Secure JWT Auth Middleware for Django Channels
Project description
Django Channels JWT
Django Channels JWT Middleware is a secure way to handle authentication for Django Channels WebSocket connections without directly exposing JWT tokens. Instead of sending the token itself in the query parameter, this middleware uses UUID-based authentication and cache-based user retrieval for enhanced security.
Security Benefits
-
Enhanced Security: JWT tokens can potentially be intercepted if sent as query parameters. This middleware avoids sending tokens directly, minimizing the risk of token leakage.
-
UUID-based Authentication: This middleware generates UUIDs as tokens for WebSocket connections. These UUIDs are short-lived and act as temporary access keys. When a user connects, they provide the UUID, which is used to retrieve the authenticated user.
-
Cache-based User Retrieval: Upon connection, the middleware validates the UUID, retrieves the corresponding user ID from the cache, and fetches the user asynchronously. This ensures that the WebSocket connection is only established for authenticated users.
Risks of Sending Tokens as Query Parameters
Sending tokens as query parameters can expose security vulnerabilities:
- Token Exposure: Tokens in query parameters can be captured in logs, browser history, or server logs, increasing the risk of unauthorized access.
- Caching: Some proxies or servers may cache URLs, which could lead to tokens being stored in shared caches.
Installation
Install the package using pip:
pip install django-channels-jwt
Configuration
-
Wrap your URLRouter
from django_channels_jwt.middlware import JwtAuthMiddlewareStack application = ProtocolTypeRouter({ "http": get_asgi_application(), "websocket": JwtAuthMiddlewareStack( URLRouter( websocket_urlpatterns, ) ), })
-
Include the provided URL for ticket generation in your project's
urls.py:
from django.urls import path, include
url_patterns = [
# ... your other URL patterns
path("api/auth/", include('django_channels_jwt.urls')
]
or if you want to set customized route
from django.urls import path, include
from django_channels_jwt.views import AsgiValidateTokenView
url_patterns = [
# ... your other URL patterns
path("auth_for_ws_connection/", AsgiValidateTokenView.as_view())
]
Usage
- Ensure your Django app's models are configured correctly.
- Use the included
AsgiValidateTokenViewto generate a ticket (UUID) for WebSocket connections. - Connect to your WebSocket with the generated UUID to authenticate the connection without exposing the token.
ws://localhost:8001/ws/chat/?uuid=
1.0.0 (2023-08-11)
- First release on PyPI.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file django-channels-jwt-0.0.3.tar.gz.
File metadata
- Download URL: django-channels-jwt-0.0.3.tar.gz
- Upload date:
- Size: 5.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2f924633c900e1fced52312f53e3cfd5a578a0876a102cbf0131fb0f80ffdd6c
|
|
| MD5 |
312bffbb94462a3b5679317211cc01bb
|
|
| BLAKE2b-256 |
fb6d557f9da267e43eb1cd9589b555f1a282f5a0671b960df8a503197e6d77a9
|
File details
Details for the file django_channels_jwt-0.0.3-py3-none-any.whl.
File metadata
- Download URL: django_channels_jwt-0.0.3-py3-none-any.whl
- Upload date:
- Size: 5.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ed11c1e188e69b32631418c23919dc7f69496939b82060783dd935ecd881f931
|
|
| MD5 |
2a01b5be81823c672054d1ab42f3f470
|
|
| BLAKE2b-256 |
369a3d9b8b5a50b65f5c5bbb65bb551d7f9defef83e41c1fac3af75264f0956d
|
