Security & Authentication
What to keep in mind when safeguarding your applications.
When a reflex is executed you have access to the underlying session, so you can tell whether the user is authenticated or not. Even if the user is not logged in, the reflex will work as expected.
```python
from sockpuppet.reflex import Reflex


class ExampleReflex(Reflex):
    def check_auth(self):
        user = self.request.user
        if user.is_authenticated:
            # Here you could add a variable that shows that the user is
            # authenticated, or perform other lookups or whatever need be.
            pass
        elif user.is_anonymous:
            # Based on this case you could take other measures that change
            # the context.
            pass
```
Above you can see an example of what the reflex could look like. Once the check_auth method of the reflex is called from the frontend, the template will be updated according to your logic in the reflex.
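Because any reflex method can be triggered from the browser, branching on is_authenticated is usually not enough: a login-only action should refuse to run for anonymous users. The following is an added example, not code from the django-sockpuppet docs or project; it assumes only that the reflex exposes the Django request as self.request, and uses constructed stand-ins for Reflex, request and user so it runs offline.

```python
import functools


class ReflexNotAllowed(Exception):
    """Raised when an anonymous user triggers a login-only reflex method."""


def login_required_reflex(method):
    """Decorator: run the reflex method only for authenticated users."""
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        user = self.request.user          # assumption: same shape as on the page
        if not user.is_authenticated:
            # Skip the body entirely and leave a marker the template can render.
            self.error = "login required"
            raise ReflexNotAllowed(method.__name__)
        return method(self, *args, **kwargs)
    return wrapper


class CounterReflex:
    """Constructed stand-in for a sockpuppet Reflex subclass."""
    def __init__(self, request):
        self.request = request
        self.count = 0
        self.error = None

    @login_required_reflex
    def increment(self, step=1):
        self.count += step
        return self.count


class _User:
    """Constructed stand-in for request.user with Django's two flags."""
    def __init__(self, authenticated):
        self.is_authenticated = authenticated
        self.is_anonymous = not authenticated


class _Request:
    def __init__(self, user):
        self.user = user


def run(authenticated, step=1):
    """Dispatch increment() the way the frontend would and report the outcome."""
    reflex = CounterReflex(_Request(_User(authenticated)))
    try:
        return {"count": reflex.increment(step), "error": None}
    except ReflexNotAllowed:
        return {"count": reflex.count, "error": reflex.error}
```

When the guard fires, the counter is never touched and the error marker is available to the re-rendered template.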
If the website uses https, the reflex traffic will use a secure websocket. Another security concern is cross-site request forgery (CSRF); you can read more about how this works for django-channels.
By default django-sockpuppet uses AllowedHostsOriginValidator, which means that a websocket can only be opened from the same domains in
In the setup stage you defined sockpuppet.routing.application. So if you need to drop the origin validator for any reason, you'll need to create a routing file of your own and update the settings.py file to reflect that.