Let me know in the comments what sort of content you're most interested in: - tutorials on something specific (Next.js/Django/Redis/Docker/etc.) - how to build certain apps (e-commerce/social media/real-estate/clones of other apps/etc.) - overview of how something works (authentication/app architecture/deployment/etc.) - other (career/learning/habits/energy/procrastination/focus/etc.) Also one thing I'm thinking is to have things outside of just tutorials on this channel, could be interesting to dive into some topics like the ones in the last point. I like putting together tutorials, but also don't want to just be a tutorial channel. Let me know your thoughts on some of these things!
Django With Next Auth would be like eating coffee sitting in a mountain. Just perfect. Can you please create one? There's nothing I can find online on this topic
If I had a wish: django-tenants on NextJS (subfolder tenants on the frontend) / DjangoNinja (subdomain tenants) and app architecture (separate repositories for front and backend?) + deployment
I believe this is the most exceptional Django tutorial I've encountered since the day I first saw the sun. It's truly a comprehensive, well-structured, and insightful resource that stands out above all others.
This is an awesome video, especially for someone who moves from Django as a full-stack, to Django as a backend only, this is where the challenge comes to understand the lower layers of authentication and how to customize everything to work with the JS frameworks. Thanks, @bryanbrkic for this awesome video.
Maybe something like OTP authentication with next and django? Being new to frontend technologies, your previous videos on how to implement jwt authentication with react and django helped me a lot, as these kinda tutorials are rare out there. Also doing some system design stuff, as people already do tons of tutorials without any thoughts of how potentially an app can get messy without a well organized structure would be pretty come in handy ☺️
I'm trying to imagine how on earth you have only 720 likes. this is the best tutorial about authentication using JWT I Have ever seen. I have been the last month researching about the topic and just now I have found something that really helped me to understand the core concepts behind. And the use of postman is a bonus! Thanks a lot my friend. Sorry for my ugly English
Hello, thank you for the detailed tutorial. Nice work. Do you have a tutorial where you have set up the domain name from vercel and connected it to Digital Ocean that one can follow? and lastly, why did you choose Vercel for your domain? Is it personal preferences or is there something advantageous about vercel?
Amazing content, a new series idea could be using docker, redis, celery with django and deploying to production as ive had a hard time finding content with all of them togethor. Awesome vid!
Thank you Bryan, It was awesome.I learned alot. as a side note, your speaking and teaching style and even tone your voice reminds me of Adam Swaap (Houdini Artist)
Hello Bryan, whatever you do, thank you so much for your videos that helped me a lot in the past. I think it's necessary to vary the production of videos on different topics.
Hello Bryan, thanks for your tutorial! Is it possible for u to do follow-up series on top of this tutorial, for example building some function like blog posting or so on on top? Thanks again
What you shared in this video is just incredible, documentations resources, explanations, examples, straight to the point. Thank you dear. I don't really understand why you are at 500 likes.
Hello @bryanbrkic this is an awesome tutorial. Thank you for efforts you put in it. As I was following the tutorial, I got stuckat the section Testing Google OAuth2. I am using insomnia for testing the endpoints I get the following error: { "non_field_errors": [ "State could not be found in server-side session data." ] } whenever I try the Google OAuth2 Login endpoint. Any idea how to fix this ?
Hello there. Yes I was able to get it to work. In my cas this error was linked to the Insomnia app. I edited the cookie "session id" to include the domain name (localhost) and set Same site to None
I've traced back over all the steps, the only thing I've found to be missing is setting the refresh and access expiration on djangos end, as currently it appears to be stuck at its default value, have checked through both the git and the video.
Hey Bryan, by setting AUTH_COOKIE_SAMESITE = 'None', wouldn't that make it vulnerable to CSRF attacks? How could we avoid this in this case, if we still want to use all methods, including POST, for example? Is it possible to combine this jwt cookie approach with csrf token? If so, how could we do that? Thanks, man!
CSRF is a pretty old attack that is next to impossible to pull off these days, but you can still add the protection. This is how you'd set up the CustomJWTAuthentication class if you want this: ` from django.conf import settings from rest_framework_simplejwt.authentication import JWTAuthentication from rest_framework.authentication import CSRFCheck from rest_framework import exceptions class CustomJWTAuthentication(JWTAuthentication): def enforce_csrf(self, request): def dummy_get_response(request): return None check = CSRFCheck(dummy_get_response) check.process_request(request) reason = check.process_view(request, None, (), {}) if reason: raise exceptions.PermissionDenied('CSRF Failed: %s' % reason) def authenticate(self, request): try: header = self.get_header(request) if header is None: raw_token = request.COOKIES.get(settings.AUTH_COOKIE) else: raw_token = self.get_raw_token(header) if raw_token is None: return None validated_token = self.get_validated_token(raw_token) self.enforce_csrf(request) return self.get_user(validated_token), validated_token except: return None ` Then you'd want to set up a view that would allow you to retrieve a CSRF token on the client with something like this: ` @method_decorator(ensure_csrf_cookie, name='dispatch') class GetCSRFToken(APIView): def get(self, request): return Response(status=status.HTTP_204_NO_CONTENT) ` Then you'd want to use `@method_decorator(csrf_protect, name='dispatch')` above any class-based view where you want CSRF enforced. Another thing you can do is also rotate CSRF tokens in particular cases, like for example when a user retrieves an access token. You can use the import `from django.middleware.csrf import rotate_token`, then do `rotate_token(request)` within your view to rotate the CSRF token, which basically means in the response you'd sent a new CSRF token which the client would need to use. Then also on any endpoint where CSRF is enforced, you'd need to use the `X-CSRFToken` header and pass the CSRF token as the value for the header. With RTK Query on the client, you'd also need to prepare the headers on the baseQuery in order to have this working, you'd do that with something like this: ` const baseQuery = fetchBaseQuery({ baseUrl: `${process.env.NEXT_PUBLIC_HOST}/api`, prepareHeaders: headers => { const csrftoken = getCSRFToken(); if (csrftoken) { headers.set('X-CSRFToken', csrftoken); } return headers; }, credentials: 'include', }); ` Then in this example, getCSRFToken would be a function that gets your csrf token from the browser cookies (this wouldn't be a cookie with the HttpOnly flag). And if you're curious, that function would look like the following: ` export const getCSRFToken = () => { const name = 'csrftoken'; let cookieValue = null; if (document.cookie && document.cookie !== '') { let cookies = document.cookie.split(';'); for (let i = 0; i < cookies.length; i++) { let cookie = cookies[i].trim(); if (cookie.substring(0, name.length + 1) === name + '=') { cookieValue = decodeURIComponent( cookie.substring(name.length + 1) ); break; } } } return cookieValue; }; ` So that would pretty much be the setup if you want CSRF token involved in the flow. I omitted mostly because of the complexity it adds and the benefit isn't too high since CSRF attacks are almost impossible to pull off these days. Hope this helps!
@@bryanbrkic hey Bryan, why would i need this `csrf_protect` function in my CustomJWTAuthentication class? Wouldnt using `@method_decorator(csrf_protect, name='dispatch')` above any class-based view where we want CSRF enforced be enough? Thanks!
How can I view my tables in pgadmin? I look at the tables for the postgres db but nothing shows up? I am using docker to containerize django, celery, redis, postgres. Can I not view my db because of this?
Hi, thanks for the this content, when are you planning to release the next part where we can see how to connect django rest framework to next js frontend?
Amazing tutorial, one of the best on internet, u should have more views! I hope your channel grows, thanks man for quality video. Im facing a problem tho, on POST request to OAuth2, Im having an error, I can GET the Url, getting the Code and state on URL. But when I make post request, im having this error: { "non_field_errors": [ "Authentication process canceled" ] } Obs: I'm passing everything needed on the cookies on postman. Someone has similar problem? I can't debug this to find solution
hi! is there a way for the custom auth model, to show up on the admin panel? currently having trouble getting the the users to show up on the admin panel, thanks!
When I follow along and test the endpoints using Postman and add an extra character at the end of the token, it still succeeds. And yes, when I remove the extra character, it still succeeds. Any ideas or suggestions?
I have been checking out Django Rest API and have noticed the heavy usage on the serializers file can you explain why you dont use serializers and when they are needed?
I TRY RUN SERVER BUT DROP THIS ERROR, "ImportError: Could not import 'users.authentication.CustomJWTAuthentication' for API setting 'DEFAULT_AUTHENTICATION_CLASSES'. ModuleNotFoundError: No module named 'users.authentication'."
Make sure you have a users app that is in your installed apps setting, and that you named the file correctly, double check the spelling on authentication.py
As always, your content is pretty amazing and professionally educating. Thank you greatly for your time and effort. However, Django / Next.js is a nice combo and DevOps based on the two. 🙄
Going to make content with the devops setup too, in this series left it out mostly to avoid a lot of devops setup and instead focus on just the authentication. Glad you’re enjoying the content!
Yes you could, but there are benefits to building APIs with frameworks built for building APIs since they're designed to be efficient at doing just that. You also get separation of concerns by having frontend and backend completely separated. But you absolutely could make a full-stack app with just Next.js, all depends on the type of project, a very complex project I'd lean towards separation of concerns, with a project that isn't as intensive with features would probably just do everything on Next.js.
@@bryanbrkic Hello bryan, everything works, but when I use the production url for the google auth the response is "redirect_uri must be in SOCIAL_AUTH_ALLOWED_REDIRECT_URIS". i have tried solving it. it just won't work, breaks my heart that I will be skipping it and move on to fetching the endpoints
Hi brayan, i follow this tutorial but i got 500 response when ever i try to create user but the user data is store in the database. i set up everything correctly.
Let me know in the comments what sort of content you're most interested in:
- tutorials on something specific (Next.js/Django/Redis/Docker/etc.)
- how to build certain apps (e-commerce/social media/real-estate/clones of other apps/etc.)
- overview of how something works (authentication/app architecture/deployment/etc.)
- other (career/learning/habits/energy/procrastination/focus/etc.)
Also one thing I'm thinking is to have things outside of just tutorials on this channel, could be interesting to dive into some topics like the ones in the last point. I like putting together tutorials, but also don't want to just be a tutorial channel.
Let me know your thoughts on some of these things!
Django With Next Auth would be like eating coffee sitting in a mountain. Just perfect. Can you please create one? There's nothing I can find online on this topic
If I had a wish: django-tenants on NextJS (subfolder tenants on the frontend) / DjangoNinja (subdomain tenants) and app architecture (separate repositories for front and backend?) + deployment
I believe this is the most exceptional Django tutorial I've encountered since the day I first saw the sun. It's truly a comprehensive, well-structured, and insightful resource that stands out above all others.
I don't understand how you got only 260 likes. It is by far the best tutorial I have watched on the topic !
This is an awesome video, especially for someone who moves from Django as a full-stack, to Django as a backend only, this is where the challenge comes to understand the lower layers of authentication and how to customize everything to work with the JS frameworks. Thanks, @bryanbrkic for this awesome video.
Maybe something like OTP authentication with next and django?
Being new to frontend technologies, your previous videos on how to implement jwt authentication with react and django helped me a lot, as these kinda tutorials are rare out there.
Also doing some system design stuff, as people already do tons of tutorials without any thoughts of how potentially an app can get messy without a well organized structure would be pretty come in handy ☺️
This is by far the best course I found on UA-cam. Thank you.
This is GOLD! Finally someone who knows their Django!
I'm trying to imagine how on earth you have only 720 likes. this is the best tutorial about authentication using JWT I Have ever seen. I have been the last month researching about the topic and just now I have found something that really helped me to understand the core concepts behind. And the use of postman is a bonus! Thanks a lot my friend. Sorry for my ugly English
Thank you, I appreciate it, and glad you found what you were looking for!
Bryan remembers he has a UA-cam channel and audience.
super excited for this. :D
Haha, glad to hear you're excited :D
you are the best tutor on youtube the next project will be mobile otp authentication ecommerse project
Months later this is still one of the best, if not the best tutorial on this topic by far! Hope you are well Bryan!
Thank you :)
@@bryanbrkic bryand can you a do next-auth /django tutorial ? Tks in advance
Thank you immensely! I'm positively brimming with excitement for the second part!
Thank you, NextJS with Django is my fave combo!
Hello, thank you for the detailed tutorial. Nice work. Do you have a tutorial where you have set up the domain name from vercel and connected it to Digital Ocean that one can follow? and lastly, why did you choose Vercel for your domain? Is it personal preferences or is there something advantageous about vercel?
Amazing content, a new series idea could be using docker, redis, celery with django and deploying to production as ive had a hard time finding content with all of them togethor. Awesome vid!
Thank you Bryan, It was awesome.I learned alot.
as a side note, your speaking and teaching style and even tone your voice reminds me of Adam Swaap (Houdini Artist)
Love to see more of exactly this content, also welcome back hopefully you're planning to update your course!
Eres un chingón, el mejor video que he visto sobre el tema.
Thanks a lot !
Thank you Bryan, great video, learned so much about Django and Python coming from the JavaScript ecosystem
Hello Bryan, whatever you do, thank you so much for your videos that helped me a lot in the past. I think it's necessary to vary the production of videos on different topics.
Hello Bryan, thanks for your tutorial! Is it possible for u to do follow-up series on top of this tutorial, for example building some function like blog posting or so on on top? Thanks again
Thank you! Was looking for a tutorial like this for ages! Very useful
Your search is now over!
What you shared in this video is just incredible, documentations resources, explanations, examples, straight to the point. Thank you dear. I don't really understand why you are at 500 likes.
Waiting for part 2 to come out :)
Hello Bryan, I have a question. By storing jwt in httponly cookies, without a csrf token, isn't the api vulnerable to CSRF?
Hello @bryanbrkic this is an awesome tutorial. Thank you for efforts you put in it.
As I was following the tutorial, I got stuckat the section Testing Google OAuth2.
I am using insomnia for testing the endpoints I get the following error:
{
"non_field_errors": [
"State could not be found in server-side session data."
]
}
whenever I try the Google OAuth2 Login endpoint. Any idea how to fix this ?
Hey there did you fix it? and please can tell me how you did it?
Hello there. Yes I was able to get it to work. In my cas this error was linked to the Insomnia app. I edited the cookie "session id" to include the domain name (localhost) and set Same site to None
Hey Bryan, can you show us how to deploy the frontend on vercel and the backend on heroku? Thanks!
it would be great if you could show us how to create a saas with nextjs and django
i like your teaching style a lot, thank you sir
Thank you so much for this incredible value you're sharing with us 🙏, keep up the good work!
Love your tutorial, a question....
How can I make so that the users without verified identities on AWS can register in my Django website?
This content is really excellent, thank you. I think you can also produce content about application architectures (microservice etc.) in Django.
I've traced back over all the steps, the only thing I've found to be missing is setting the refresh and access expiration on djangos end, as currently it appears to be stuck at its default value, have checked through both the git and the video.
Hey Bryan, by setting AUTH_COOKIE_SAMESITE = 'None', wouldn't that make it vulnerable to CSRF attacks? How could we avoid this in this case, if we still want to use all methods, including POST, for example? Is it possible to combine this jwt cookie approach with csrf token? If so, how could we do that? Thanks, man!
CSRF is a pretty old attack that is next to impossible to pull off these days, but you can still add the protection. This is how you'd set up the CustomJWTAuthentication class if you want this:
`
from django.conf import settings
from rest_framework_simplejwt.authentication import JWTAuthentication
from rest_framework.authentication import CSRFCheck
from rest_framework import exceptions
class CustomJWTAuthentication(JWTAuthentication):
def enforce_csrf(self, request):
def dummy_get_response(request):
return None
check = CSRFCheck(dummy_get_response)
check.process_request(request)
reason = check.process_view(request, None, (), {})
if reason:
raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
def authenticate(self, request):
try:
header = self.get_header(request)
if header is None:
raw_token = request.COOKIES.get(settings.AUTH_COOKIE)
else:
raw_token = self.get_raw_token(header)
if raw_token is None:
return None
validated_token = self.get_validated_token(raw_token)
self.enforce_csrf(request)
return self.get_user(validated_token), validated_token
except:
return None
`
Then you'd want to set up a view that would allow you to retrieve a CSRF token on the client with something like this:
`
@method_decorator(ensure_csrf_cookie, name='dispatch')
class GetCSRFToken(APIView):
def get(self, request):
return Response(status=status.HTTP_204_NO_CONTENT)
`
Then you'd want to use `@method_decorator(csrf_protect, name='dispatch')` above any class-based view where you want CSRF enforced.
Another thing you can do is also rotate CSRF tokens in particular cases, like for example when a user retrieves an access token. You can use the import `from django.middleware.csrf import rotate_token`, then do `rotate_token(request)` within your view to rotate the CSRF token, which basically means in the response you'd sent a new CSRF token which the client would need to use.
Then also on any endpoint where CSRF is enforced, you'd need to use the `X-CSRFToken` header and pass the CSRF token as the value for the header.
With RTK Query on the client, you'd also need to prepare the headers on the baseQuery in order to have this working, you'd do that with something like this:
`
const baseQuery = fetchBaseQuery({
baseUrl: `${process.env.NEXT_PUBLIC_HOST}/api`,
prepareHeaders: headers => {
const csrftoken = getCSRFToken();
if (csrftoken) {
headers.set('X-CSRFToken', csrftoken);
}
return headers;
},
credentials: 'include',
});
`
Then in this example, getCSRFToken would be a function that gets your csrf token from the browser cookies (this wouldn't be a cookie with the HttpOnly flag). And if you're curious, that function would look like the following:
`
export const getCSRFToken = () => {
const name = 'csrftoken';
let cookieValue = null;
if (document.cookie && document.cookie !== '') {
let cookies = document.cookie.split(';');
for (let i = 0; i < cookies.length; i++) {
let cookie = cookies[i].trim();
if (cookie.substring(0, name.length + 1) === name + '=') {
cookieValue = decodeURIComponent(
cookie.substring(name.length + 1)
);
break;
}
}
}
return cookieValue;
};
`
So that would pretty much be the setup if you want CSRF token involved in the flow. I omitted mostly because of the complexity it adds and the benefit isn't too high since CSRF attacks are almost impossible to pull off these days.
Hope this helps!
@@bryanbrkic hey Bryan, why would i need this `csrf_protect` function in my CustomJWTAuthentication class? Wouldnt using `@method_decorator(csrf_protect, name='dispatch')` above any class-based view where we want CSRF enforced be enough? Thanks!
Hey Bryan , First of all thank you for this video and when you'll upload the part 2 ?
Part 2 is scheduled to upload today!
Wow super excited
Glad to hear :)
so when will be realse the part 2? thanks
that will come out on monday!
How can I view my tables in pgadmin? I look at the tables for the postgres db but nothing shows up? I am using docker to containerize django, celery, redis, postgres. Can I not view my db because of this?
thanks for the tutorial man ❤
Hi, thanks for the this content, when are you planning to release the next part where we can see how to connect django rest framework to next js frontend?
That will be coming this Monday!
If I want to use djoser but also use OTP as my activation, how do i do that?
You're amazing. OTP would be great! or authentication overall.
awesome
hi can i use django sesion instead of django cookies,which is more secure thanks....lot thanks
Amazing tutorial, one of the best on internet, u should have more views! I hope your channel grows, thanks man for quality video. Im facing a problem tho, on POST request to OAuth2, Im having an error, I can GET the Url, getting the Code and state on URL. But when I make post request, im having this error:
{
"non_field_errors": [
"Authentication process canceled"
]
}
Obs: I'm passing everything needed on the cookies on postman.
Someone has similar problem? I can't debug this to find solution
hi! is there a way for the custom auth model, to show up on the admin panel? currently having trouble getting the the users to show up on the admin panel, thanks!
Hey awesome content, instant follow :)
Thank you so much ❤ could u create django nextjs 13 and stripe / razorpay payment integration video...???
I'll be putting together some projects with stripe integration!
Why didn't you use Bearer token and went for cookie instead? Can you please make a similar tutorial to implement Django With Next Auth?
guys, the logout view is throwing this "'type' object is not iterable" error and I can't figure out which class object is trying to iterate.
When I follow along and test the endpoints using Postman and add an extra character at the end of the token, it still succeeds. And yes, when I remove the extra character, it still succeeds. Any ideas or suggestions?
Turns out this was on me. I didn't realize that when he did his first round of testing, he hadn't customized the views or the urls yet. All is well!!
how react native social login connect to django djoser oauth to get jwt?
I have a question, Djoser is under maintenance?
please videos on micro services would be perfect
I really appreciate this 😊
I have been checking out Django Rest API and have noticed the heavy usage on the serializers file can you explain why you dont use serializers and when they are needed?
I think it's because he's using the djoser library for user auth, it has serializers in it's source code...
I TRY RUN SERVER BUT DROP THIS ERROR, "ImportError: Could not import 'users.authentication.CustomJWTAuthentication' for API setting 'DEFAULT_AUTHENTICATION_CLASSES'. ModuleNotFoundError: No module named 'users.authentication'."
Make sure you have a users app that is in your installed apps setting, and that you named the file correctly, double check the spelling on authentication.py
Hey @bryanbrkic i am just following your video but got stuck at 2:17:00 , that i got an error as Missing backend "google-oauth2" entry Please help me.
Hi, how are you doing? Were you able to solve that problem? I ran into the same problem.
@@maximoag NO please help me too if you got the solution
As always, your content is pretty amazing and professionally educating. Thank you greatly for your time and effort. However, Django / Next.js is a nice combo and DevOps based on the two. 🙄
Going to make content with the devops setup too, in this series left it out mostly to avoid a lot of devops setup and instead focus on just the authentication. Glad you’re enjoying the content!
Yes I do, senior. Can't wait to have more of these from you.
couldnt you build this only using nextjs? im confused on why you need django as well, isnt nextjs a full stack framework?
Yes you could, but there are benefits to building APIs with frameworks built for building APIs since they're designed to be efficient at doing just that. You also get separation of concerns by having frontend and backend completely separated. But you absolutely could make a full-stack app with just Next.js, all depends on the type of project, a very complex project I'd lean towards separation of concerns, with a project that isn't as intensive with features would probably just do everything on Next.js.
thanks, You did not deploy it on github?
Links are in description
@@bryanbrkic Hello bryan, everything works, but when I use the production url for the google auth the response is "redirect_uri must be in SOCIAL_AUTH_ALLOWED_REDIRECT_URIS".
i have tried solving it. it just won't work, breaks my heart that I will be skipping it and move on to fetching the endpoints
do you have react-native authentication?
I hope OTP authentication with djangorestframework next time because there is no content on this topic in youtube, Thank you very much
Sir next Django and React Native sir Integrating
Nice tutorial
Hi brayan, i follow this tutorial but i got 500 response when ever i try to create user but the user data is store in the database. i set up everything correctly.
Same...
Love this teaching technic. Thanks a lot @bryanbrkic ❤❤❤❤❤❤
I wish there was this with Laravel 😢
Thank You
Thanks
Thanks
having ads at the middle of a video is pretty annoying
Do you have premium?
who had this issue, and how did you solve it when working with djoser google oauth2
"{
"non_field_errors": [
"Authentication process canceled"
]
}"