatted with a leading "." like this:
[ .domain.com ]
Whereas the standard login that worked had cookie domains like this:
[ www.domain.com ]
I parsed the cookies from the HTTP response after successfully logging in with Facebook and stored them in the singleton:
// Extract cookie information
NSRange range = [cookieString rangeOfString:@"csrftoken="];
if (range.location!=NSNotFound){
cookieString = [cookieString substringFromIndex:NSMaxRange(range)];
range = [cookieString rangeOfString:@";"];
if (range.location!=NSNotFound){
self.appDelegate.djangoCsrftoken = [cookieString substringToIndex:range.location];
}
}
range = [cookieString rangeOfString:@"sessionid="];
if (range.location!=NSNotFound){
cookieString = [cookieString substringFromIndex:NSMaxRange(range)];
range = [cookieString rangeOfString:@";"];
if (range.location!=NSNotFound){
self.appDelegate.djangoSessionId = [cookieString substringToIndex:range.location];
}
}
if (LOGIN_DEBUG) { // Debug the response
NSLog(@"Extracted csrftoken is: %@",self.appDelegate.djangoCsrftoken);
NSLog(@"Extracted sessionid is: %@",self.appDelegate.djangoSessionId);
}
I then, created those cookies explicitly for the following request:
// Clear all cookies when app launches
NSHTTPCookieStorage *cookieStorage = [NSHTTPCookieStorage sharedHTTPCookieStorage];
for (NSHTTPCookie *each in cookieStorage.cookies) {
//if ( [each.domain isEqualToString:DOMAIN] ) {
NSLog(@"Deleting cookie: %@ -- %@",each.name,each.domain);
[cookieStorage deleteCookie:each];
//}
}
//////////////// CSRF TOKEN /////////////////////
// Create cookies based on parsed values
NSMutableDictionary *cookieCsrfProperties = [NSMutableDictionary dictionary];
[cookieCsrfProperties setObject:@"csrftoken" forKey:NSHTTPCookieName];
[cookieCsrfProperties setObject:self.appDelegate.djangoCsrftoken forKey:NSHTTPCookieValue];
[cookieCsrfProperties setObject:DOMAIN forKey:NSHTTPCookieDomain];
[cookieCsrfProperties setObject:DOMAIN forKey:NSHTTPCookieOriginURL];
[cookieCsrfProperties setObject:@"/" forKey:NSHTTPCookiePath];
[cookieCsrfProperties setObject:@"0" forKey:NSHTTPCookieVersion];
// Set expiration to one month from now or any NSDate of your choosing
// this makes the cookie sessionless and it will persist across web sessions and app launches
/// if you want the cookie to be destroyed when your app exits, don't set this
[cookieCsrfProperties setObject:[[NSDate date] dateByAddingTimeInterval:2629743] forKey:NSHTTPCookieExpires];
NSHTTPCookie *csrfCookie = [NSHTTPCookie cookieWithProperties:cookieCsrfProperties];
[[NSHTTPCookieStorage sharedHTTPCookieStorage] setCookie:csrfCookie];
//////////////// SessionId TOKEN /////////////////////
// Create cookies based on parsed values
NSMutableDictionary *cookieSessionIdProperties = [NSMutableDictionary dictionary];
[cookieSessionIdProperties setObject:@"sessionid" forKey:NSHTTPCookieName];
[cookieSessionIdProperties setObject:self.appDelegate.djangoSessionId forKey:NSHTTPCookieValue];
[cookieSessionIdProperties setObject:DOMAIN forKey:NSHTTPCookieDomain];
[cookieSessionIdProperties setObject:DOMAIN forKey:NSHTTPCookieOriginURL];
[cookieSessionIdProperties setObject:@"/" forKey:NSHTTPCookiePath];
[cookieSessionIdProperties setObject:@"0" forKey:NSHTTPCookieVersion];
// Set expiration to one month from now or any NSDate of your choosing
// this makes the cookie sessionless and it will persist across web sessions and app launches
/// if you want the cookie to be destroyed when your app exits, don't set this
[cookieCsrfProperties setObject:[[NSDate date] dateByAddingTimeInterval:2629743] forKey:NSHTTPCookieExpires];
NSHTTPCookie *sessionIdCookie = [NSHTTPCookie cookieWithProperties:cookieSessionIdProperties];
[[NSHTTPCookieStorage sharedHTTPCookieStorage] setCookie:sessionIdCookie];
///////////////////////////////////////////////////
// Create request
NSURL *url = [NSURL URLWithString:requestUrl];
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:url];
urlRequest.HTTPShouldHandleCookies = YES;
NSHTTPCookie *setCookie;
for (setCookie in [NSHTTPCookieStorage sharedHTTPCookieStorage].cookies) {
if ( ([setCookie.name isEqualToString:@"csrftoken" ] || [setCookie.name isEqualToString:@"sessionid"]) ) {
NSLog(@"Adding Cookie: %@ = %@ [ %@ ]", setCookie.name, setCookie.value, setCookie.domain);
[urlRequest addValue:setCookie.value forHTTPHeaderField:setCookie.name];
}
}
NSURLResponse *response = nil;
NSError * error = nil;
NSData *responseData = [NSURLConnection sendSynchronousRequest:urlRequest returningResponse:&response error:&error];
After doing that, I could successfully login with Facebook using Django-allauth.
Upvotes: 0
Reputation: 1177
I have run into a very similar problem as yours, in implementing Facebook login from an iOS app to a server running django-allauth. I noticed in the successful POST response in iOS that the sessionid cookie was not being automatically saved as it normally is. I believe that's the reason your subsequent calls are being denied and redirected to your main page.
Adding the following line seemed to solve it for me, but I admit that I do not have a complete understanding of why it works. Something to do with refreshing the session key, perhaps. Anyway, since there were no other answers, thought this might be helpful for you to try:
user = User.objects.get(email=email) # Get User
# Login the user from Django's perspective
user.backend = 'django.contrib.auth.backends.ModelBackend'
auth_login(request,user)
request.session.cycle_key() #Refresh session key
Then, on the iOS app side, I check whether there exists a session cookie:
NSArray *cookies = [[NSHTTPCookieStorage sharedHTTPCookieStorage] cookiesForURL:[NSURL URLWithString:WEB_APP_BASE_URL]];
for (NSHTTPCookie *cookie in cookies)
{
if ([cookie.name isEqualToString:@"sessionid"]) {
NSLog(@"found session cookie: %@",cookie.value);
}
}
Upvotes: 1
Related Questions
- Django 2.0 allauth Facebook 2018
- login with facebook: django-allauth
- Django Allauth Facebook Integration Login Failure
- Django-allauth use for facebook login/signup on a json api
- Android django facebook login
- python-social-auth + mobile app
- How to make Facebook Login possible in Django app ?
- How to configure facebook to enable "facebook login" for a django server?
- django-allauth connect with facebook
- Django ,Facebook Graph API and iOS