
The code I'm showing you below is what works for me right now. It's not the most secure, but it does the job; I want to do it using the POST method. Any ideas how to change it?

I have a serializer.py class

from rest_framework import serializers

# `users` is the asker's own model (not shown on the page)


class userLoginSerializer(serializers.ModelSerializer):

    class Meta:
        model = users
        fields = ('nick', 'pass_field')


from rest_framework import status
from rest_framework.decorators import api_view
from rest_framework.response import Response


@api_view(['GET'])
def user_login(request, nick, pass_field):

But when I send the two values, nick and pass_field, it says that the nick already exists and returns 404, because it passes them to serializers.errors. I just need to send the values using POST, validate whether they exist, and return a success JSON. The code below works, but it's not the best implementation.

    if request.method == 'GET':

        try:
            # raises users.DoesNotExist when no row matches both fields
            users.objects.get(nick=nick, pass_field=pass_field)
            json = {'message': 'success'}

            return Response(json, status=status.HTTP_201_CREATED)

        except users.DoesNotExist:

            json = {'message': 'error'}

            return Response(json, status=status.HTTP_400_BAD_REQUEST)
  • Are you storing passwords as plain text? Not good. Anyway, a POST request with username and password looks very much like authentication. Please tell us more about why you do the request in the first place. Maybe there's a better way to solve your problem. Commented May 11, 2014 at 19:44
  • An iOS application sends nick and pass_field values to the API. It must check if they are in the database and return a success or error message in either case. I'm using request.DATA['nick'] with POST but still can't validate the fields :( as serializer.data does. Commented May 11, 2014 at 22:57

2 Answers

Is the model users or User? Why don't you use the Django User model?

The class User already has a check_password method and stores the password with a hash algorithm: https://docs.djangoproject.com/en/dev/ref/contrib/auth/#methods Never store a password in plain text; it's very insecure.

Using the Django User model (or a class that inherits from it), you can simply check if it's valid this way:

from django.contrib.auth.models import User

try:
    user = User.objects.get(username=nick)
    # check_password hashes pass_field and compares it with the stored hash
    if user.check_password(pass_field):
        # TODO: Valid password, insert your code here
        pass
    else:
        # TODO: Password not valid, handle it here
        pass
except User.DoesNotExist:
    # TODO: Your error handler goes here
    pass

Another thing you can do is inherit from APIView and implement your code in the post method: http://www.django-rest-framework.org/api-guide/views


I implemented a method for Sign In with JWT, and what it does is:

  1. Fetches the email and password that are sent with the request and converts them into string variables.
  2. I check if the email already exists in the custom user model I made.
  3. If the user already exists, I convert the model object to a dictionary so that I can get its particular password.
  4. In that I match the password corresponding to the user model and the password that is sent with the POST request.
  5. If the email exists in the user model and the password corresponding to that user model matches the password that is sent with the POST request, I use PyJWT to make the JWT with my custom data and return the response.
  6. In all other cases the email and password don't match and I return "No Match".

Suppose the request is {"email":"[email protected]", "password":"12345" }

import jwt  # PyJWT
from rest_framework.decorators import api_view
from rest_framework.response import Response

# User is the answerer's custom user model (import path not shown on the page)


@api_view(['POST'])
def signin(request):
    # gets the email and password values from the POST request
    # {"email":"[email protected]", "password":"123"} by position,
    # so this relies on the client sending the keys in that order
    email = list(request.data.values())[0]     # -> [email protected]
    password = list(request.data.values())[1]  # -> 123

    usr = User.objects.filter(email=email).exists()  # checks if the email exists
    if usr:
        # converts the object to a dictionary for accessing data like
        # dictionary["password"], dictionary["first_name"] etc.
        dictionary = User.objects.filter(email=email).values()[0]
        # check if the stored password for that email matches the password that is sent
        if dictionary["password"] == password:
            branch = dictionary["branch"]
            id = dictionary["id"]
            encoded_jwt = jwt.encode({'email': email}, 'secret', algorithm='HS256')
            return Response({'token': encoded_jwt, 'email': email, 'branch': branch, 'id': id})
        else:
            # a dict, not a set: a set is not JSON-serialisable
            return Response({'message': 'No Match'})
    return Response({'message': 'No Match'})

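Putting the two answers together: the first answer's point (verify against a salted hash via check_password, never compare a stored plaintext password) and the second answer's flow (credentials in a POST body, a signed token in the response). The following is an added example, not code from the question or from either answer, and it uses only the Python standard library so that it runs without Django installed. make_password and check_password here are stand-ins for Django's functions of the same name (the encoded string layout is modelled on Django's pbkdf2_sha256 hasher; that is an assumption, not Django's code), USERS is a constructed in-memory table standing in for the users model, the API_SIGNING_KEY environment variable is an assumed deployment setting, and issue_token produces an HMAC-signed token rather than a JWT. In a DRF view, APIView.post or an @api_view(['POST']) function would call login(request.data) and wrap the result in Response(body, status=code).

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import secrets
import time

# Stand-ins for Django's make_password / check_password. Assumed layout, modelled
# on Django's pbkdf2_sha256 hasher: "algorithm$iterations$salt$base64(hash)".
PBKDF2_ITERATIONS = 600_000


def make_password(plain, iterations=PBKDF2_ITERATIONS):
    """Hash a password with PBKDF2-HMAC-SHA256 and a fresh random salt."""
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt.encode(), iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt, base64.b64encode(digest).decode()])


def check_password(plain, encoded):
    """Re-derive the hash from the stored salt and compare in constant time."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt, stored = parts
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(base64.b64encode(digest).decode(), stored)


# Constructed in-memory table standing in for the `users` model in the question.
USERS = {
    "alice": {"id": 1, "nick": "alice", "pass_field": make_password("correct horse")},
}

# Hash that is checked when the nick is unknown, so an unknown nick costs the same
# time as a wrong password and the two cases cannot be told apart by timing.
_DUMMY_HASH = make_password(secrets.token_hex(16))

# Assumed deployment setting; the fallback value exists only so the example runs.
SIGNING_KEY = os.environ.get("API_SIGNING_KEY", "dev-only-key-do-not-deploy").encode()


def issue_token(user_id, ttl_seconds=3600, now=None):
    """HMAC-SHA256 signed token, base64url(payload).base64url(mac); not a JWT."""
    exp = int(time.time() if now is None else now) + ttl_seconds
    payload = json.dumps({"sub": user_id, "exp": exp}, separators=(",", ":")).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= int(time.time() if now is None else now):
        return None
    return claims


def login(data):
    """Body of the POST login handler: returns (http_status, json_body)."""
    nick = data.get("nick")
    pass_field = data.get("pass_field")
    if not isinstance(nick, str) or not isinstance(pass_field, str):
        return 400, {"message": "error", "detail": "nick and pass_field are required"}
    user = USERS.get(nick)
    encoded = user["pass_field"] if user is not None else _DUMMY_HASH
    valid = check_password(pass_field, encoded) and user is not None
    if not valid:
        # Identical status and body for an unknown nick and a wrong password, so
        # the response does not reveal which nicks exist.
        return 401, {"message": "error"}
    return 200, {"message": "success", "id": user["id"], "token": issue_token(user["id"])}
```

Two details differ from the code in the question on purpose: a successful login returns 200 rather than 201 (nothing was created), and a failed login returns 401 with the same body whether the nick is unknown or the password is wrong, rather than distinguishing the two. The dummy-hash check on an unknown nick keeps the failure path's cost the same in both cases.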