
django-lot's Introduction

Django Login over Token

Django Login over Token eases the creation of token-based logins. These can be one-time logins, temporarily valid logins or permanent logins, depending on your settings.

How to install

You can also install it with: pip install django-lot

Configuration

Add the lot app to INSTALLED_APPS, define the LOT setting as a dictionary, and set LOT_MIDDLEWARE_PARAM_NAME if you use the lot middleware.

Example:

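# Imports needed by the names used below (_ and datetime).
from datetime import datetime

from django.utils.translation import gettext_lazy as _

LOT = {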
  'fast-login': {
      'name': _(u'Fast login'),
      'duration': 60,
      'one-time': True,
  },
  'slow-login': {
      'name': _(u'Slow login'),
      'duration': 60*60*24,
      'one-time': True,
  },
  'always-login': {
      'name': _(u'Always login'),
      'one-time': False,
      'duration': None,
  },
  'morning-login': {
      'name': _(u'Morning login'),
      'one-time': False,
      'duration': None,
      'verify-func': lambda x: datetime.now().hour < 12,
      'delete-on-fail': False
  },
}

LOT_MIDDLEWARE_PARAM_NAME = 'uuid-login'

GET key

Add the lot authentication backend to the AUTHENTICATION_BACKENDS settings variable.

Example:

AUTHENTICATION_BACKENDS = (
    "django.contrib.auth.backends.ModelBackend",
    "lot.auth_backend.LOTBackend",
)

Header Key

Add the lot authentication middleware to the MIDDLEWARE_CLASSES settings variable. Ensure it is after Django's AuthenticationMiddleware.

Example:

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'lot.middleware.LOTAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
)

warning:

This method should ONLY be used over HTTPS.

Usage

You have to create the LOT instances with a user and a type (the uuid and the created date are auto-generated). Then you can use the lot login view or the lot login middleware. You can set the session_data attribute to add data to the user session when logging in with LOT.

If you use the lot middleware, you can log in at any URL that carries the parameter defined in LOT_MIDDLEWARE_PARAM_NAME, provided a valid LOT instance is related to its value.

If you use the view, you can add the next param to redirect the user to a URL after the login. By default it will redirect you to the "/" URL.

django-lot's People

Contributors

funkybob, jespino, n3storm

django-lot's Issues

Middlewares appear to be too eager about doing a database query

When using the LOTMiddleware or LOTAuthenticationMiddleware, both are eager to query the LOT model without performing the same pattern matching that using the provided view does.
I think it'd be prudent to avoid even asking the database for values if the given value input doesn't match [\da-f]{8}-([\da-f]{4}-){3}[\da-f]{12} (or if doing UUID(value) fails)
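
The guard proposed in this issue, as an added example (it is not part of the issue and not django-lot's own code): a value is checked against the quoted pattern before any lookup happens. `parse_lot_token`, `CountingStore` and `token_is_known` are hypothetical names, the store stands in for the LOT table, and the sample values are constructed.

```python
import re
import uuid

# Pattern quoted in the issue. re.ASCII limits \d to 0-9; without it,
# \d in a Python 3 str pattern also matches non-ASCII digits.
LOT_UUID_RE = re.compile(r"[\da-f]{8}-([\da-f]{4}-){3}[\da-f]{12}", re.ASCII)


def parse_lot_token(value):
    """Return a uuid.UUID for a canonical token string, else None.

    uuid.UUID() alone is looser than the pattern: it also accepts
    upper case, braces, a "urn:uuid:" prefix and un-hyphenated hex.
    Matching the pattern first keeps one accepted spelling per token.
    """
    if not isinstance(value, str) or not LOT_UUID_RE.fullmatch(value):
        return None
    return uuid.UUID(value)


class CountingStore:
    """Hypothetical stand-in for the LOT table; counts lookups."""

    def __init__(self, tokens):
        self.tokens = set(tokens)
        self.queries = 0

    def exists(self, token):
        self.queries += 1
        return token in self.tokens


def token_is_known(store, raw_value):
    """Middleware-style guard: only well-formed values reach the store."""
    token = parse_lot_token(raw_value)
    return token is not None and store.exists(token)


# Constructed sample inputs (not real tokens).
GOOD = "3f2b8c1e-9a4d-4e6f-8b7a-0c1d2e3f4a5b"
SAMPLES = [GOOD, GOOD.upper(), "{" + GOOD + "}", GOOD.replace("-", ""),
           "urn:uuid:" + GOOD, "\u0663" + GOOD[1:], "not-a-uuid", None]


def run_samples():
    """Check every sample; return the per-sample results and lookup count."""
    store = CountingStore([parse_lot_token(GOOD)])
    return [token_is_known(store, s) for s in SAMPLES], store.queries
```

Only the canonical lower-case value reaches the store, so the seven other samples cost no query.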

Tying LOT_TYPE_CHOICES to the model creates impossible migrations

Specifying LOT_TYPE_CHOICES as the choices for the LOT.type field means that migrations will be created for any types created -- however the migrations are created against the contributed module which means they're not going to be included in source control, which means they aren't being deployed.

Let's not do that and just have a validate() method.

Use an actual UUID field if available

See here why it matters: http://dba.stackexchange.com/questions/6912/should-i-invest-the-time-to-change-the-column-type-from-char36-to-uuid

There are multiple working implementations but django-extensions contains two different implementations.

One that emulates a UUID and uses a char field underneath and one that is actually a UUID field at the database level (which is supported only on postgresql currently).

We need to check if the settings use postgresql and if it does, use that field instead of the emulated UUID field.

urls.py not compatible with Django 1.11

The library can't be used with the newest Django. New Django doesn't support patterns(...) anymore. It uses plain brackets instead.

Maybe like this?

from django.conf.urls import url

from . import views

urlpatterns = [
    url(r"^login/(?P<uuid>[\da-f]{8}-([\da-f]{4}-){3}[\da-f]{12})/$", views.LOTLogin.as_view(), name="login"),
]

Option to not log in if already logged in

I have the problem that users will open multiple tabs from links in emails with login tokens, causing multiple logins, which invalidates the CSRF token. When they try to submit a form from any but the last tab open, they get a CSRF error. Only logging in if the user is not currently logged in would resolve this.
