TechVic
Building a Secure User Authentication System in Django

Building a Secure User Authentication System in Django

Victor Uzoagba's photo
Victor Uzoagba
·

4 min read

Table of contents

Introduction

Authentication is a critical component of any web application, ensuring that users can securely access their accounts and sensitive data. Django, a high-level Python web framework, provides a robust authentication system out of the box, making it easy to implement secure user authentication.

In this tutorial, we will walk through the process of building a secure authentication system in Django. We will cover user registration, login, logout, password management, and social authentication using django-allauth. By the end of this guide, you will have a fully functional authentication system that adheres to best security practices.

Setting Up a Django Project

Before we start implementing authentication, we need to set up a Django project.

Step 1: Installing Django

Ensure you have Python installed, then create a virtual environment and install Django:

# Create a virtual environment (optional but recommended)
python -m venv env
source env/bin/activate  # On Windows, use: env\Scripts\activate

# Install Django
pip install django

Step 2: Creating a New Django Project

Run the following command to create a new Django project:

django-admin startproject myproject
cd myproject

Step 3: Starting the Development Server

Run the Django development server to confirm the setup is successful:

python manage.py runserver

You should see Django’s default welcome page when you visit http://127.0.0.1:8000/ in your browser.

Creating a User Authentication System

Creating a Django App for Authentication

In Django, an app is a modular component of a project. Let’s create an accounts app to handle user authentication:

python manage.py startapp accounts

Add accounts to the INSTALLED_APPS section in settings.py:

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'accounts',
]

Configuring Django’s Built-in User Model

Django provides a built-in User model that includes fields for authentication, such as username, email, and password. To extend the user model, we can create a custom model in accounts/models.py:

from django.contrib.auth.models import AbstractUser

class CustomUser(AbstractUser):
    pass  # Add custom fields if needed

Update settings.py to use the custom user model:

AUTH_USER_MODEL = 'accounts.CustomUser'

Run migrations to apply changes:

python manage.py makemigrations accounts
python manage.py migrate

Implementing User Registration

Creating a Registration Form

Django provides a built-in UserCreationForm that simplifies user registration. Create a forms.py file in the accounts app and define the form:

from django import forms
from django.contrib.auth.forms import UserCreationForm
from .models import CustomUser

class RegistrationForm(UserCreationForm):
    email = forms.EmailField(required=True)

    class Meta:
        model = CustomUser
        fields = ('username', 'email', 'password1', 'password2')

Creating a Registration View

In accounts/views.py:

from django.shortcuts import render, redirect
from django.contrib.auth import login
from .forms import RegistrationForm

def register(request):
    if request.method == 'POST':
        form = RegistrationForm(request.POST)
        if form.is_valid():
            user = form.save()
            login(request, user)
            return redirect('home')
    else:
        form = RegistrationForm()
    return render(request, 'accounts/register.html', {'form': form})

Setting Up Registration URLs

In accounts/urls.py:

from django.urls import path
from .views import register

urlpatterns = [
    path('register/', register, name='register'),
]

Add accounts.urls to myproject/urls.py:

from django.urls import include

urlpatterns = [
    path('accounts/', include('accounts.urls')),
]

Creating the Registration Template

Create templates/accounts/register.html:

<form method="post">
    {% csrf_token %}
    {{ form.as_p }}
    <button type="submit">Register</button>
</form>

Implementing Login and Logout

Django provides built-in authentication views for login and logout.

Configuring Authentication URLs

In accounts/urls.py:

from django.contrib.auth import views as auth_views

urlpatterns += [
    path('login/', auth_views.LoginView.as_view(template_name='accounts/login.html'), name='login'),
    path('logout/', auth_views.LogoutView.as_view(), name='logout'),
]

Creating Login and Logout Templates

Create templates/accounts/login.html:

<form method="post">
    {% csrf_token %}
    {{ form.as_p }}
    <button type="submit">Login</button>
</form>

After login, the user is redirected to /accounts/profile/. To change this, add in settings.py:

LOGIN_REDIRECT_URL = '/'
LOGOUT_REDIRECT_URL = '/'

Implementing Password Reset & Change

Django has built-in views for password management. Add these to accounts/urls.py:

urlpatterns += [
    path('password_reset/', auth_views.PasswordResetView.as_view(), name='password_reset'),
    path('password_reset/done/', auth_views.PasswordResetDoneView.as_view(), name='password_reset_done'),
    path('reset/<uidb64>/<token>/', auth_views.PasswordResetConfirmView.as_view(), name='password_reset_confirm'),
    path('reset/done/', auth_views.PasswordResetCompleteView.as_view(), name='password_reset_complete'),
]

Configure email settings in settings.py for password reset emails:

EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'

Enhancing Security in Authentication

  • Enforce strong passwords using Django’s validators in settings.py:

      AUTH_PASSWORD_VALIDATORS = [
      {'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator', 'OPTIONS': {'min_length': 8}},
  ]

  • Use HTTPS in production:

      SECURE_SSL_REDIRECT = True

  • Enable CSRF protection (enabled by default).

Adding Social Authentication

Install django-allauth:

pip install django-allauth

Add allauth to INSTALLED_APPS and configure it in settings.py:

INSTALLED_APPS += ['allauth', 'allauth.account', 'allauth.socialaccount']
AUTHENTICATION_BACKENDS += ['allauth.account.auth_backends.AuthenticationBackend']

Set up OAuth providers for Google, GitHub, etc., via Django admin.

Conclusion & Next Steps

We have built a secure authentication system in Django, covering user registration, login, logout, password management, and social authentication.

Next Steps:

  • Implement email verification.

  • Add user profile management.

  • Secure deployment using a cloud provider.

authentication vs authorizationauthenticationAuthentication and Authorization ManagementAuthentication Bypasssoftware developmentsoftware architecturesoftwareSoftwareSoftware Engineering#Email Verification APIsdjango rest frameworkDjangoRestFrameworkdjango ormdjango master