New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move authentification to the django API #1788
Comments
I took a look at the php-code and I am afraid of changing the session store...
The user is now logged in with his Django "session_cookie" and the PHP_SESSID Advantages:
Disadvantages:
|
Yes, maybe not shared the session store is cleaner. Have you considered adding some internal endpoints to legacy, and rather than redirecting the user, we make a few calls from the api to legacy to maintain the php sessions ? After valid login in the api, we forward the request to legacy, create a session and we respond to the user with both api and legacy data ? And what about not using sessions at all in the API and rather use for example a JWT ? |
This does sound fine and also not hard to implement.
I think JWT is also fine. |
I had some time, so I though I'll give it a try and see how possible this is. I plan to add the JWT endpoints in such a way that a either:
What do you think about this? |
Let's keep JWT away for now, we can always add it later on for external clients. I think the cookie session is our best option for browser clients. The discussion about JWT should probably also involve oauth2 (auth+scopes) and our permission model. So I prefer to keep in a dedicated ticket. I could see the following auth systems:
I don't think there is any other email that we send except the user management emails, which will be moved to Django. This should close #724 and we should probably only use Django as our mail client. (I am very happy that this will be closed as well!) The current login page (legacy) must be kept, but we will have to change the login POST endpoint to use the django api. The changes are minimal, maybe not pretty, but I prefer to transition to the new frontend in a future PR. Legacy is currently supposed to support a LDAP auth backend, I think this should also be taken into consideration when moving the auth system to the API. But I have to admit, I have no idea if this is still working or even used. If a ldap backend is added to the api auth, we need to make it optional, as I prefer not to install too much dependencies if only a few need the feature. I should probably think a bit more about the pros and cons between JWT and sessions (cookies), I have been away for some time, so I need some more time to dive into this. |
With this change I think we can introduce the new Vue based UI, and replace the entire login page. So we don't loose too much time working with the legacy code. |
After looking for a cleaner/alternative solution, I concluded that we should rather use a database based session store for the legacy app, and manage the store from the Django side. This prevents us from doing HTTP requests between services, which would introduce a lot of headache. For example, just to find the internal URL of the legacy service without adding an extra configuration entry is not so straight forward. Here are few steps to solve:
This is a decent amount of work, but it is a good step to properly handle the migration from the legacy code to django. |
Do you mean the new approach would prevent us from doing HTTP requests between services? We currently use HTTP requests between services a fair amount - e.g. downloading files from legacy for playout and getting the schedule some of the time.
There is some of this already implemented - login and logout at least. It handles both API tokens and user accounts. We could either extend that or replace it with dj-rest-auth. |
Indeed, we do use HTTP calls between Playout and legacy/API, this is the architecture we agreed on (Schedule and Play blocks). But in our case, we have to make HTTP calls between 2 services that are supposed to be blended together. We cannot use the However, if there is a better alternative/trick, I'm happy to work towards it.
Hmm, then I am confused. I did find the api token auth system, but I couldn't find the login/logout views with or without sessions, maybe you have a link ? |
The default DRF login/logout views work with standard Django session management AFAIR. I'll have to test it out and see if I can remember what I did to get it working |
Oh, you are referring to the existing DRF API browser views, do you think those are usable in production ? I think we should prefer using a library battery included instead of tweaking the API browser views. |
This comment was marked as outdated.
This comment was marked as outdated.
I've been playing a bit with this new idea, and I managed to create a legacy session in the db, from a django command. Once the session is inserted, the browser with that session id can navigate the UI without going through the legacy login process. I've started to work in this in #2523, and have more work in other branches, as I wanted to split the work in multiple PRs. Now comes the question, are we moving towards this, or should we investigate other solutions ? |
In the transition to Django, I think we should setup a shared session store in the db (or in a key/value store). I am unsure how feasible this is on the PHP side, but this should simplify the authentication management.
The future Webapp will need to call the Django API, and we will probably reuse the same shared session.
Ideally we would have a single place with Write access to the store, and the rest will only have a read only permissions to the store to authenticate a request and restore session data.
The text was updated successfully, but these errors were encountered: