Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DjangoCon US 2018 - Finally Understand User Aut...

William S. Vincent
November 01, 2018
0
3

DjangoCon US 2018 - Finally Understand User Authentication in Django REST Framework

Traditional Django handles user authentication for us. REST Framework? Not so much. The abundance of choice is overwhelming and typically THE biggest obstacle for newcomers. This talk is a deep dive on authentication in Django REST Framework. We’ll start with an overview of HTTP and REST APIs before demonstrating how to implement the 4 built-in auth modes and their respective pros/cons. Special attention will be paid to common gotchas such as, Why do I need “both” TokenAuth and SessionAuth? What are JWTs? Next we’ll implement a real-world REST auth setup that includes user registration, password reset/confirm, social auth, and endpoints for sign up, log in, and log out. The third-party packages django-rest-auth and django-allauth will be used . By the end of the talk attendees will understand the basics of REST authentication, the tradeoffs involved, and walk away with a working implementation to jumpstart their future projects.

William S. Vincent

November 01, 2018
Tweet

More Decks by William S. Vincent

See All by William S. Vincent
DjangoCon Europe 2025 Keynote - Django for Data Science
wsvincent
0
250
Django for Data Science (Boston Python Meetup, March 2025)
wsvincent
0
420
DjangoConUS 2024 - Django User Model: Past, Present, and Future
wsvincent
0
2
DjangoCon US 2022 - Solving the Django Jigsaw Puzzle
wsvincent
0
0
DjangoCon US 2019 - Search from the Ground Up
wsvincent
0
410
8 Reasons Why Learning Django is Hard (Django Boston - January 2019)
wsvincent
0
2
Django APIs + React (Django Boston - May 2018)
wsvincent
0
2

Featured

See All Featured
[RailsConf 2023] Rails as a piece of cake
palkan
54
5.5k
Git: the NoSQL Database
bkeepers
PRO
430
65k
Rails Girls Zürich Keynote
gr2m
94
13k
Product Roadmaps are Hard
iamctodd
PRO
52
11k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
119
51k
Adopting Sorbet at Scale
ufuk
76
9.3k
We Have a Design System, Now What?
morganepeng
52
7.5k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Speed Design
sergeychernyshev
29
920
Why You Should Never Use an ORM
jnunemaker
PRO
56
9.3k
The Cult of Friendly URLs
andyhume
78
6.3k
Visualization
eitanlees
146
16k

Transcript

  1. Finally Understand User Authentication in Django REST Framework William Vincent

    DjangoCon US 2018 https://wsvincent.com

  2. William Vincent

  3. None

  4. wsvincent.com

  5. /wsvincent

  6. API Application Programming Interface

  7. RESTful APIs • Stateless • Support HTTP methods • URL

    endpoints • Return JSON or XML

  8. +

  9. None
  10. None

  11. HTTP HyperText Transfer Protocol

  12. HTTP Request/Response Cycle CLIENT SERVER

  13. HTTP Verbs Functionality Create Read Update Delete HTTP Method/Verb POST

    GET PUT/PATCH DELETE Rough equivalence between CRUD & HTTP verbs

  14. HTTP Status Codes Code 2xx 3xx 4xx 5xx Meaning Success

    (200, 201) Redirection (301) Client error (404, 401) Server error (500)
  15. None
  16. None

  17. HTTP Anatomy 1) Start/Status line 2) Headers 3) Body (optional)

  18. HTTP Request Start Line GET http://www.example.com HTTP/1.1 HTTP method URL

    HTTP version

  19. HTTP Response Status Line HTTP/1.1 200 OK Status Code HTTP

    version

  20. HTTP Anatomy 1) Start/Status line 2) Headers 3) Body (optional)

  21. HTTP Request Message GET http://www.example.com HTTP/1.1 Host: www.example.com Start Line

    Header(s)

  22. HTTP Response Message HTTP/1.1 200 OK Date: Wed, 03 Oct

    2018 17:50:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1270 Start Line Header(s)

  23. HTTP Anatomy 1) Start/Status line 2) Headers 3) Body (optional)

  24. HTTP Request Message GET http://www.example.com HTTP/1.1 Host: www.example.com

  25. HTTP Response Message HTTP/1.1 200 OK Date: Wed, 03 Oct

    2018 17:50:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1270 <!doctype html> <html> <head> <title>Example Domain</title> ...

  26. Takeaway CLIENT SERVER GET http://www.example.com HTTP/1.1 HTTP/1.1 200 OK Host:

    www.example.com Date: Tue, 16 Oct 2018 22:38:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1270 <!doctype html> <html> <head> <title>Example Domain</title> ...

  27. REST API Endpoint

  28. https://github.com/wsvincent/djangocon2018-rest-auth/

  29. $ curl http://127.0.0.1:8000/users/ [{"id":1,"username":"wsv"}]

  30. $ curl http://127.0.0.1:8000/users/ -v > GET /users/ HTTP/1.1 > Host:

    127.0.0.1:8000 > < HTTP/1.1 200 OK < Date: Wed, 03 Oct 2018 16:37:28 GMT < Server: WSGIServer/0.2 CPython/3.7.0 < Vary: Accept, Cookie < Allow: GET, HEAD, OPTIONS < X-Frame-Options: SAMEORIGIN < [{“id”:1,”username”:”wsv”}]
  31. None

  32. https://xkcd.com/1121/

  33. HTTP Authentication CLIENT SERVER GET / HTTP/1.1 HTTP/1.1 401 Unauthorized

    WWW-Authenticate: Basic GET / HTTP/1.1 Authorization: Basic d3N2OnBhc3N3b3JkMTIz HTTP/1.1 200 OK

  34. 1. BasicAuthentication 2. SessionAuthentication 3. TokenAuthentication 4. RemoteUserAuthentication

  35. #1 BasicAuthentication CLIENT SERVER 1) Send me web resource please?

    2) Who are you? Identify yourself! 3) Hereʼs my username/password in Authorization HTTP Header. 4) Checks credentials. Looks good. Letʼs chat!

  36. #1 BasicAuthentication CLIENT SERVER GET / HTTP/1.1 HTTP/1.1 401 Unauthorized

    WWW-Authenticate: Basic GET / HTTP/1.1 Authorization: Basic d3N2OnBhc3N3b3JkMTIz HTTP/1.1 200 OK

  37. #1 BasicAuthentication (code) # settings.py REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': [

    'rest_framework.authentication.BasicAuthentication', ] }

  38. #1 BasicAuthentication Pros Cons Simple Every request look up Session

    Object Credentials passed in clear text Only suitable for testing Must use HTTPS

  39. Cookies & Sessions

  40. #2 SessionAuthentication CLIENT SERVER 1) Send me web resource please?

    2) Who are you? Identify yourself! 3) Ok, Iʼll log in with credentials. 4) Looks good. Iʼve created a Session Object and ID. 5) Cool, Iʼll store the ID locally and include in HTTP Header. 6) Iʼll compare Session ID to Session Object on every request.

  41. #2 SessionAuthentication (code) # settings.py REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': [

    'rest_framework.authentication.SessionAuthentication', ] }

  42. #2 SessionAuthentication Pros Cons Secure Not good for multiple front-ends

    Only validate user once Hard to keep up-to-date

  43. #3 TokenAuthentication CLIENT SERVER 1) Send me web resource please?

    2) Who are you? Identify yourself! 3) Ok, Iʼll log in with credentials. 4) Looks good. Iʼve created a signed Token. 5) Cool, Iʼll store the signed token and include in HTTP Header. 6) Iʼll check the signed token on every request.

  44. #3 TokenAuthentication CLIENT SERVER GET / HTTP/1.1 HTTP/1.1 401 Unauthorized

    WWW-Authenticate: Token GET / HTTP/1.1 Authorization: Token 401f7ac837da42b97f613d789819ff93537bee6a HTTP/1.1 200 OK

  45. #3 TokenAuthentication (code) # settings.py INSTALLED_APPS = [ 'rest_framework.authtoken', ]

    REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': [ 'rest_framework.authentication.TokenAuthentication', ] }

  46. #3 TokenAuthentication Pros Cons Easy to scale Large tokens hurt

    performance Only validate user once Tokens never expire

  47. #4 RemoteUserAuthentication - Rarely used - Primarily for intranet sites

    (private networks)

  48. BasicAuthentication - insecure, for testing only SessionAuthentication - same session

    context as website, powers DRF visualizer TokenAuthentication - secure, recommended default! RemoteUserAuthentication - intranet sites, rarely used

  49. JSON Web Tokens

  50. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ 9.eyJuYW1lIjoiV2lsbGlhbSBWaW5jZW50I iwibWVzc2FnZSI6IkhpIERqYW5nb0NvbiEi fQ.X5tcGt3N99t8HnjdLvPwDBDbgvU0WuqA S8MKX1Ao7RQ

  51. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 { 'alg': 'HS256', 'typ': 'JWT' }

  52. eyJuYW1lIjoiV2lsbGlhbSBWaW5jZW50IiwibWVz c2FnZSI6IkhpIERqYW5nb0NvbiEifQ { "name": "William Vincent", "message": "Hi DjangoCon!" }

  53. X5tcGt3N99t8HnjdLvPwDBDbgvU0WuqAS8MKX1Ao 7RQ

  54. None

  55. JWTs (code) (env) $ pipenv install djangorestframework-simplejwt

  56. JWTs (code) # settings.py REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': [ 'rest_framework_simplejwt.authentication.JWTAuthentication',

    'rest_framework.authentication.SessionAuthentication', ] }

  57. JWTs Pros Cons Store more data Large size Can be

    signed Complicated setup Can be encrypted Can set to expire

  58. https://github.com/wsvincent/drfx DRFx

  59. Example Project

  60. Getting Started $ pipenv install django $ pipenv shell (env)

    $ django-admin startproject example_project . (env) $ python manage.py startapp users

  61. Custom User Model (part 1) # example_project/settings.py INSTALLED_APPS = [

    ... # Local 'users.apps.UsersConfig', # new ] AUTH_USER_MODEL = 'users.CustomUser' # new

  62. Custom User Model (part 2) # users/models.py from django.contrib.auth.models import

    AbstractUser from django.db import models class CustomUser(AbstractUser): pass

  63. Custom User Model (part 3) # users/admin.py from django.contrib import

    admin from django.contrib.auth.admin import UserAdmin from .models import CustomUser class CustomUserAdmin(UserAdmin): model = CustomUser admin.site.register(CustomUser, CustomUserAdmin)

  64. Custom User Model (part 4) (env) $ python manage.py makemigrations

    users (env) $ python manage.py migrate (env) $ python manage.py createsuperuser (env) $ python manage.py runserver

  65. Install Django REST Framework (env) $ pipenv install djangorestframework

  66. Install Django REST Framework # example_project/settings.py INSTALLED_APPS = [ ...

    # Local 'users.apps.UsersConfig', # 3rd party 'rest_framework', # new 'rest_framework.authtoken', # new ]

  67. Add TokenAuthentication # example_project/settings.py REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': [ 'rest_framework.authentication.SessionAuthentication',

    'rest_framework.authentication.TokenAuthentication', ], }

  68. Migrate new changes (env) $ python manage.py migrate

  69. Install django-rest-auth (part 1) (env) $ pipenv install django-rest-auth

  70. Install django-rest-auth (part 2) # example_project/settings.py INSTALLED_APPS = [ ...

    # Local 'users.apps.UsersConfig', # 3rd party 'rest_framework', 'rest_framework.authtoken', 'rest_auth', # new ]

  71. Install django-rest-auth (part 3) # example_project/urls.py from django.contrib import admin

    from django.urls import path, include # new urlpatterns = [ path('admin/', admin.site.urls), path('rest-auth/', include('rest_auth.urls')), # new ]

  72. http://127.0.0.1:8000/rest-auth/login/ http://127.0.0.1:8000/rest-auth/logout/

  73. Install django-allauth (part 1) (env) $ pipenv install django-allauth

  74. Install django-allauth (part 2) # example_project/settings.py INSTALLED_APPS = [ ...

    # Local 'users.apps.UsersConfig', # 3rd party 'rest_framework', 'rest_auth', 'django.contrib.sites', # new 'allauth', # new 'allauth.account', # new 'rest_auth.registration', # new ]

  75. Install django-allauth (part 3) # example_project/settings.py EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' #

    new SITE_ID = 1 # new

  76. Install django-allauth (part 4) # example_project/urls.py from django.contrib import admin

    from django.urls import path, include urlpatterns = [ path('admin/', admin.site.urls), path('users/', include('users.urls')), path('rest-auth/', include('rest_auth.urls')), path('rest-auth/registration/', include('rest_auth.registration.urls')), # new ]

  77. Install django-allauth (part 5) (env) $ python manage.py migrate (env)

    $ python manage.py runserver http://127.0.0.1:8000/rest-auth/registration/

  78. Resources Source Code https://github.com/wsvincent/djangocon2018-rest-auth Slides https://tinyurl.com/djangocon2018-rest-auth My Site https://wsvincent.com