go-rest | Go library that makes it easy to build | REST library

Defining the lookup_field attribute for the options in the CategorySerializer solved the problem.

Here's the CategorySerializer class:

After investigating a bit on my end, I think I might have a solution that works for you.

I've messed with OAuth before, and it's quite tricky sometimes because it has to be robust. So a bunch of security policies usually get in the way.

I'll provide my full step-by-step, since I was able to get it working, trying my best to match what you posted.

Firstly, to have a clean slate, I went off the example code linked in the tutorials. I cloned and built the project, and did the following:

• Creating a new project on GCP
  • Configured the OAuth consent screen
    • I set the User type to "internal". This options may not be available if you're not using an account under GSuite (which I am). "External" should be fine though, just that "internal" is the easiest to test.
  • Created a OAuth 2.0 Client
    • Added http://localhost:3000 to the "Authorized JavaScript origins" and "Authorized redirect URIs" sections
• Register a Django superuser
  • Registered a Site, with value of localhost:8000 for both fields.
  • Went into the admin panel, and added a Social Application with Client ID and Secret Key as the "Client ID" and "Client Secret" from GCP, respectively. I also picked the localhost site that we added earlier and added it to the right hand box. (I left Key blank)

Example of my Application Page

• Filled in the clientId field in App.js, in the params of the GoogleLogin component.

Here's where I ran into a bit of trouble, but this is good news as I was able to reproduce your error! Looking at the request in the network inspector, I see that for me, no body was passed, which is clearly the direct cause of the error. But looking at App#responseGoogle(response), it clearly should pass a token of some sort, because we see the line googleLogin(response.accessToken).

So what is happening is that accounts.google.com is NOT returning a proper response, so something is happening on their end, and we get an invalid response, but we fail silently because javascript is javascript.

After examining the response that Google gave back, I found this related SO post that allowed me to fix the issue, and interestingly, the solution to it was quite simple: Clear your cache. I'll be honest, I'm not exactly sure why this works, but I suspect it has something to do with the fact that development is on your local machine (localhost/127.0.0.1 difference, perhaps?).

You can also try to access your site via incognito mode, or another browser, which also worked for me.

I have knox token set up, can I use it instead of the JWT tokens?

I don't think I have enough knowledge to properly answer this, but my preliminary research suggests no. AFAIK, you should just store the token that Google gives you, as the token itself is what you'll use to authenticate. It seems that Knox replaces Django's TokenAuthentication, which means that Knox is in charge of generating the token. If you're offloading the login work to Google, I don't see how you could leverage something like Knox. However, I could be very wrong.

Does the class GoogleLogin(SocialLoginView), take care of the steps of validating the access token and code with google and creating the user with that email in database?

I believe so. After successfully authenticating with Google (and it calls the backend endpoint correctly), it seems to create a "Social Account" model. An example of what it created for me is below. It retrieved all this information (like my name) from Google.

Example of my "Social Accounts" page

As for how to retrieve the login from the browser's local storage, I have no idea. I see no evidence of a cookie, so it must be storing it somewhere else, or you might have to set that up yourself (with React Providers, Services, or even Redux.

I did some research into the link you shared, Django's source and Django REST Framework's source.

Bare-bones Django is not vulnerable to this, since it doesn't uses X-Forwarded-For, and neither is Python.

Virtually all versions of Django REST Framework are vulnerable, since this commit 9 years ago added the HTTP_X_FORWARDED_FOR check: https://github.com/encode/django-rest-framework/blob/d18d32669ac47178f26409f149160dc2c0c5359c/rest_framework/throttling.py#L155

For measures you can take to avoid this, since a patch is not yet available, you could implement your own ratelimitter, and replace get_ident to only use REMOTE_ADDR.

If your Djando REST Framework application is behind a proxy, you might not be vulnerable to this.

An index can be scanned in both directions, but it needs to be sorted exactly like the ORDER BY clause it is intended by default. A plain index is sorted in ASC NULLS LAST order, so it can support that order or the reverse, namely DESC NULLS FIRST. To create an index that can support your ORDER BY clause, use

You can work with an annotation:

For Question 2, add this code on your settings.py file

The test you have written is also testing the Django framework logic (ie: Django admin login). I recommend testing your own functionality, which occurs after login to the Django admin. Django's testing framework offers a helper for logging into the admin, client.login. This allows you to focus on testing your own business logic/not need to maintain internal django authentication business logic tests, which may change release to release.

You can use Pagination https://www.django-rest-framework.org/api-guide/pagination/

You can create an ApiView and validate each single data by iterating. If all the data is valid then create the objects.

Example: