Django has a user authentication system that handles a wide range of functions, from user accounts and cookie-based user sessions to groups and permissions. Authentication is the mechanism that connects an incoming request with identifying credentials, such as where the request came from and which token it is signed with. Permission policies can then be used to permit or deny the request.
The Django authentication system deals with both authentication and authorization. Authentication confirms that a user is actually who they claim to be, while authorization determines what an already authenticated user is allowed to do. In everyday usage the term authentication often refers to both tasks. The Django authentication system is composed of the following:
Unlike most web authentication systems, Django's is deliberately generic and ships with relatively few features. Third-party packages provide solutions for common needs such as checking password strength, throttling login attempts, and authenticating against third parties such as OAuth providers.
Authentication support is provided as a contrib module (django.contrib.auth). The required configuration is included by default in the settings.py generated by the django-admin startproject command. In the INSTALLED_APPS setting you'll find these two items:
In the MIDDLEWARE setting, you’ll find these two items:
With these settings in place, you only need to run manage.py migrate to create the database tables needed for auth-related tasks and for the permissions of the apps you have installed.
The Django authentication system has changed over time as it evolved to serve more tasks, handle varied project needs, and implement secure password storage and permissions.
Django also supports a wide range of extensions and customizations to handle projects with different authentication needs. Note that the authentication and authorization features of django.contrib.auth are somewhat coupled together.
The Django authentication system is built around user objects, which represent the people interacting with your site. User objects are used to restrict access to specific content, connect content with its creator, and register new user profiles, among other things.
The Django authentication framework has only one user class. "Superusers" and admin "staff" users are not a separate user class but ordinary user objects with particular attributes set. Default users have the following primary attributes:
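The settings described above can be checked mechanically. The following is an added example, not Django's own code: REQUIRED_APPS and the two middleware paths are the entries that django-admin startproject generates for django.contrib.auth, while auth_setting_problems() and the two sample settings lists are constructed for this illustration. It also checks ordering, because AuthenticationMiddleware reads request.session and therefore must run after SessionMiddleware.

```python
"""Sanity-check the auth-related parts of a Django settings module.

Added example; the checker function and sample settings are constructed,
only the app and middleware paths are the real Django dotted paths.
"""

# Apps that django.contrib.auth needs in INSTALLED_APPS.
REQUIRED_APPS = ("django.contrib.auth", "django.contrib.contenttypes")

# Middleware that must be present, and in this relative order.
SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"
AUTH_MW = "django.contrib.auth.middleware.AuthenticationMiddleware"


def auth_setting_problems(installed_apps, middleware):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    for app in REQUIRED_APPS:
        if app not in installed_apps:
            problems.append(f"INSTALLED_APPS is missing {app}")

    if SESSION_MW not in middleware:
        problems.append(f"MIDDLEWARE is missing {SESSION_MW}")
    if AUTH_MW not in middleware:
        problems.append(f"MIDDLEWARE is missing {AUTH_MW}")

    # AuthenticationMiddleware relies on request.session, which only exists
    # once SessionMiddleware has run, so the session middleware must be first.
    if SESSION_MW in middleware and AUTH_MW in middleware:
        if middleware.index(SESSION_MW) > middleware.index(AUTH_MW):
            problems.append("SessionMiddleware must be listed before AuthenticationMiddleware")
    return problems


# Constructed sample: what a freshly generated project looks like.
GOOD_INSTALLED_APPS = [
    "django.contrib.admin",
    "django.contrib.auth",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django.contrib.messages",
    "django.contrib.staticfiles",
]
GOOD_MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
]

# Constructed sample: contenttypes dropped and the middleware order swapped.
BAD_INSTALLED_APPS = ["django.contrib.auth", "django.contrib.sessions"]
BAD_MIDDLEWARE = [
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
]


if __name__ == "__main__":
    for label, apps, mw in (("good", GOOD_INSTALLED_APPS, GOOD_MIDDLEWARE),
                            ("bad", BAD_INSTALLED_APPS, BAD_MIDDLEWARE)):
        print(label, auth_setting_problems(apps, mw) or "OK")
```

Run it against your own settings by importing the module and passing settings.INSTALLED_APPS and settings.MIDDLEWARE; an empty list means the auth tables will be created by manage.py migrate and request.user will be populated on every request.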
For a more detailed reference, see the full API documentation: https://docs.djangoproject.com/en/1.11/ref/contrib/auth/#django.contrib.auth.models.
You can create users directly with the create_user() helper. First import the model with from django.contrib.auth.models import User, then call, for example, user = User.objects.create_user('jane', '[email protected]', 'janepassword').
The user object for jane is now created and saved in the database. You can then change any other attributes or fields, such as user.last_name, and then persist the change with user.save().
Alternatively, you can create users interactively from the Django admin if you have it already installed.
You can create superusers with the createsuperuser management command: python manage.py createsuperuser --username=jane --email=[email protected]
You'll be prompted for a password, and the user is created once you enter it. You'll also be prompted for the --username or --email values if you left them out.
The user model does not store clear-text (raw) passwords; it stores a hash instead. See the password management documentation for more details: https://docs.djangoproject.com/en/1.11/topics/auth/passwords/.
Avoid manipulating the password attribute directly; use the helper function when creating a user. You can, however, change a user's password in several ways.
Keep in mind that when you change your password, the system will automatically log you out of all your active sessions.
To authenticate users, use the authenticate() function to validate a set of credentials. It takes the credentials as keyword arguments (username and password in the default case), checks them against each configured authentication backend, and returns the user object if the credentials are valid for a backend. If the credentials are not valid for any backend, or if a backend raises PermissionDenied, it returns None.
When a request that has not been authenticated is denied, you'll get an error code such as HTTP 401 Unauthorized or HTTP 403 Forbidden (permission denied). It is therefore important to ensure that you have the right username and password values for each user you add to the system.
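The three behaviours described above (passwords stored only as salted hashes, authenticate() walking the backends and returning None on bad credentials or PermissionDenied, and a password change invalidating existing sessions) can be shown together without a Django installation. The following is an added example written against the standard library, not Django's code: the User, ModelBackend and DenyListBackend classes, the USERS dictionary, the iteration count and SECRET_KEY are constructed stand-ins. Only the pbkdf2_sha256$iterations$salt$hash storage format and the "!" unusable-password marker mirror what Django actually writes to the password column.

```python
"""Stdlib model of Django's password hashing, authenticate() and session hash.

Added example; nothing here is Django's own code. The classes and the USERS
table are constructed stand-ins so the logic can be run and tested offline.
"""
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 100_000                  # constructed; Django's default is higher
SECRET_KEY = "constructed-secret-key"  # stands in for settings.SECRET_KEY


class PermissionDenied(Exception):
    """A backend raises this to reject the credentials outright."""


def make_password(raw, salt=None, iterations=ITERATIONS):
    """Encode a raw password as pbkdf2_sha256$<iterations>$<salt>$<b64 digest>."""
    salt = salt or secrets.token_hex(11)
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(digest).decode()}"


def check_password(raw, encoded):
    """Re-derive the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt, _digest = encoded.split("$", 3)
    except ValueError:
        return False  # not an encoded hash, e.g. a raw string written to the field
    if algorithm != "pbkdf2_sha256":
        return False
    return hmac.compare_digest(make_password(raw, salt, int(iterations)), encoded)


class User:
    def __init__(self, username, is_active=True):
        self.username = username
        self.is_active = is_active
        self.password = "!"  # unusable until set_password() runs, as in Django

    def set_password(self, raw):
        self.password = make_password(raw)

    def check_password(self, raw):
        return check_password(raw, self.password)

    def get_session_auth_hash(self):
        # HMAC over the stored hash: changes whenever the password changes.
        return hmac.new(SECRET_KEY.encode(), self.password.encode(), "sha256").hexdigest()


USERS = {}  # constructed stand-in for the auth_user table


class ModelBackend:
    """Default-style backend: look the user up and verify the password."""
    def authenticate(self, username=None, password=None, **kwargs):
        user = USERS.get(username)
        if user is None or not user.is_active or password is None:
            return None
        return user if user.check_password(password) else None


class DenyListBackend:
    """Constructed policy backend that refuses some usernames outright."""
    def authenticate(self, username=None, **kwargs):
        if username in {"root", "admin"}:
            raise PermissionDenied
        return None  # "not mine", let the next backend decide


BACKENDS = [DenyListBackend(), ModelBackend()]


def authenticate(**credentials):
    """Try each backend in order; PermissionDenied stops the chain with None."""
    for backend in BACKENDS:
        try:
            user = backend.authenticate(**credentials)
        except PermissionDenied:
            return None
        if user is not None:
            return user
    return None


def login(user):
    """Return the session data stored at login time."""
    return {"_auth_user_id": user.username,
            "_auth_user_hash": user.get_session_auth_hash()}


def session_is_valid(session, user):
    """A session survives only while its stored hash matches the current one."""
    return hmac.compare_digest(session["_auth_user_hash"], user.get_session_auth_hash())
```

Assigning user.password = 'plaintext' instead of calling set_password() leaves a value that check_password() cannot parse, so authenticate() returns None for that user even with the "correct" password. The session hash is why a password change logs the user out of existing sessions: the data saved at login no longer matches the freshly computed hash.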