Paseto authentication for Django Rest Framework
Still in development, NOT READY for production.
Before using this, see https://github.com/paragonie/paseto for more information about PASETO and https://github.com/rlittlefield/pypaseto for the Python implementation this package builds on.
Motivations and objectives
I needed a token authentication system for a new project and none of the available third-party authentication packages covered my requirements completely. After some work developing my own system, I thought it would be interesting to share it and accept suggestions and contributions.
My goal is to build a token authentication system that meets the following requirements:
- Secure and simple authentication using Paseto (Platform-Agnostic SEcurity TOkens).
- Front-end agnostic (browser apps, mobile apps, etc).
- Suitable for user authentication and app integrations.
- Facilitates both reactive (blacklist tokens) and proactive (check IP, user-agent header, etc) security measures.
- Customisable token payloads, authentication conditions (transparent support for 2FA) and actions (e.g. checking user login attempts).
Installation and configuration
Install using pip:
pip install django-rest-paseto-auth
Generate a 32-byte secret key, encoded as hexadecimal (64 hex characters):
import secrets
secrets.token_hex(32)
'55acd7321e85e62d0fe5ee6ea127ba4bd8ac90f6ea87f1bf2d3d5e816399d7d2'
Add it to your Django configuration and keep it as secret as the project's SECRET_KEY (never commit it to version control):
PASETO_KEY = '55acd7321e85e62d0fe5ee6ea127ba4bd8ac90f6ea87f1bf2d3d5e816399d7d2'
Add paseto_auth to your installed applications:
INSTALLED_APPS = (
...
'paseto_auth',
)
And apply migrations:
python manage.py migrate paseto_auth
Include paseto auth URLs:
from django.urls import include, path
urlpatterns = [
path('api/auth/', include('paseto_auth.urls', namespace='paseto_auth')),
]
Finally, add the authentication scheme to the REST_FRAMEWORK configuration or to the views you want to protect:
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'paseto_auth.authentication.PasetoAuthentication',
)
}
Optional configuration with default values:
PASETO_AUTH = {
'HEADER_PREFIX': 'Paseto', # Prefix for the authentication header, e.g. Bearer
'ACCESS_LIFETIME': 5*60, # Max: 10*60 seconds
'REFRESH_SHORT_LIFETIME': 12*3600, # Max: 24*3600 seconds
'REFRESH_LONG_LIFETIME': 30*24*3600, # Max: 60*24*3600 seconds
'REFRESH_PERMANENT_LIFETIME': 2*365*24*3600 # seconds
}
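The settings above carry documented maximums for the token lifetimes, and PASETO v2.local requires a key of exactly 32 bytes. The following is an added start-up check (not part of django-rest-paseto-auth) that merges overrides into the documented defaults, enforces those maximums and validates the key; the additional ordering check short <= long <= permanent is an assumption of this example, not a rule stated by the project.

```python
import secrets

# Defaults and maximum values as documented for PASETO_AUTH (all lifetimes in seconds).
PASETO_AUTH_DEFAULTS = {
    'HEADER_PREFIX': 'Paseto',
    'ACCESS_LIFETIME': 5 * 60,
    'REFRESH_SHORT_LIFETIME': 12 * 3600,
    'REFRESH_LONG_LIFETIME': 30 * 24 * 3600,
    'REFRESH_PERMANENT_LIFETIME': 2 * 365 * 24 * 3600,
}
LIFETIME_MAXIMUMS = {
    'ACCESS_LIFETIME': 10 * 60,
    'REFRESH_SHORT_LIFETIME': 24 * 3600,
    'REFRESH_LONG_LIFETIME': 60 * 24 * 3600,
}
LIFETIME_KEYS = tuple(k for k in PASETO_AUTH_DEFAULTS if k.endswith('_LIFETIME'))


def check_paseto_key(paseto_key):
    """Return PASETO_KEY as raw bytes; v2.local needs exactly 32 bytes (64 hex characters)."""
    try:
        raw = bytes.fromhex(paseto_key)
    except (TypeError, ValueError):
        raise ValueError('PASETO_KEY must be a hexadecimal string')
    if len(raw) != 32:
        raise ValueError('PASETO_KEY must encode exactly 32 bytes, got %d' % len(raw))
    return raw


def resolve_paseto_auth(overrides=None):
    """Merge overrides into the documented defaults and reject out-of-range lifetimes."""
    settings = dict(PASETO_AUTH_DEFAULTS)
    for name, value in (overrides or {}).items():
        if name not in settings:
            raise ValueError('unknown PASETO_AUTH setting: %s' % name)
        settings[name] = value
    for name in LIFETIME_KEYS:
        if not isinstance(settings[name], int) or settings[name] <= 0:
            raise ValueError('%s must be a positive number of seconds' % name)
    for name, maximum in LIFETIME_MAXIMUMS.items():
        if settings[name] > maximum:
            raise ValueError('%s=%d exceeds the maximum of %d seconds' % (name, settings[name], maximum))
    # Assumed sanity rule for this example: each refresh tier must not outlive the next one.
    if not (settings['REFRESH_SHORT_LIFETIME'] <= settings['REFRESH_LONG_LIFETIME']
            <= settings['REFRESH_PERMANENT_LIFETIME']):
        raise ValueError('refresh lifetimes must satisfy short <= long <= permanent')
    return settings


if __name__ == '__main__':
    check_paseto_key(secrets.token_hex(32))  # constructed sample key, freshly generated
    print(resolve_paseto_auth({'ACCESS_LIFETIME': 2 * 60, 'REFRESH_LONG_LIFETIME': 7 * 24 * 3600}))
```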
Usage
To get a token pair from user credentials:
$ curl \
-X POST \
-H "Content-Type: application/json" \
-d '{"username": "testuser", "password": "qwerty", "remember": true}' \
http://localhost:8000/api/auth/token/
----
{
"access_token": "v2.local.wSpANWW6wNkQoVhqCWRkUp-wPfoc6fFsml7kmNlmuccDdLpqpVKmOZy6C1cYttzIt0OM-DL2uOWQKcahje0u1uSceG5mzXBZVMjDZnbXZMamF5X5JDTCZrAruVSGZ5EtliHJTFkHkgvp8c3Xmut9_8fWI09Qn6U0gaWPgM8hM_eRi7FXNHvE7ZeGOrE37SImnVZm-jCGBgMYjWzOowzQ6ZH6JvaC07eWyh6zsGQGM-l65sBlbJtTHA",
"refresh_token": "v2.local.ZYSSnCB9Qc7FlABtXKq2Pl6uZ_Snd9P_iCBnxx18d1cYezN85fB40C_1YSr27lSVNdpeGX6usp8rEEnb3EHF5_B0sNfbG8HAoxqET0RDsVj9XSj5x8w-3jgHLzaHW-Zc6r9C_cY-wLRmMNL7obEq4ETwoYZTaLKcbxRH67GRCpQP1Rjil9ex9EGL6HKg26oJuxFG_hhlCzPYOMzgDDqUoQsl4AkdGq7fZzvZkBugXvVgY64s0TS2H10"
}
The remember parameter determines whether the refresh token gets the short or the long lifetime (see the configuration section).
To get a new access token from a refresh token:
$ curl \
-X POST \
-H "Content-Type: application/json" \
-d '{"refresh_token": "v2.local.ZYSSnCB9Qc7FlABtXKq2Pl6uZ_Snd9P_iCBnxx18d1cYezN85fB40C_1YSr27lSVNdpeGX6usp8rEEnb3EHF5_B0sNfbG8HAoxqET0RDsVj9XSj5x8w-3jgHLzaHW-Zc6r9C_cY-wLRmMNL7obEq4ETwoYZTaLKcbxRH67GRCpQP1Rjil9ex9EGL6HKg26oJuxFG_hhlCzPYOMzgDDqUoQsl4AkdGq7fZzvZkBugXvVgY64s0TS2H10"}' \
http://localhost:8000/api/auth/token/refresh/
----
{
"access_token": "v2.local.wSpANWW6wNkQoVhqCWRkUp-wPfoc6fFsml7kmNlmuccDdLpqpVKmOZy6C1cYttzIt0OM-DL2uOWQKcahje0u1uSceG5mzXBZVMjDZnbXZMamF5X5JDTCZrAruVSGZ5EtliHJTFkHkgvp8c3Xmut9_8fWI09Qn6U0gaWPgM8hM_eRi7FXNHvE7ZeGOrE37SImnVZm-jCGBgMYjWzOowzQ6ZH6JvaC07eWyh6zsGQGM-l65sBlbJtTHA"
}