
A Django Debug Toolbar panel that logs a configured user in or out with one click during development.


django-loginout-panel


A Django Debug Toolbar panel that logs a configured user in or out with one click – handy during local development when you constantly need to jump between an authenticated and an anonymous session.

The panel adds a small log in / log out control to the toolbar sidebar. Each click hits a tiny JSON endpoint that calls Django's login() / logout() for a username you configure, then reloads the page.

Try it (no install)

With uv you can run a self-contained demo straight from GitHub – no clone, no virtualenv, no pip install:

uv run https://raw.githubusercontent.com/andytwoods/django-loginout-panel/master/demo/app.py

uv provisions a matching Python and all dependencies in a throwaway environment, then serves the demo at http://127.0.0.1:8000/. See demo/ for a conventional multi-file version and more detail.

Requirements

  • Python 3.12+
  • Django 5.2+
  • django-debug-toolbar 6.0+

Installation

pip install django-loginout-panel

Or straight from a git checkout:

pip install git+https://github.com/andytwoods/django-loginout-panel.git

Setup

This is a development-only tool. Add it alongside your existing debug toolbar configuration – typically in a local.py / dev.py settings module, never in production.

# settings/local.py

INSTALLED_APPS += [
    "debug_toolbar",
    "loginout_panel",
]

DEBUG_TOOLBAR_PANELS = [
    "loginout_panel.LoginOutPanel",
    # ... your other panels ...
    "debug_toolbar.panels.headers.HeadersPanel",
    "debug_toolbar.panels.sql.SQLPanel",
]

# The user to log in as when you click "log in".
LOGINOUT_USERNAME = "me@example.com"

# Optional: only allow the panel's endpoints from this client IP.
# Leave unset to rely on the toolbar's own SHOW_TOOLBAR_CALLBACK / DEBUG gate.
LOGINOUT_SERVER = "127.0.0.1"

# Optional: trust the X-Forwarded-For header when matching LOGINOUT_SERVER.
# Only enable this behind a reverse proxy that overwrites the header; otherwise
# a client can spoof the allowed IP. Defaults to False (REMOTE_ADDR is used).
LOGINOUT_TRUST_XFF = False

Make sure debug_toolbar is otherwise wired up as usual (middleware + urls.py), per the debug toolbar install docs.

Settings reference

| Setting | Required | Purpose |
| --- | --- | --- |
| LOGINOUT_USERNAME | yes | Username (matched against your user model's USERNAME_FIELD) to log in as. Only active users are eligible. |
| LOGINOUT_SERVER | no | If set, only requests from this client IP may use the login/logout endpoints; all others get a 404. |
| LOGINOUT_TRUST_XFF | no | Trust X-Forwarded-For when resolving the client IP for LOGINOUT_SERVER. Enable only behind a trusted reverse proxy. Defaults to False. |

The login view authenticates using settings.AUTHENTICATION_BACKENDS[0] (falling back to Django's ModelBackend when the setting is unset), so make sure your first backend is the one you want.

Usage

  1. Run your dev server and open any page with the debug toolbar visible.
  2. Find the Login / out panel in the toolbar.
  3. Click log in to become LOGINOUT_USERNAME, or log out to drop to an anonymous session. The page reloads automatically.

Clicking the panel itself opens a body showing the current auth status and the configured username.

How it works

  • LoginOutPanel subclasses debug_toolbar.panels.Panel and registers two URLs under the toolbar's djdt namespace: loginout_login and loginout_logout.
  • The endpoints return JSON and are POST-only, CSRF-protected, and layered behind the toolbar's own SHOW_TOOLBAR_CALLBACK, an explicit settings.DEBUG check, and the optional on_local_server (LOGINOUT_SERVER) IP guard. Any of those failing yields a 404 (or 405/403 for wrong method / missing token).
  • No models, no migrations – it only reads settings and calls the standard auth functions.

Security note

Never enable this in production. It provides an unauthenticated way to log in as an arbitrary account. It is defended in depth so an accidental production deploy still fails closed:

  • POST + CSRF only. The endpoints reject GET and require a CSRF token, so a stray <img src>/link cannot silently log a browser in.
  • DEBUG gate. They 404 whenever settings.DEBUG is off – independent of the toolbar's callback, which a project might loosen to show the toolbar to staff in production.
  • Toolbar callback. They also honour SHOW_TOOLBAR_CALLBACK, so they are only reachable where the toolbar itself is.
  • Active users only, first backend. Only active accounts can be logged in, via AUTHENTICATION_BACKENDS[0].
  • LOGINOUT_SERVER is an extra belt-and-braces IP check. X-Forwarded-For is ignored unless you explicitly opt in with LOGINOUT_TRUST_XFF behind a trusted proxy, so the allowlist cannot be spoofed by default.

Still: keep it in a dev-only settings module and never ship it enabled.
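
The layered gating described under "How it works" and in the security note, as an added sketch in plain Python (not the package's own code). The function names, the order of the checks and the use of the leftmost X-Forwarded-For entry are assumptions; the request dictionaries are constructed.

```python
import ipaddress


def client_ip(meta, trust_xff=False):
    """REMOTE_ADDR by default; X-Forwarded-For only when explicitly trusted."""
    if trust_xff:
        # Assumption: the leftmost entry is taken as the client address.
        first = meta.get("HTTP_X_FORWARDED_FOR", "").split(",")[0].strip()
        if first:
            return first
    return meta.get("REMOTE_ADDR", "")


def ip_allowed(meta, allowed, trust_xff=False):
    """Mirror of the optional LOGINOUT_SERVER guard."""
    if allowed is None:  # setting unset: no IP guard, other gates still apply
        return True
    try:
        seen = ipaddress.ip_address(client_ip(meta, trust_xff))
        return seen == ipaddress.ip_address(allowed)
    except ValueError:  # missing or malformed address fails closed
        return False


def gate(method, meta, *, debug, show_toolbar, csrf_ok,
         allowed=None, trust_xff=False):
    """Status the layered checks would yield; 200 means the view would run."""
    # Assumed order: visibility gates (404) before method (405) and CSRF (403).
    if not show_toolbar or not debug:
        return 404
    if not ip_allowed(meta, allowed, trust_xff):
        return 404
    if method != "POST":
        return 405
    if not csrf_ok:
        return 403
    return 200


# Constructed requests, not captured traffic.
LOCAL = {"REMOTE_ADDR": "127.0.0.1"}
# Remote client that sets the header itself, with no proxy in front.
DIRECT_XFF = {"REMOTE_ADDR": "203.0.113.7",
              "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
# Proxy that appends to the header instead of overwriting it.
APPENDED = {"REMOTE_ADDR": "10.0.0.2",
            "HTTP_X_FORWARDED_FOR": "127.0.0.1, 203.0.113.7"}
```

With the default `trust_xff=False` both header-carrying requests are judged on REMOTE_ADDR and get a 404; with it enabled and no overwriting proxy, both match the allowlist, which is the case the LOGINOUT_TRUST_XFF comment warns about.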

License

MIT – see LICENSE.

Download files


Source Distribution

django_loginout_panel-0.1.0.tar.gz (9.6 kB view details)

Uploaded Source

Built Distribution


django_loginout_panel-0.1.0-py3-none-any.whl (11.0 kB view details)

Uploaded Python 3

File details

Details for the file django_loginout_panel-0.1.0.tar.gz.

File metadata

  • Download URL: django_loginout_panel-0.1.0.tar.gz
  • Upload date:
  • Size: 9.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for django_loginout_panel-0.1.0.tar.gz
Algorithm Hash digest
SHA256 e96db332fbd466a69324f38aff6f785d091ee6a39bdfe4784cb72d01f6f32f00
MD5 7ded22bb36e8b4ab0efb81fc2e56d45a
BLAKE2b-256 d0a5c531c22f60a0cbd42a569c5a1cd658df71fc9879589de703f4c413a7a664


Provenance

The following attestation bundles were made for django_loginout_panel-0.1.0.tar.gz:

Publisher: release.yml on andytwoods/django-loginout-panel

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file django_loginout_panel-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for django_loginout_panel-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7ead4652b55230c75f5dd73f98d42a090a9cc1d666dc75a007e18e186cbc3060
MD5 79790d372a2cc42d269b5cd9026a6a0b
BLAKE2b-256 8a58a7d3beb89923a8b12c78f94901b8d476a4e9b9bd509d9813e1052f04890f


Provenance

The following attestation bundles were made for django_loginout_panel-0.1.0-py3-none-any.whl:

Publisher: release.yml on andytwoods/django-loginout-panel

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
