Note_Tech

All technological notes.

Project maintained by simonangel-fong Hosted on GitHub Pages — Theme by mattgraham

Django - Authentication

Back

Django - Authentication
- Overview
  - Installation
- Authentication in web requests

Overview

Django authentication system
- handles both authentication and authorization.
Authentication
- verifies a user is who they claim to be.
Authorization
- determines what an authenticated user is allowed to do.
The term authentication is used to refer to both tasks.
The auth system consists of:
- Users
- Permissions
  - Binary (yes/no) flags designating whether a user may perform a certain task.
- Groups
  - A generic way of applying labels and permissions to more than one user.
- A configurable password hashing system
- Forms and view tools for logging in users, or restricting content
- A pluggable backend system
Django comes with a user authentication system.
- It handles user accounts, groups, permissions and cookie-based user sessions.
- The authentication system in Django aims to be very generic and doesn’t provide some features commonly found in web authentication systems.
Solutions for some of these common problems have been implemented in third-party packages:
- Password strength checking
- Throttling of login attempts
- Authentication against third-parties (OAuth, for example)
- Object-level permissions

Installation

Authentication support is bundled as a Django contrib module in django.contrib.auth.
- By default, the required configuration is already included in the settings.py generated by django-admin startproject, these consist of two items listed in your INSTALLED_APPS setting:
  - 'django.contrib.auth':
    - contains the core of the authentication framework, and its default models.
  - 'django.contrib.contenttypes':
  - the Django content type system, which allows permissions to be associated with models developers create.
- Also, these items in your MIDDLEWARE setting:
  - SessionMiddleware:
    - manages sessions across requests.
  - AuthenticationMiddleware:
    - associates users with requests using sessions.
- With these settings in place, running the command manage.py migrate creates the necessary database tables for auth related models and permissions for any models defined in your installed apps.

Authentication in web requests

Django uses sessions and middleware to hook the authentication system into request objects.
On every request, the .user attribute represents the current user.
- If the current user has not logged in, this attribute will be set to an instance of AnonymousUser.
- Otherwise it will be an instance of User.
The is_authenticated attribute can tell apart.

if request.user.is_authenticated:
    # Do something for authenticated users.
else:
    # Do something for anonymous users.

Log in a User

Using login(request, user) to attatch an authenticated user to the current session.
- This function saves the user’s ID in the session.
- Note that any data set during the anonymous session is retained in the session after a user logs in.
Example:

from django.contrib.auth import authenticate, login


def my_view(request):
    username = request.POST["username"]
    password = request.POST["password"]
    # authenticate the user with username and pwd by the current seesion.
    user = authenticate(request, username=username, password=password)
    if user is not None:
        login(request, user)    # attach the authenticated user to the current session.
        # Redirect to a success page.
    else:
        # Return an 'invalid login' error message.

Log out a User

Using logout(request) to log out the logged user.
- No return value.
Note that logout() doesn’t throw any errors if the user wasn’t logged in.
When calling logout(), the session data for the current request is completely cleaned out. All existing data is removed.

from django.contrib.auth import logout

def logout_view(request):
    logout(request)
    # Redirect to a success page.

Limiting access to logged-in users

The raw way
- The raw way to limit access to pages is to check request.user.is_authenticated and either redirect to a login page or display an error message.

# login page
from django.conf import settings
from django.shortcuts import redirect


def my_view(request):
    if not request.user.is_authenticated:
        return redirect(f"{settings.LOGIN_URL}?next={request.path}")
    # ...

# display an error message.
from django.shortcuts import render


def my_view(request):
    if not request.user.is_authenticated:
        return render(request, "myapp/login_error.html")
    # ...

Using login_required decorator
login_required():
- If the user isn’t logged in, redirect to settings.LOGIN_URL, passing the current absolute path in the query string. Example: /accounts/login/?next=/polls/3/.
- If the user is logged in, execute the view normally. The view code is free to assume the user is logged in.
Parameter:
- redirect_field_name:
  - By default, the path should be redirected is stoing with the next parameter in query string
  - a different parameter name for the path to be redirected.
- login_url:
  - the login url
  - default: settings.LOGIN_URL

from django.contrib.auth.decorators import login_required


@login_required
def my_view(request):
    pass

Limiting access to logged-in users that pass a test

run test on request.user in the view directly using user_passes_test()
Example:

from django.shortcuts import redirect


def my_view(request):
    # this view checks to make sure the user has an email in the desired domain and if not, redirects to the login page
    if not request.user.email.endswith("@example.com"):
        return redirect("/login/?next=%s" % request.path)

Using @user_passes_test decorator

from django.contrib.auth.decorators import user_passes_test

def email_check(user):
    return user.email.endswith("@example.com")

@user_passes_test(email_check)
def my_view(request):

Using permission_required() decorator
- check whether a user has a particular permission

from django.contrib.auth.decorators import permission_required


@permission_required("polls.add_choice")
def my_view(request):
  pass

TOP