Authentication for web and mobile applications through Django's RESTful web service

I am developing a solution for my company with the following architecture: a RESTful web service, built on Django, which provides a level of authentication and persistence for both the web client application and the mobile client application (which is written using PhoneGap).

We read a lot around the Internet about client-side authentication methods that support both web and mobile applications, and from what we found (which is very bad), we are thinking about creating an API key for each user registered in the mobile client application and saving this API key in the local storage of the device; and in the web client using traditional cookie session management, including the CSRF token in POST, PUT, and DELETE requests.

We would like to know what the best authentication methods are, and whether this approach is good enough. Are there other methods for authentication? Which one is the best?

We are trying to avoid using OAuth, as this adds complexity to our development.

We already checked this question, but its answers did not help us very much, since we use PhoneGap and have the architecture described above.

Thanks for your help!


If you really, really want to create your own solution: this is my old bad solution from before OAuth time.

  • Create a view that returns some key after a successful login with username / password and adds the generated access_key to the db
  • Check the key in the request => if it exists in the db => log in

    # pseudo code: view
    import secrets
    from django.contrib.auth import authenticate, login
    from django.http import JsonResponse
    from .models import UserAuth  # the answer's model: a user FK plus an access_key field

    def get_my_token(request):
        user = authenticate(request,
                            username=request.POST.get('username'),
                            password=request.POST.get('password'))
        if user is None:
            return JsonResponse({'error': 'bad credentials'}, status=401)
        login(request, user)
        # first check whether the user already has an access_key
        try:
            user_auth = UserAuth.objects.get(user=user)
        except UserAuth.DoesNotExist:
            # generate a random, unique key instead of a fixed placeholder
            user_auth = UserAuth(user=user, access_key=secrets.token_urlsafe(32))
            user_auth.save()
        return JsonResponse({'access_key': user_auth.access_key})

Now you can save the access_key somewhere and add it as the header 'access_key_or_any_other_name' on each call to the REST resources. Create an authentication middleware, not server-side storage.

  # auth_middleware
  from django.contrib import auth
  from django.utils.deprecation import MiddlewareMixin
  from .models import UserAuth

  class StupidNoAuthMid(MiddlewareMixin):
      def process_request(self, request):
          # Django exposes the request header 'access_key_or_any_other_name'
          # as META['HTTP_ACCESS_KEY_OR_ANY_OTHER_NAME']
          access_key = request.META.get('HTTP_ACCESS_KEY_OR_ANY_OTHER_NAME')
          if not access_key:
              return
          try:
              user = UserAuth.objects.get(access_key=access_key).user
          except UserAuth.DoesNotExist:
              return
          auth.login(request, user)

You do not want to reinvent the wheel. Use OAuth; you can save the access_token in the future.

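The per-user API key the question proposes and the access_key view plus middleware in the answer both boil down to one mechanism: issue a random key once, look it up on every request. The following is an added example (not code from the question, the answer, or any Django project) that models that mechanism in plain Python so it runs without Django. It adds the properties a reviewer would ask for: the key comes from `secrets`, only a SHA-256 hash of it is stored server-side so a leaked table does not yield usable keys, keys expire and can be revoked on logout, and the header is read the way Django exposes it in `request.META`. The header name `X-Access-Key`, the `HTTP_X_ACCESS_KEY` META key, the 30-day lifetime, and the `AccessKeyStore` class are all assumptions made for this example.

```python
"""Constructed model of an access-key scheme: issue, verify, expire, revoke.
Assumptions (not from the page): client sends `X-Access-Key`, which Django
would expose as META['HTTP_X_ACCESS_KEY']; keys live 30 days; the store
below stands in for the answer's UserAuth table.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

HEADER_META_KEY = "HTTP_X_ACCESS_KEY"   # assumed header, as seen in request.META
TOKEN_TTL_SECONDS = 30 * 24 * 3600      # assumed 30-day key lifetime


@dataclass
class StoredKey:
    user: str
    key_hash: str          # sha256 of the raw key; the raw key is never stored
    expires_at: float
    revoked: bool = False


class AccessKeyStore:
    """In-memory stand-in for the UserAuth table from the answer."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, StoredKey] = {}

    @staticmethod
    def _hash(raw_key: str) -> str:
        # Hashing means a dump of this table cannot be replayed as keys.
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a fresh key for `user`; the raw key is returned exactly once."""
        now = time.time() if now is None else now
        raw_key = secrets.token_urlsafe(32)          # 256 bits of CSPRNG output
        key_hash = self._hash(raw_key)
        self._by_hash[key_hash] = StoredKey(
            user=user, key_hash=key_hash, expires_at=now + TOKEN_TTL_SECONDS)
        return raw_key

    def resolve(self, raw_key: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owning user if the key is known, unexpired and not revoked."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(self._hash(raw_key))
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        return rec.user

    def revoke(self, raw_key: str) -> bool:
        """Invalidate a key (e.g. on logout or device loss); True if it existed."""
        rec = self._by_hash.get(self._hash(raw_key))
        if rec is None:
            return False
        rec.revoked = True
        return True


def user_from_request_meta(store: AccessKeyStore, meta: dict,
                           now: Optional[float] = None) -> Optional[str]:
    """What the answer's middleware does: read the header, look the key up."""
    raw_key = meta.get(HEADER_META_KEY)
    if not raw_key:
        return None
    return store.resolve(raw_key, now=now)


if __name__ == "__main__":
    store = AccessKeyStore()
    key = store.issue("alice")
    # Constructed META dict standing in for a Django request
    print(user_from_request_meta(store, {HEADER_META_KEY: key}))   # alice
    store.revoke(key)
    print(user_from_request_meta(store, {HEADER_META_KEY: key}))   # None
```

Because the lookup is by the hash of the presented key, an attacker who obtains the database still has to invert SHA-256 over 256 random bits to get a usable key; the middleware in the answer, which stores and compares the raw key, gives that up on any SQL injection or backup leak. Expiry and revocation are what make the "save it in the device's local storage" part of the question tolerable, since a key copied off a lost phone stops working once the user logs out elsewhere or the TTL passes.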

Source: https://habr.com/ru/post/924216/
