Transcript: Third Party Packages

00:00.0

Hello, welcome to another episode of Django chat. I'm Will Vincent, joined by Carlton

00:10.6

Gibson. Hello. And today we're going to talk about third party packages, which are often

00:15.4

referred to as a secret sauce of Django. So to start things off, why do we have third

00:21.0

party packages, Carlton? Why would you say, you know, Django is a batteries included framework,

00:25.0

it comes with a lot out of the box why not have everything in the box because it's been possible

00:30.7

to maintain essentially um yeah and for 80 of projects they wouldn't need 80 of the functionality

00:37.9

um so batteries included is it's the 80 cases it's almost every project should need everything

00:44.7

that comes with the core framework and then in order to keep it maintainable but also to keep

00:49.9

it relevant. Extra functionality lives outside the core. So we wanted to go through our favorite

00:55.9

third-party packages and we'll list to them because there are, let's say thousands. There's

01:00.7

a website, Django Packages, that lists all of them that we'll link to in the show notes. There

01:04.4

are tons and tons and tons, partly because Django with its projects and app structure lends itself

01:10.4

quite well to separating out functionality for these things. So if you build it for yourself,

01:15.2

you can make it available to other developers and then, you know, can be community projects.

01:21.7

But it's always been encouraged, right? So now we've got 10 year history of people being

01:26.8

encouraged to build third party apps, and then building third party apps and making them

01:30.9

available. And so there are just so many, almost everything you think of, there's a good app out

01:37.0

there that does it, or there's one that's at least good, good enough for you to think users are kind

01:41.6

of um inspiration to copy it in your own project yeah yeah i i think it's often it's a great way

01:46.9

to learn if you're to if it doesn't do exactly what you want to look and see how someone

01:51.1

implemented functionality because again with the web almost nothing is unique um it's someone's

01:57.6

had the problem and tackled it before and um just one caveat is that you before you install a third

02:04.3

party app just have a look and make sure it's well maintained um because what can happen is

02:09.0

you install a third-party app and it works great and that's fine but it doesn't get updated

02:13.8

and over time then when you want to upgrade Django you can't upgrade Django because you're tied to

02:18.8

this third-party app so just just vet them before you install yeah don't don't go crazy I mean in

02:24.6

the way to you know how do you know something's active I would say you should have a fair number

02:28.6

of stars so probably a couple hundred and you should see some action within the last three to

02:36.5

six months if not daily well okay but no django app well yes but like be sensible but django

02:43.8

app conf which is a um a package i maintained it's used by django compressor and a few other

02:50.6

applications but i this week i released um a new version which just changed the

02:57.5

packaging metadata to say it supports python 3.7 and the latest djangos and things like this

03:03.1

but it hadn't been updated for two years but it had zero issues and zero pull requests yeah okay

03:07.8

that's that's very great yeah so you know it's not that it hasn't been updated like things which

03:14.8

are very stable they don't need updating every week yeah fair enough i know i brought it up

03:18.9

because it's it's sometimes hard to hard to tell but anyways all the packages we're going to talk

03:22.7

about today are vetted and so if they're what you need um you should feel as comfortable as one can

03:28.8

using them and we should note we're not going to be so there's also what's a third-party app there

03:33.8

are additional things like wagtail django cms which um i guess they're technically apps but

03:40.2

they're really more like frameworks on frameworks yeah frameworks on frameworks so we're not

03:44.7

wagtail and cms they're full cms frameworks and they're amazing and they're great but they're

03:48.8

they've got their own ecosystems they've got their own dependencies oh wow you know yeah so we're not

03:54.5

going to talk about those today, maybe in a future episode. So let's start right at the top. I mean,

03:59.4

I think everyone would agree the number one third-party package, and most people probably

04:04.1

don't know that it's a third-party package, is Django REST Framework, which is how one builds

04:09.1

RESTful APIs with Django. It is what the majority of Django, professional Django developers,

04:15.6

I would say, use when they use Django. And yet it is not part of Django core, which, you know,

04:21.0

you're a co-maintainer on it so perhaps you can speak to why it's not part of django itself

04:25.5

just historical i guess um to create json responses was you know there's a json response

04:34.9

class and then there was a um a package called tasty pie which um enabled you to do restful apis

04:42.6

which was a third-party package and then long came rest framework and it was never it was just

04:49.5

it just was built as a third-party package and it survived as a third-party package and it continues

04:54.3

to this day but it's yeah i mean for me django django is framework right now what else do i need

04:59.9

yeah no exactly so it's um that's probably the number one third-party app that everyone will use

05:07.4

um and we will we'll do an entire episode or episodes on on it it has its own third-party

05:13.6

packages um that we're not going to talk about today yeah but that's um you know another big

05:20.0

one so i'll actually in in the in the news is django channels um because you've um you've taken

05:26.7

on a new role with this right carlton yeah so andrew godwin who created channels has stepped

05:31.5

back from that um so hopefully that gives him a bit of capacity to work on bringing async support

05:37.5

into django core itself um but he stepped back from the maintenance maintenance role in django

05:43.2

channels and I've stepped up to do that with a couple of other people so we're just keeping

05:46.4

that ticking over but that gives async support to right this is really a future yeah the main

05:52.1

the main use case I guess right now is for web sockets right if you want a web socket thing

05:57.5

then Django channels is the way to go but also if you want to build async applications using Django

06:02.4

you can do that right now with channels and then we'll see what happens with the work that Andrew

06:06.8

comes in perhaps over the next six or twelve months we'll start seeing how Django itself will

06:11.7

provide support for Async

06:13.8

Gold. But Django Channels, if you want

06:15.7

WebSockets, Django Channels.

06:17.6

Yeah, exactly.

06:20.1

Moving on. So I would

06:21.6

say the one that i use on every project is django debug toolbar which is a way to view your your

06:28.7

requests so to see how efficient you know your your blog list is this is a small one um it's

06:37.5

i can't think of why you wouldn't want on every every project yeah it's just super it lets you

06:41.6

view template context variables which and which template you know you always this template extends

06:46.9

that template that includes this template which templates actually did get rendered and what were

06:51.9

the contexts that they actually saw this is just super lets you view your sql requests lets you i

06:58.6

know you can and you can create plugins for if you want to view extra bits and bobs you can um yeah

07:03.8

so panels so both to you know hop into your own project or a new project and see yeah that what

07:10.2

is the template structure and especially for performance you can really see um you know how

07:14.7

many queries are involved. So that's really a must-have. I can't think of a project I've worked

07:19.1

on that didn't have that. Another one that I especially like is Django Extensions, which is a

07:26.6

way, it's several tools, but the really nice one is you can add, what is it, plus, right? So you

07:33.9

can do Python run server plus. So if you want to go into the Django shell, it will automatically

07:39.7

preload all the things that you'll need it has a whole bunch of it's really a swiss army knife

07:45.1

of sort of additional tools that as you become more experienced with django are just really nice

07:49.9

to have yeah my my favorite one there is it will graph your models for you and output those in a

07:56.0

in the dot format the graph is format which then i drag into omni grapple which is a capable editor

08:02.7

for editing those but you can drag that into anywhere and then it gives you a nice um kind

08:07.1

a class diagram of your models which is lovely to have and you can edit that and you can it's

08:13.1

one i use a lot so django extensions super yeah yeah i i don't use all those all those parts of

08:19.2

it you just mentioned i should i should look into that um well which ones do you have we've got a

08:24.4

list of things well so jack so another one i maintain is django filter which is awesome if

08:29.7

you want to create um filter if you want to allow people to filter by url parameters so you know if

08:36.3

I put in size equals a bit large and I want to filter my query set.

08:42.0

Well, you don't just want to expose that raw user input

08:45.6

and then feed it into the ORM because that's dangerous.

08:48.4

So Django Filter will create a form which will then validate that the value is sensible.

08:53.5

It will then take a Quilter set and it will filter it.

08:56.5

And you can very easily and very declaratively create filter sets for your models

09:04.3

which enable you to filter by the parameters that you want

09:06.8

and you can filter across relationships and things like this.

09:09.9

And Django Filter integrates with Django itself

09:12.8

but also with Django REST Framework too.

09:14.5

So it enables you to create very easily

09:16.8

filterable endpoints on your APIs, which is kind of cool.

09:20.5

So, you know, I've got a list of blog posts

09:23.0

I want to filter by those that are tagged Django.

09:25.1

Easy peasy.

09:26.4

Yeah.

09:27.0

Yeah, I mean, that's a separate security thing around

09:29.7

just what you sort of alluded to it with URLs,

09:32.7

you know why you often probably don't want to include the primary key um you know for blog

09:39.2

posts because it'll give away the number of blogs that you have right like you would use a uuid or

09:45.6

you could slugify it um yeah there's a nice little thing called hash ids which is worth looking up i

09:51.5

did so oh i don't i don't know what they do is they take the number and they pass it through a

09:56.1

little algorithm and it comes up with a um with like a say seven or eight digit random string

10:02.9

and it can and it's reversible and that that's great but it's it's they're slightly longer than

10:08.9

one two three ten yeah and it's not necessarily giving away that you know you have 100 you know

10:16.1

blog posts on your site and the order the also important the order is not um deducible right so

10:22.7

you can't predict what the next one will be right yeah i mean you know slugs the problem with slugs

10:27.9

if people haven't experienced this is you know what do you do if you know your url structure is

10:32.7

you know my website.com slash blog slash the name and i write one called hello world and then

10:39.0

carlton writes one called hello world they can't exist at the same url url endpoint so you have to

10:44.1

deal with um the conflicts collisions of that sort so that's why um so one thing is you were

10:50.8

just on slugs while we're here we might as well say i quite like using unique for month or unique

10:54.8

for year so you put a um in the url you might have 2019 or two for february and then you might

11:01.5

have a slug which is unique for that month and then it's not unique forever yeah only one that

11:07.8

month and i kind of quite like using that sometimes and that's an option on model fields

11:12.4

you can if you've got a date time field on the model you can give unique for month and say it

11:18.0

has to be unique on reference to this date time field yeah i mean i didn't know that i mean there's

11:24.6

also an argument around not putting the uh you know not time stamping things in the url because

11:31.4

lots of people don't like that now lots of people don't like but if it is that's an interesting

11:34.3

approach if it is a traditional blog like a web log yes there's a difference between kind of what

11:39.8

you want to have put out evergreen content where you don't want the date in the url yeah and a web

11:45.1

blog where it literally is saying hey today i did this there's no harm then that being grouped by

11:49.3

month or by year or yep anyway yeah yeah um so what else do i like i like jango watson which is

11:56.8

a super package which enables you to make use of your database's text searching features um

12:04.1

it's slightly perhaps viewed as slightly out of date now because jango has got more full text

12:10.6

search features built in but jenga watson is is very good and worth looking at and it supports

12:16.3

all the different backends oh great i haven't i haven't used it well it's great if you it enables

12:22.8

you to um set up an index on a model and then you can pass in a query set and you can just get back

12:29.3

the you can get back a query set which only matches which the search and then you could

12:33.2

filter them further so you might say filter by a tag then search for a string and then filter again

12:40.1

by, you know, publish this, whatever you want it to.

12:43.1

but it's it's super um janga watson that's called the other one by by the same author is called um

12:50.4

janga reversion and this enables you to keep um model histories of your models so say you've got

12:56.5

blog posts and you wanted to be able to go back in history um and say oh what i've edited it and

13:04.2

then it's been edited again it's been edited again but actually the version two ago twice

13:08.6

ago i need to go and look at again django reversion lets you do that oh yeah that'd be very useful

13:14.4

he's a very you know he's two two good apps there that i like yeah well another one next on our list

13:20.9

that i really like um is called django all off which is what you would use for authentication

13:27.1

again because the challenge is that django does not come with a built-in user registration sign

13:32.2

up form um so there's a couple packages out there i like django all off the best it does i guess two

13:38.6

things. One is it enables social authentication. So if you want to add Google, Facebook, Twitter,

13:43.7

it's very straightforward to do that. The other is that it provides a whole ton of customizable

13:51.5

features. You can swap in email instead of username. There's a whole bunch of additional

13:57.1

settings. So, you know, it is a third-party package. So, you know, like, for example,

14:02.2

with email, this is a common, common one. The Django default is to have username, email,

14:07.1

password, which is a little bit outdated right now. More common on websites is to have login

14:12.6

or sign up be with email and password. So you can do that yourself. You need to dive in and

14:19.1

use the model managers, which is a little bit of an advanced feature for people.

14:23.8

Or you can, if you know that you need social or you want some of these additional features,

14:27.6

you can just use Django all off and it's a bit faster to get up and going. So in my first book,

14:34.4

Django for Beginners, I show how to do, we use Django AllAuth in some of the later chapters.

14:40.9

And I think in my new book, I'm going to show, for the example with email, I'm going to show

14:45.3

how to do it with model managers. But we're going to end up using Django AllAuth because if you do

14:49.8

want to have social authentication, which a lot of people do, it's a great way to do it and not

14:56.5

have to roll your own solution. Yeah, and it will capture the OAuth tokens you need to hit the API.

15:03.9

If you've got Twitter login and you want to add Twitter features to your website, you've got the right credential to then make user requests to the Twitter API on the user's behalf.

15:13.4

Yeah, yeah.

15:13.9

You can see in the admin.

15:15.0

I mean, all that auth stuff is a bit of a minefield.

15:17.5

You really don't want to roll your own solution.

15:18.8

One thing I was going to say about AllAuth was that it needs a better tutorial because it is quite opaque.

15:23.9

But then you've just said it's in your book.

15:25.3

I have one.

15:25.6

I have one.

15:26.2

Brilliant.

15:27.0

There you are.

15:27.6

Yeah, yeah.

15:28.2

Of course, there is one from, I think, four or five years ago called the Missing AllAuth Tutorial.

15:32.7

yeah do a google search for django all auth tutorial see what comes up right okay because

15:36.5

because because i you know this is this is how i learn i get frustrated and

15:41.0

i write it up um no i remember when i started using all auth it was like wow this is this is

15:46.1

powerful it does exactly what i want but i have no way of understanding this um apart from reading

15:50.5

the code and working it out and it is a package that i use and i was thinking well it needs

15:55.6

tutorials but of course you've written one already well yeah well that's i mean and you know that is

15:59.3

the the thing about all these third-party packages is you get a tremendous amount of power but then

16:03.4

you need to learn how to use the packages and um you know as i sort of mentioned with django all

16:08.3

off you know i've gone full circle on it where i you know i didn't i didn't initially know how to

16:13.7

you know years ago how to do email instead of username i found django all off i sort of you

16:18.8

know yeah clues together how to do it and then i wanted and sort of learned how to do it the raw

16:24.3

way and now most cases i use jangle all off um because i understand what it's doing and it's

16:30.8

managing the complexity but it's a bit of a circle in the same way um you know i would say generic

16:36.4

class-based views are versus function-based views no and the other thing i like about all we've

16:40.7

turned this into an all-off podcast now but the thing i like about all of as well as it enables

16:44.4

users to manage multiple email addresses which is nice if you want to um if they they want to

16:49.7

control notifications if you need to send a user notifications they want to say look i want

16:53.6

notifications to this email address not that one and it enables them to add multiple email addresses

16:58.6

and choose which one's their primary and things like that so it's what something that i like about

17:03.4

it anyway we should move on yeah and i and i include in in uh django x which is my django

17:08.1

starter project because i think it's um it's a great i think it's it's it's something i use in

17:13.5

almost every project all right moving on um so we have ones for deployment which are or static files

17:20.4

which is static files yeah yeah so white noise do you want to talk about that uh well yeah okay so

17:26.3

there's two there's two strategies here static files can be a pain so the white noise but let's

17:34.1

explain so static files you can when you're just prototyping you can store them um within django

17:39.4

but you really don't want to do that you want them on a cdn for performance reasons yes yeah yes um

17:47.6

the thing is you can have that within django so you know when i teach this i i just sort of show

17:54.6

how to set up static files and stuff and then and we use it and then later i show how to um

18:01.7

you know deploy using django storages or something on s3 or something i don't i sort of go i go

18:08.8

progressively with it right but the thing the thing is that the static files app will serve

18:13.9

your views in in development is perfectly well and so they've got this little if debug that

18:19.3

we all use and that's perfect but you can't use that in in um in development so then white noise

18:25.8

comes along and it gives you a view which will serve your static files and it adds the right

18:29.7

caching headers and it does all these nice things for you that's so that's one strategy so it's

18:34.4

called white noise and then the other option is django storages which if you want to put your

18:38.4

static files on S3 or as your storage is or Google Blob Store, it gives you the tools to do those.

18:46.2

Yeah, because I think you can use, White Noise in particular integrates well with Heroku.

18:51.6

Right, okay.

18:53.0

In general though, you do want to put your static files on a CDM.

18:58.6

Yeah, so even if you use Django storages and put your static files in S3, for example,

19:04.7

where you then put CloudFront in front of it

19:07.1

to speed that up or whatever.

19:10.8

Yeah, well, we can get into all that later.

19:13.4

Another big one.

19:14.2

Anyway, those two good ones.

19:15.7

Yeah, yeah, no, those are great.

19:16.6

Those are ones I use all the time.

19:18.8

Environment variables.

19:20.1

This is something you should use in your projects.

19:23.5

And Django environment is sort of the default.

19:26.9

Well, yeah, there's also .env,

19:28.5

but Django environment is sort of managing

19:30.4

your environment variables.

19:33.4

Do you want to—I'm blanking here on how to explain the package properly other than it helps you manage your environment variables.

19:39.1

Yeah, no, it helps you control your environment.

19:40.9

I mean, this is a fuss, right?

19:42.1

We want to keep—we want to use—we want to do the right thing and not put sensitive variables into our settings files, so we keep them in the environment.

19:52.0

But then we've got to remember that we need to export them into the calling process before we can launch Django.

19:59.8

It's all a pain.

20:00.6

Django environment will help you manage all that.

20:02.6

Right, because you'll use different variables, you know, locally versus deployment.

20:05.3

Yeah, yeah.

20:05.9

And you don't want to put that in source control.

20:08.0

For example, like your secret key or your, you know, your Stripe ID if you're using payments or something.

20:13.7

Yeah, or your database, you know, your AWS.

20:15.3

Yeah, your database.

20:18.1

What's it called? IAM access key thing.

20:21.0

Yeah.

20:21.3

You need to keep that secret, so environment variables for that.

20:27.9

Okay, fine. We'll skip on that one.

20:30.5

Django Guardian is another nice one.

20:31.9

So Django has a nice permissions system, which by default, the Django control.auth permissions will say, yes, you can access blog posts.

20:43.2

Yes, you can access, I don't know, the sales catalog.

20:48.4

But if you want to restrict access to individual objects, then Django Guardian will help you do that.

20:58.1

So you can create object permissions for this specific blog post

21:02.0

or this specific item in the sales catalog.

21:06.3

And that's a useful addition.

21:08.8

Django doesn't provide that.

21:10.5

Yeah, permissions and authorizations is very much an intermediate level thing,

21:16.9

but every single project you want to lock those down and set up the hierarchy.

21:20.3

And that's, again, every project you're doing that.

21:25.1

Yeah, I mean, you know, once you get beyond a certain size of team, it will always be the case that there's a category which people can only access a subset of.

21:35.0

And as soon as you need that, you need object permissions.

21:37.1

And Django Guardian is the go-to solution for that.

21:40.3

Yep.

21:40.6

So another one, I'll tee this up.

21:42.1

Django Compressor is one I really like that you maintain, which is for compressing your static files.

21:50.0

Yeah.

21:50.3

So you should do that.

21:53.3

You should use Django Compressor or something like that.

21:55.1

on all your projects yeah i mean so what's really good about it as well as if you use pre-processors

21:59.7

like um sass or less or post css or um you know i use it for elm but other people can you use it

22:06.8

for react and what you you do is you just create a template block which has got you with the

22:12.0

compressed tag and then you put your script tags in them as normal so you might put your or your

22:16.4

link tags for your css um or your script tags for your javascript but you give them a special media

22:22.6

type which will be like for sass so content style sheets slash sass and then when it sees that it

22:29.5

will run it through the pre-processor and convert your sass into css so that you can load it straight

22:35.7

into the browser and in development it keeps them separate so that you can trace it back to the

22:40.4

individual style sheets but then for production you run a compress command and it compiles them

22:45.5

all into one file and you can minimize them and you can gzip them and you can run it whatever

22:50.4

of pipeline you want to and then it puts them into the static static files folders for white

22:56.5

noise or django storages to deploy and job done and it's yeah no it all ties in very nicely and

23:01.9

and you know there's a number of local versus production things with django that um you know

23:07.1

we've talked about a couple that these packages help you with because you'll you know you want

23:11.1

to get up and running quickly and um locally but then for production it's a different set of

23:15.5

requirements often yeah and so anyway i really love that and i'm not a front-end developer and

23:23.2

so if i work in a you know a team where there's a you know professional front-end developer they

23:29.1

they will replace django compressor with their own build system and their own whatever and we'll

23:33.8

work out the deployment but for me as a django developer i can do something that's semi-respectable

23:38.6

quite more than semi-respectable just using django compressor and then when people need to go that

23:44.2

bridge further, they can do that. Yeah, no, it's a really nice optimization. You know, maybe so one

23:49.9

more, this is sort of a fun one, Django admin honeypot. So a best practice is that one will

23:56.8

notice that every Django site has the admin at slash admin. So if you were a malicious actor,

24:02.3

you could write a script and find out if a site was a Django site. And then you could try to

24:06.9

hack it. There's a couple ways you can safeguard that number one is change the URL. So don't

24:12.9

don't have admin at admin um django admin honeypot lets you see people trying to break into your

24:20.1

admin um so it's a you know it's sort of a fun one it's a good reminder that you should

24:25.3

harden your admin um there's actually a number of steps to do on that but that's sort of a fun

24:30.5

one if you want to see someone in particular trying to break in your site versus just random

24:34.3

bots on the internet yeah right brilliant all right okay so look well that's a whole long list

24:40.9

right um but check the show notes for more on those this is a just a quick run through of our

24:45.8

favorites there are as we said millions or thousands of others um there's a group on github

24:51.7

called jazz band which maintain a whole group and so the danger with a third-party app is it's

24:57.1

difficult to maintain over time and so jazz band take on packages which need help maintenance and

25:02.3

then they maintain them as a group and so they keep these packages going and they're lively so

25:06.2

anything in jazz band you can rely on as being well maintained check out django packages as will

25:11.6

said if you think there's any packages that we haven't covered or should go in depth on please

25:16.9

let us know you can do that at django chat.com there's a way to contact us we're also on chat

25:21.9

django and we'll see you in the next episode okay bye