djaodjin / djaodjin-signup

Django app for frictionless signup

License: BSD 2-Clause "Simplified" License

Makefile 0.82% Python 76.08% HTML 3.93% JavaScript 19.17%
django registration frictionless authentication mfa

djaodjin-signup's Introduction

DjaoDjin-Signup


This repository contains a Django App for frictionless signup.

The app will register and login a user with as little as only an email address.

When the user logs out and tries to log back in with the same email address, the app will first verify the email address through an activation URL sent to the registered email address. Setting the password is deferred until after the email address has been verified.

If the email address must be verified before moving forward during the first or a subsequent login (ex: before presenting a payment view), decorate the view with the active_required decorator.

This project contains bare-bones templates which are compatible with the Django and Jinja2 template engines. To see djaodjin-signup in action as part of a full-fledged subscription-based session proxy, take a look at djaoapp.

Install

Add the signup urls to your urlpatterns and EmailOrUsernameModelBackend to the settings AUTHENTICATION_BACKENDS.

urls.py:

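    from django.urls import include, re_path

    # Mount the signup API under /api/ and the HTML views at the site root.
    urlpatterns = [
        re_path(r'^api/', include('signup.urls.api')),
        re_path(r'^', include('signup.urls.views')),
    ]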

settings.py:

    AUTHENTICATION_BACKENDS = (
        'signup.backends.auth.EmailOrUsernameModelBackend',
        'django.contrib.auth.backends.ModelBackend',
    )

Development

After cloning the repository, create a virtualenv environment, install the prerequisites, create and load initial data into the database, then run the testsite webapp.

    $ python -m venv .venv
    $ source .venv/bin/activate
    $ pip install -r testsite/requirements.txt
    $ make vendor-assets-prerequisites
    $ make initdb
    $ python manage.py runserver

    # Browse http://localhost:8000/

Release Notes

Tested with

  • Python: 3.7, Django: 3.2 (LTS)
  • Python: 3.10, Django: 4.2 (latest) - see #55
  • Python: 2.7, Django: 1.11 (legacy) - use testsite/requirements-legacy.txt

0.9.6

  • redirects to activate page when a contact exists but no user
  • presents the activation/registration page when recovering password
  • supports full_name or first_name/last_name form fields
  • handles alpha channel properly in profile pictures
  • falls back on verifying e-mail if there is no phone backend

previous release notes

djaodjin-signup's People

Contributors

dependabot[bot], knivets, smirolo, stephanerob


djaodjin-signup's Issues

Add API endpoint to recover an account

A POST to /api/auth/recover/ with an email address should trigger a notification to the user so she can recover the account. Currently this functionality is only available through the /recover/ page URL.

login through JWT API

  • Add a second login form in the testsite such that login, instead of returning a session cookie, uses the JWT login API to return a JSON Web Token.
  • Add a second register form in the testsite for doing the same for register.
  • Upgrade the vuejs component to generate requests with the CSRF/Cookie or JWT authorization header.

uploadImage returns a permission denied

1/ Calling uploadImage in djaodjin-signup-vue.js results in a permission denied. This is due to an $.ajax call without authorization / csrf headers.

2/ uploadImage should use a dedicated API end-point name even if in some cases it will default to djaodjinSettings.urls.user.api_contact (Ex: djaodjinSettings.urls.api.upload_profile_picture).

3/ Reviewing the #user-profile-container widget, updateProfile is also not working in the presence of a profile picture because saveProfileWithPicture and saveProfile do not exist. In all cases, there should only be one PATCH request in updateProfile.

4/ Rename uploadImage to uploadProfilePicture to be more accurate.

upgrade to Django 4.0

Waiting for django-recaptcha, social-auth-app-django and social-auth-core to support Django 4.0.

Optional double factor authentication

Rework the workflow after login to support double factor authentication.

  1. Introduce Contact.verification_token and Contact.verification_token_expires_at fields to hold the second (generated) factor.
  2. Based on the design for get_broker, retrieve a setting to enable double-factor authentication.
  3. Emit a signal that will implement sending the verification_token to the user (defaults to e-mail in testsuite).
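
One way the token check behind steps 1 and 3 could work, as an added example that is not djaodjin-signup code. The `Contact` dataclass is a stand-in carrying only the two fields named in the issue; `TOKEN_LIFETIME`, `issue_token` and `verify_token` are hypothetical names, and the 5-minute lifetime is an assumption.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_LIFETIME = timedelta(minutes=5)  # assumed lifetime, not from the issue


@dataclass
class Contact:
    """Stand-in for the model: only the two fields named in the issue."""
    email: str
    verification_token: Optional[str] = None
    verification_token_expires_at: Optional[datetime] = None


def _clear(contact):
    contact.verification_token = None
    contact.verification_token_expires_at = None


def issue_token(contact, now):
    """Generate a fresh 6-digit code and set its expiry. The code is
    returned so a signal handler can deliver it (e-mail, SMS, ...)."""
    code = "%06d" % secrets.randbelow(10 ** 6)  # CSPRNG, not random.random()
    contact.verification_token = code
    contact.verification_token_expires_at = now + TOKEN_LIFETIME
    return code


def verify_token(contact, submitted, now):
    """True only for the current, unexpired code; a code works once."""
    token = contact.verification_token
    expires_at = contact.verification_token_expires_at
    if token is None or expires_at is None:
        return False
    if now >= expires_at:
        _clear(contact)  # an expired code must not become valid again
        return False
    # Compare as bytes in constant time so response timing does not
    # reveal how many leading characters of a guess were correct.
    if not hmac.compare_digest(token.encode(), submitted.encode()):
        return False
    _clear(contact)  # single use: a replayed code is rejected
    return True
```

A deployed version would also cap failed attempts per issued code; that counter is left out here because the issue names only these two fields.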

support multi-tenants

In signup/settings.py, DISABLED_AUTHENTICATION, DISABLED_REGISTRATION are used to enable/disable authentication and registration globally. This needs to be changed to use the output of a function instead. The function will look like the following in saas/models.py:

    def get_broker():
        """
        Returns the site-wide provider from a request.
        """
        from saas.compat import import_string
        LOGGER.debug("get_broker('%s')", settings.BROKER_CALLABLE)
        try:
            return import_string(settings.BROKER_CALLABLE)()
        except ImportError:
            pass
        return Organization.objects.get(slug=settings.BROKER_CALLABLE)

Builtin registration view is broken

When trying to sign up I get this ValueError: The given username must be set. The problem is that the username field is always empty in the file signup/views/users.py on line 266. And apparently the NameEmailForm is not expecting a username parameter, while the call on line 266 is trying to fetch the field from the form data.

API for daily active users metrics

We will count as a daily active user one where start_of_day(yesterday) < User.last_login < end_of_day(yesterday). This will be used in dashboard widget:

  • This API endpoint could also be used to show a graph of daily active users through time. So it could/should be modeled on the model of saas.api.metrics.RevenueMetricAPIView for both request parameters and result JSON schema.

  • The definition of start_of_day/end_of_day should take into account timezones to make sure metrics do not change based on where the browser making a request is located.

Cannot register with non-ASCII content in form

This issue was originally opened here in djaodjin-saas.

@marmida said:

Validation rules fire that prevent the entry of non-ASCII content into the registration form. See the attached image.
This may be specific to the wrapping site, or may be part of the djaodjin-signup core. I'm not certain. It should be the case that the registration form instead allows non-ASCII input.
