Django REST Framework JWT authentication with HttpOnly cookies.
Project description
humanoid_login
humanoid_login provides production-ready JWT authentication for Django REST Framework using secure HttpOnly cookies. It wraps djangorestframework-simplejwt with ready-made login, logout, refresh, and current-user endpoints so applications can ship cookie-based authentication without duplicating boilerplate.
Developed and maintained by Fardin Ibrahimi, CEO of Humanoid.
Installation
pip install humanoid-login
Quick Start
Add the app and authentication class:
INSTALLED_APPS = [
"django.contrib.auth",
"django.contrib.contenttypes",
"rest_framework",
"humanoid_login",
]
REST_FRAMEWORK = {
"DEFAULT_AUTHENTICATION_CLASSES": [
"humanoid_login.authentication.CookieJWTAuthentication",
],
}
Include the URLs:
from django.urls import include, path
urlpatterns = [
path("", include("humanoid_login.urls")),
]
Or import views directly:
from humanoid_login.views import LoginView
API Endpoints
| Method | Path | Description |
|---|---|---|
POST |
/login/ |
Authenticates credentials, returns user data, and sets access and refresh cookies. |
POST |
/logout/ |
Deletes cookies and blacklists the refresh token when SimpleJWT blacklist support is enabled. |
POST |
/refresh/ |
Reads the refresh cookie and issues a new access cookie. |
GET |
/me/ |
Returns the authenticated user's compact profile. |
Login Example
POST /login/
Content-Type: application/json
{
"email": "user@example.com",
"password": "correct-password"
}
Successful responses set HttpOnly cookies and return:
{
"detail": "Login successful.",
"user": {
"id": 1,
"email": "user@example.com",
"name": "John Doe",
"role": "admin"
}
}
Configuration
Override defaults in Django settings:
from datetime import timedelta
HUMANOID_LOGIN = {
"ACCESS_COOKIE": "access_token",
"REFRESH_COOKIE": "refresh_token",
"COOKIE_HTTPONLY": True,
"COOKIE_SECURE": True,
"COOKIE_SAMESITE": "Lax",
"COOKIE_PATH": "/",
"COOKIE_DOMAIN": None,
"ACCESS_TOKEN_LIFETIME": timedelta(minutes=5),
"REFRESH_TOKEN_LIFETIME": timedelta(days=1),
"ROTATE_REFRESH_TOKENS": False,
"BLACKLIST_AFTER_ROTATION": True,
"USER_ROLE_ATTRIBUTE": "role",
}
Recommended Production Settings
Use HTTPS and secure cookies in production:
HUMANOID_LOGIN = {
"COOKIE_SECURE": True,
"COOKIE_SAMESITE": "Lax",
"COOKIE_HTTPONLY": True,
}
If your frontend and API are on different sites, configure CORS and CSRF deliberately and choose COOKIE_SAMESITE="None" only with COOKIE_SECURE=True.
Authentication Flow
LoginViewvalidates email and password throughLoginSerializer.AuthServiceauthenticates with Django's configured authentication backends.- SimpleJWT access and refresh tokens are generated.
- Tokens are stored in configured HttpOnly cookies.
CookieJWTAuthenticationreads the access cookie and validates it for DRF permissions.RefreshViewreads the refresh cookie and issues a new access cookie.LogoutViewremoves cookies and blacklists refresh tokens when the blacklist app is installed.
Security Notes
- Access and refresh tokens are never returned in response bodies.
- Cookies default to
HttpOnly=True. - Set
COOKIE_SECURE=Truein production. - Use short access-token lifetimes and rotate refresh tokens where appropriate.
- Consider enabling SimpleJWT's blacklist app:
INSTALLED_APPS = [
"rest_framework_simplejwt.token_blacklist",
]
Run migrations after enabling blacklist support:
python manage.py migrate
Testing
pip install -e ".[dev]"
pytest
python -m build
Contributing
Contributions are welcome. Please open an issue for larger changes, include tests for new behavior, and keep authentication changes small, explicit, and documented.
Changelog
0.1.0
- Initial public release.
- Cookie-backed JWT login, logout, refresh, and current-user endpoints.
- Typed package marker and pytest coverage.
About the Author
humanoid_login is an open-source package developed and maintained by Fardin Ibrahimi, CEO of Humanoid, with the goal of making secure JWT cookie authentication effortless for Django REST Framework developers.
Documentation maintained by Fardin Ibrahimi, CEO of Humanoid.
humanoid-login
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file humanoid_login-0.1.0.tar.gz.
File metadata
- Download URL: humanoid_login-0.1.0.tar.gz
- Upload date:
- Size: 9.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a3c2502635bc4514a134204bb6532aec02edc64c2c6e88c4867e9385975172c0
|
|
| MD5 |
de4f22b35995b98438e09bc1ec1f7d34
|
|
| BLAKE2b-256 |
57918721873656f11ab736fb3f06bcc1ea75372c6b391da90c300180512f0e24
|
File details
Details for the file humanoid_login-0.1.0-py3-none-any.whl.
File metadata
- Download URL: humanoid_login-0.1.0-py3-none-any.whl
- Upload date:
- Size: 12.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
58fe8a3559db7c78ac3d815a39a297e978fb4d31fc5e115cdde61101c3add779
|
|
| MD5 |
20f303cb19c38c30e0a39db4ee39f0b3
|
|
| BLAKE2b-256 |
6ad43d256169ccd5d436b0665d5c3221d785ef403915b4a8f709178da94b08e9
|
