
SuperTokens session management solution

Project description


This library implements user session management for websites that run on Django. It is meant to be used with your backend code. If you do not use Django, please check out our website to find the right library for you.

The protocol SuperTokens uses is described in detail in this article.

The library has the following features:

  • It uses short-lived access tokens (JWT) and long-lived refresh tokens (opaque).
  • Protects against: XSS, brute force, session fixation, JWT signing key compromise, data theft from the database, CSRF and session hijacking.
  • Token theft detection: SuperTokens is able to detect token theft in a robust manner. Please see the article mentioned above for details on how this works.
  • Complete auth token management - It only stores the hashed version of refresh tokens in the database, so even if someone (an attacker or an employee) gets access to the table containing them, they would not be able to hijack any session.
  • Automatic JWT signing key generation (if you don't provide one), management and rotation - Periodically changing this key limits the damage in the event that the key is compromised. Also note that this rotation will not log any user out :grinning:
  • Complete cookie management - Takes care of making them Secure and HttpOnly. Also removes, adds and edits them whenever needed. You do not have to worry about cookies and their security anymore!
  • Efficient in terms of space complexity - Needs to store just one row in the table per logged-in user per device.
  • Efficient in terms of time complexity - Minimises the number of DB lookups (with blacklisting disabled, which is the default, most requests need no database call at all to authenticate).
  • Built-in support for handling multiple devices per user.
  • Built-in synchronisation in case you are running multiple Django processes.
  • Easy to use (see auth-demo), with well documented, modularised code and helpful error messages!
  • Using this library, you can keep a user logged in for however long you want - without worrying about any security consequences.
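To illustrate the two storage points above (only a hash of each refresh token is kept, and signing keys are rotated without logging anyone out), here is an added example that is not SuperTokens' own code: a hypothetical in-memory SessionStore with constructed keys and tokens. The HS256 scheme, the `kid` header and the `sh` (session handle) claim are assumptions made for this example.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SessionStore:
    """Hypothetical in-memory store (constructed for this example): the table holds only
    sha256(refresh token), and signing keys are kept per key id ("kid") to allow rotation."""

    def __init__(self):
        self.refresh_rows = {}  # session handle -> hex sha256 of the refresh token
        self.keys = {}          # kid -> HMAC secret (constructed, never persisted here)
        self.current_kid = self.rotate_signing_key()

    def rotate_signing_key(self) -> str:
        kid = secrets.token_hex(4)  # new tokens use this key; old keys stay for verification
        self.keys[kid] = secrets.token_bytes(32)
        self.current_kid = kid
        return kid

    def create_session(self, user_id: str):
        handle = secrets.token_hex(8)
        refresh = secrets.token_urlsafe(32)  # opaque, long-lived; only the client holds it
        self.refresh_rows[handle] = hashlib.sha256(refresh.encode()).hexdigest()
        return handle, refresh, self.issue_access_token(handle, user_id)

    def issue_access_token(self, handle: str, user_id: str, ttl: int = 300) -> str:
        header = b64url(json.dumps({"alg": "HS256", "kid": self.current_kid}).encode())
        payload = b64url(json.dumps({"sub": user_id, "sh": handle, "exp": int(time.time()) + ttl}).encode())
        sig = hmac.new(self.keys[self.current_kid], f"{header}.{payload}".encode(), hashlib.sha256)
        return f"{header}.{payload}.{b64url(sig.digest())}"

    def verify_access_token(self, token: str):
        try:  # malformed token or unknown kid -> reject
            header, payload, sig = token.split(".")
            key = self.keys[json.loads(unb64url(header))["kid"]]
        except (ValueError, KeyError):
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            return None
        claims = json.loads(unb64url(payload))
        return claims if claims["exp"] > time.time() else None

    def refresh_is_valid(self, handle: str, presented: str) -> bool:
        # A leaked row holds only the hash, so replaying the hash as the token fails here.
        stored = self.refresh_rows.get(handle)
        return stored is not None and hmac.compare_digest(stored, hashlib.sha256(presented.encode()).hexdigest())
```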

Documentation:

Coming Soon.

Making changes

Please see our Contributing guide

Tests

make dev-install
make test

See our Contributing guide for more information.

Support, questions and bugs

We are most accessible via team@supertokens.io, via the GitHub issues feature and our Discord server.

Click here to see more information.

Authors

Created with :heart: by the folks at SuperTokens. We are a startup passionate about security and solving software challenges in a way that's helpful for everyone! Please feel free to give us feedback at team@supertokens.io, until our website is ready :grinning:

Download files

Source Distribution

supertokens_jwt_ref-0.0.7.tar.gz (14.3 kB)

Built Distribution

supertokens_jwt_ref-0.0.7-py3-none-any.whl (17.4 kB, Python 3)
