Django With Next Auth would be like eating coffee sitting in a mountain. Just perfect. Can you please create one? There's nothing I can find online on this topic

If I had a wish: django-tenants on NextJS (subfolder tenants on the frontend) / DjangoNinja (subdomain tenants) and app architecture (separate repositories for front and backend?) + deployment

Thank you, I appreciate it, and glad you found what you were looking for!

Haha, glad to hear you're excited :D

Thank you :)

@@bryanbrkic bryand can you a do next-auth /django tutorial ? Tks in advance

Your search is now over!

That will be coming this Monday!

that will come out on monday!

Hey there did you fix it? and please can tell me how you did it?

Hello there. Yes I was able to get it to work. In my cas this error was linked to the Insomnia app. I edited the cookie "session id" to include the domain name (localhost) and set Same site to None

Glad to hear :)

Part 2 is scheduled to upload today!

CSRF is a pretty old attack that is next to impossible to pull off these days, but you can still add the protection. This is how you'd set up the CustomJWTAuthentication class if you want this: ` from django.conf import settings from rest_framework_simplejwt.authentication import JWTAuthentication from rest_framework.authentication import CSRFCheck from rest_framework import exceptions class CustomJWTAuthentication(JWTAuthentication): def enforce_csrf(self, request): def dummy_get_response(request): return None check = CSRFCheck(dummy_get_response) check.process_request(request) reason = check.process_view(request, None, (), {}) if reason: raise exceptions.PermissionDenied('CSRF Failed: %s' % reason) def authenticate(self, request): try: header = self.get_header(request) if header is None: raw_token = request.COOKIES.get(settings.AUTH_COOKIE) else: raw_token = self.get_raw_token(header) if raw_token is None: return None validated_token = self.get_validated_token(raw_token) self.enforce_csrf(request) return self.get_user(validated_token), validated_token except: return None ` Then you'd want to set up a view that would allow you to retrieve a CSRF token on the client with something like this: ` @method_decorator(ensure_csrf_cookie, name='dispatch') class GetCSRFToken(APIView): def get(self, request): return Response(status=status.HTTP_204_NO_CONTENT) ` Then you'd want to use `@method_decorator(csrf_protect, name='dispatch')` above any class-based view where you want CSRF enforced. Another thing you can do is also rotate CSRF tokens in particular cases, like for example when a user retrieves an access token. You can use the import `from django.middleware.csrf import rotate_token`, then do `rotate_token(request)` within your view to rotate the CSRF token, which basically means in the response you'd sent a new CSRF token which the client would need to use. Then also on any endpoint where CSRF is enforced, you'd need to use the `X-CSRFToken` header and pass the CSRF token as the value for the header. With RTK Query on the client, you'd also need to prepare the headers on the baseQuery in order to have this working, you'd do that with something like this: ` const baseQuery = fetchBaseQuery({ baseUrl: `${process.env.NEXT_PUBLIC_HOST}/api`, prepareHeaders: headers => { const csrftoken = getCSRFToken(); if (csrftoken) { headers.set('X-CSRFToken', csrftoken); } return headers; }, credentials: 'include', }); ` Then in this example, getCSRFToken would be a function that gets your csrf token from the browser cookies (this wouldn't be a cookie with the HttpOnly flag). And if you're curious, that function would look like the following: ` export const getCSRFToken = () => { const name = 'csrftoken'; let cookieValue = null; if (document.cookie && document.cookie !== '') { let cookies = document.cookie.split(';'); for (let i = 0; i < cookies.length; i++) { let cookie = cookies[i].trim(); if (cookie.substring(0, name.length + 1) === name + '=') { cookieValue = decodeURIComponent( cookie.substring(name.length + 1) ); break; } } } return cookieValue; }; ` So that would pretty much be the setup if you want CSRF token involved in the flow. I omitted mostly because of the complexity it adds and the benefit isn't too high since CSRF attacks are almost impossible to pull off these days. Hope this helps!

@@bryanbrkic hey Bryan, why would i need this `csrf_protect` function in my CustomJWTAuthentication class? Wouldnt using `@method_decorator(csrf_protect, name='dispatch')` above any class-based view where we want CSRF enforced be enough? Thanks!

Hi, how are you doing? Were you able to solve that problem? I ran into the same problem.

@@maximoag NO please help me too if you got the solution

Turns out this was on me. I didn't realize that when he did his first round of testing, he hadn't customized the views or the urls yet. All is well!!

I'll be putting together some projects with stripe integration!

Going to make content with the devops setup too, in this series left it out mostly to avoid a lot of devops setup and instead focus on just the authentication. Glad you’re enjoying the content!

Yes I do, senior. Can't wait to have more of these from you.

I think it's because he's using the djoser library for user auth, it has serializers in it's source code...

Yes you could, but there are benefits to building APIs with frameworks built for building APIs since they're designed to be efficient at doing just that. You also get separation of concerns by having frontend and backend completely separated. But you absolutely could make a full-stack app with just Next.js, all depends on the type of project, a very complex project I'd lean towards separation of concerns, with a project that isn't as intensive with features would probably just do everything on Next.js.

Links are in description

@@bryanbrkic Hello bryan, everything works, but when I use the production url for the google auth the response is "redirect_uri must be in SOCIAL_AUTH_ALLOWED_REDIRECT_URIS". i have tried solving it. it just won't work, breaks my heart that I will be skipping it and move on to fetching the endpoints

dude dude is it solved ? i am also getting same error

Same...

Make sure you have a users app that is in your installed apps setting, and that you named the file correctly, double check the spelling on authentication.py

Do you have premium?