Custom user authentication in Django, with tests
In the previous part, we created a custom user model in Django. In this part, I'd like to show how to roll custom authentication. Neither custom user model nor custom authentication are required for the granular role-based access control, but I'd like this series to be a complete tour of authentication and authorization in Django. The code accompanying the series can be found in GitHub. So let's get started!
Django authentication 101
Authentication is the process of figuring out who the user claims to be and verifying the claim. In Django's authentication system, the "low-level" approach to verifying the user identity is to call
django.contrib.auth.authenticate. This function checks the user identity against each authentication backend configured in
AUTHENTICATION_BACKENDS variable of
By default, Django uses
ModelBackend as the only authentication backend. It's instructive to look into the implementation of
ModelBackend in GitHub:
class ModelBackend(BaseBackend): def authenticate(self, request, username=None, password=None, **kwargs): if username is None: username = kwargs.get(UserModel.USERNAME_FIELD) if username is None or password is None: return try: user = UserModel._default_manager.get_by_natural_key(username) except UserModel.DoesNotExist: # Run the default password hasher once to reduce the timing # difference between an existing and a nonexistent user (#20760). UserModel().set_password(password) else: if user.check_password(password) and self.user_can_authenticate(user): return user ...
ModelBackend fetches the appropriate user from the backend using either the given
username or the
USERNAME_FIELD defined in user model. The backend then checks the password and also checks if the user can authenticate (checking if the user has
is_active set to
True). Quite simple, eh?
As we'll be authenticating our users with their username (e-mail) and password in this series, we could use the
ModelBackend. However, it's instructive to write our own backend. Also, we'll get rid of all the unnecessary boilerplate in
ModelBackend coming from Django's default permission system, which we won't need.
Custom authentication backend
Every authentication backend in Django should have methods
authenticate() method should check the credentials it gets and return a user object that matches those credentials if the credentials are valid. If the credentials are not valid, it should return
Here's a simple implementation of
# rbac/core/auth.py import typing from rbac.core.models import User from rbac.core import services class CheckPasswordBackend: def authenticate( self, request=None, email=None, password=None ) -> typing.Optional[User]: try: user = services.find_user_by_email(email=email) except Http404: return None return user if user.check_password(password) else None def get_user(self, user_id) -> typing.Optional[User]: try: return User.objects.get(id=user_id) except User.DoesNotExist: return None
services.find_user_by_email method created in the previous post for fetching the user by email. If the password matches, we return the corresponding user. And that's it! Let's set Django to use this backend for authentication:
Now, whenever we call
django.contrib.auth, we're essentially calling
Why did we also define
get_user above in
CheckPasswordBackend? That's a very good question. The answer is that Django documentation says it should be implemented, but I have no idea why. Please drop a comment if you know!
So now we have a great new authentication backend, how do we actually use it? We write a view
auth/login that allows users to login with their email and password. If the user identity is verified, we log them in by calling
login(). This creates a session for the user and stores the
sessionid in a cookie, allowing the user to perform authenticated requests.
Before implementing the
login view, let's be responsible developers and write tests.
To test login, we need to create a sample user. We do that in a
# tests/test_views.py import pytest from rbac.core.services import create_user TEST_USER_NAME = "Jane Doe" TEST_USER_EMAIL = "email@example.com" TEST_USER_PASSWORD = "aösdkfjgösdgäs" @pytest.fixture def sample_user(): user = create_user( name=TEST_USER_NAME, email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD ) return user
Now let's use this fixture in two tests. The first test verifies that logging in with invalid password returns 401:
from django.test import Client @pytest.mark.django_db def test_login_fails_with_invalid_credentials(sample_user): client = Client() response = client.post( "/auth/login", dict(email=TEST_USER_EMAIL, password="wrong-password"), content_type="application/json", ) assert response.status_code == 401 assert "sessionid" not in client.cookies
We're using the Django test client for making requests from tests without actually running the server.
The second test verifies that login succeeds with valid credentials:
@pytest.mark.django_db def test_login_succeeds_with_valid_credentials(sample_user): client = Client() assert "sessionid" not in client.cookies response = client.post( "/auth/login", dict(email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD), content_type="application/json", ) assert response.status_code == 200 assert "sessionid" in client.cookies
At this point, we can start
pytest-watch with the command
ptw -- tests/test_views.py and code until the tests pass. If you haven't added
requirements-dev.txt yet, you should do it now.
Let's now add the view for logging in a user. We expect users to post their email and password in a JSON request body. Here's how we parse the body, authenticate the user, and log them in:
# rbac/core/auth.py import json from django.contrib.auth import authenticate, login from django.http import HttpResponse from django.views.decorators.http import require_http_methods @require_http_methods(["POST"]) def login_view(request): body = json.loads(request.body.decode()) user = authenticate(request, email=body["email"], password=body["password"]) if user: login(request, user) return HttpResponse("OK") else: return HttpResponse("Unauthorized", status=401)
If the call to
authenticate returns a valid user, we login the user, create a session and set the session cookie. Otherwise, we return 401.
Now we need to define the endpoint for our view:
# rbac/core/auth.py from django.urls.conf import re_path urlpatterns = [ re_path("^login$", login_view), ]
We also need to define a new route named
# rbac/core/urls.py from django.conf.urls import include, re_path from rbac.core import views urlpatterns = [ re_path(r"^$", views.index), re_path(r"^auth/", include("rbac.core.auth")), ]
With all this done, your tests should pass with flying colors.
Congratulations, you should now have a much deeper understanding of how authentication works in Django! Please leave a comment how you liked the article. In the next parts, we'll work towards role-based access control. See you next time!