Simple JWT-based authentication using Django and Django-ninja
Project description
django-ninja-simple-jwt
Provides simple JWT based stateless authentication for Django-ninja
Quick start
Install package:
pip install django-ninja-simple-jwt
add ninja_simple_jwt
to list of INSTALLED_APPS
in Django settings:
# settings.py
INSTALLED_APPS = [
...,
"ninja_simple_jwt"
]
Expose Django-ninja
's API and add ninja_simple_jwt
's auth API endpoint router to the API, ie:
# urls.py
from ninja import NinjaAPI
from ninja_simple_jwt.auth.views.api import mobile_auth_router, web_auth_router
from django.urls import path
api = NinjaAPI()
api.add_router("/auth/mobile/", mobile_auth_router)
api.add_router("/auth/web/", web_auth_router)
urlpatterns = [path("api/", api.urls)]
This would provide 4 available auth API endpoints for mobile and web sign in and token refresh:
- {{server_url}}/api/auth/mobile/sign-in
- {{server_url}}/api/auth/mobile/token-refresh
- {{server_url}}/api/auth/web/sign-in
- {{server_url}}/api/auth/web/token-refresh
If you are not exposing the API and routers at the exact path as the example above,
see WEB_REFRESH_COOKIE_PATH
setting regarding web auth token refresh path.
To protect a resource API, you can use the HttpJwtAuth
as the auth argument when instantiating a Router, ie:
# views.py
from ninja_simple_jwt.auth.ninja_auth import HttpJwtAuth
from ninja import Router
some_resource_router = Router(auth=HttpJwtAuth())
@some_resource_router.get("/hello")
def hello(request):
return "Hello world"
Finally, before starting up the server, create a key pair to be used by the server for signing and verifying JWT:
python manage.py make_rsa
You should see two files created in the root of project repository:
- jwt-signing.pem # this is the private key used to sign a JWT, keep this secret, store appropriately
- jwt-signing.pub # this is the public key used to verify a JWT
Documentation
Customizing JWT key storage
By default, the management command make_rsa
will create and store the JWT key pairs in the root of your project
directory, this is only intended for development.
Here is an example how you can store the keys in a S3 bucket somewhere only your application has access to, assuming
you are using django-storages
to access AWS S3.
# some_project_dir/my_jwt_key_storage.py
from storages.backends.s3boto3 import S3Boto3Storage
aws_s3_private_key_storage = S3Boto3Storage(bucket_name="MySecretJwtKeysStorage")
aws_s3_public_key_storage = S3Boto3Storage(bucket_name="MyPublicJwtKeysStorage")
and provide the above storage instances in Django settings:
# settings.py
NINJA_SIMPLE_JWT = {
"JWT_PRIVATE_KEY_STORAGE": "some_project_dir.my_jwt_key_storage.aws_s3_private_key_storage",
"JWT_PUBLIC_KEY_STORAGE": "some_project_dir.my_jwt_key_storage.aws_s3_public_key_storage",
...
}
You can provide any custom storage implementation in this setting provided that they follow Django's Storage API.
You should make sure that the private key storage is only accessible by the auth service application. The public key storage may be made accessible by other services that need to verify the JWT issued by the auth service.
Enabling auth API endpoints
Mobile
You can enable the mobile auth end points by adding a provided router to the ninja API class:
# urls.py
from ninja import NinjaAPI
from ninja_simple_jwt.auth.views.api import mobile_auth_router
from django.urls import path
api = NinjaAPI()
api.add_router("/auth/mobile/", mobile_auth_router)
urlpatterns = [path("api/", api.urls)]
In the above example with the mobile_auth_router
, you would gain the following endpoints:
- /api/auth/mobile/sign-in
curl --location 'http://127.0.0.1:8000/api/auth/mobile/sign-in' \
--header 'Content-Type: application/json' \
--data '{
"username": "my-username",
"password": "my-password"
}'
The response would contain refresh and access JWT in the body:
{
"refresh": "...",
"access": "..."
}
- /api/auth/mobile/token-refresh
curl --location 'http://127.0.0.1:8000/api/auth/mobile/token-refresh' \
--header 'Content-Type: application/json' \
--data '{
"refresh": "..."
}'
The response would contain an access JWT in the body:
{
"access": "..."
}
Web
See also: web auth endpoint design.
Similarly to the Mobile auth end point example above, you can enable the web auth endpoints by adding it to the ninja API class:
# urls.py
from ninja import NinjaAPI
from ninja_simple_jwt.auth.views.api import web_auth_router
from django.urls import path
api = NinjaAPI()
api.add_router("/auth/web/", web_auth_router)
urlpatterns = [path("api/", api.urls)]
You would gain the following endpoints:
- /api/auth/web/sign-in
curl --location 'http://127.0.0.1:8000/api/auth/web/sign-in' \
--header 'Content-Type: application/json' \
--data '{
"username": "my-username",
"password": "my-password"
}'
The response would contain the access JWT in the body, however the refresh JWT is only in a cookie:
refresh=...; expires=Fri, 09 Feb 2024 03:49:33 GMT; HttpOnly; Max-Age=2591999; Path=/api/auth/web/token-refresh; SameSite=Strict
By default, this refresh cookie is only used when calling the token refresh endpoint (below).
- /api/auth/web/token-refresh
curl --location --request POST 'http://127.0.0.1:8000/api/auth/web/token-refresh' \
--header 'Cookie: refresh=...'
The response would contain an access token in the body.
- /api/auth/web/sign-out
curl --location --request POST 'http://127.0.0.1:8000/api/auth/web/sign-out' \
This will respond with a 204 status code and clear the refresh cookie from client. Note that this does not invalidate the token, it only removes the refresh token from the client.
Customizing token claims for user
You can specify a claim on the JWT and what User model attribute to get the claim value from using the
setting TOKEN_CLAIM_USER_ATTRIBUTE_MAP
.
By default, this setting has the following value:
{
# claim: model attribute
"user_id": "id",
"username": "username",
"last_login": "last_login",
}
The mapping can also take a function as the value, ie:
{
"full_name": lambda user: user.first_name + " " + user.last_name,
}
Serializing user attribute into JWT claim
If the model attribute is not by default serializeable, you can specify how to serialize it by providing a custom implementation of json encoder class. Ie:
# some_directory/custom_encoders.py
from ninja_simple_jwt.jwt.json_encode import TokenUserEncoder
class CustomTokenUserEncoder(TokenUserEncoder):
def default(self, o: Any) -> Any:
if isinstance(o, SomeCustomClass):
return self.serialize_some_custom_class(o)
return super().default(o)
def serialize_some_custom_class(self, o: SomeCustomClass) -> str:
# custom serialization implementation here
return "serialized value"
And then provide the import string for this class in Django setting:
# settings.py
NINJA_SIMPLE_JWT = {
...,
"TOKEN_USER_ENCODER_CLS": "some_directory.custom_encoders.CustomTokenUserEncoder"
}
Settings
All settings specific for this library are stored as key-value pairs under Django setting NINJA_SIMPLE_JWT
, ie:
# settings.py
NINJA_SIMPLE_JWT = {
...
}
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file django_ninja_simple_jwt-0.6.1.tar.gz
.
File metadata
- Download URL: django_ninja_simple_jwt-0.6.1.tar.gz
- Upload date:
- Size: 13.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.10.13
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 9719d0a4b1ad210b3493363a84ca50f41856a770985e8788d94b2cbf4f05d0ea |
|
MD5 | 439a7e368e5aaa863922e964fb979d6a |
|
BLAKE2b-256 | 79ab5e93468022f9bf156cf9990a76cdf51bc5b243e9651c36b187cfcd708746 |
File details
Details for the file django_ninja_simple_jwt-0.6.1-py3-none-any.whl
.
File metadata
- Download URL: django_ninja_simple_jwt-0.6.1-py3-none-any.whl
- Upload date:
- Size: 19.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.10.13
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | f30e201035b99a40f7f9cc572782400a86b8545e9c8455e57febc3fd328220f7 |
|
MD5 | b53d7a71e811bbb6c49d4a90bc3e819a |
|
BLAKE2b-256 | 64d2f0a451a3ced019c7e87c2b0fbc9c8fb934bbedfa2319f9da27a4b2eba656 |