Lesson 19 - Users

Dana Spiegel

December 18, 2012
Transcript

  1. User Management
     • Web applications use the 3 A’s when deciding whether a client’s request for a resource should be honored:
       • Authentication - verify a client’s identity
       • Authorization - validate a client’s permission to access a resource
       • Access control - decide whether to grant access to a resource based on the state of the system
     • The best-known implementation of this architecture is the Apache Web Server
     • http://docs.oracle.com/cd/E12839_01/web.1111/e10144/security.htm
     • Implementing AAA correctly is one of the most important aspects of building a secure application
     • Without authentication, no effective security decisions can be made, since the application won’t know who is accessing it
     • Without authorization, even known entities would have access to restricted or private resources (including other users’ accounts)
     • Without access control, there is no point in the request path at which those decisions are actually enforced, so no protection can be built
  2. Functionality of User Management
     • The uses of AAA in a web application usually consist of:
       • Sign-up/account creation
       • Account activation
       • Login and logout
       • Password management
       • Account management
       • Object association
       • Permission control
     • Each component requires careful consideration and implementation to ensure that an application is secure
  3. Django User Management
     • Django provides django.contrib.auth as an application to provide some aspects of User Management:
       • Account creation mechanisms (but no sign-up view)
       • Login and logout
       • Password management
       • Account management (through ModelForms)
       • Object association (through Model relationships)
       • Permission control (through a highly functional permissioning system)
     • Provides a few different classes:
       • User, AnonymousUser
       • Group
       • Permission
       • Views
  4. Django User Model
     • Fields provided:
       • username
       • first_name
       • last_name
       • email
       • password (holds the salted hash, never the plain-text password)
       • is_staff
       • is_active
       • is_superuser
       • last_login
       • date_joined
     • Has methods for determining whether a User instance has authenticated (is_authenticated())
     • Can manage setting/resetting/changing the user’s password (set_password(), check_password())
     • Provides access to the permissions assigned to the User (has_perm(), get_all_permissions())
  5. Django User Model (cont’d.)
     • Provides an easy way to email a User (email_user())
     • UserManager can create a user; create_user() hashes the password for you, so never assign a raw password to the password field
     • To install Django User management:
       • Put 'django.contrib.auth' and 'django.contrib.contenttypes' in INSTALLED_APPS in settings.py
       • Run manage.py syncdb
     • Create a User using the Django shell:

     >>> from django.contrib.auth.models import User
     >>> user = User.objects.create_user(username='bob', email='[email protected]', password='happytrees')

     • Change a User’s password (set_password() only hashes and sets the field; save() writes it to the database):

     >>> from django.contrib.auth.models import User
     >>> u = User.objects.get(username__exact='bob')
     >>> u.set_password('lakes')
     >>> u.save()
  6. Passwords in Web Applications
     • Never, ever store passwords in plain text
     • Never, ever store passwords in plain text (it bears repeating)
     • Passwords should be stored using a secure hash and a salt:
       • This is how *NIX does it!
       • A hash function is any algorithm or subroutine that maps large data sets of variable length, called keys, to smaller data sets of a fixed length. The values returned by a hash function are called hash values, hash codes, hash sums, checksums or simply hashes.1
       • A salt is a string of random bits, generated separately for each password, that is combined with the password before hashing and stored next to the resulting hash. Because no two users share a salt, an attacker cannot precompute one table of hashes (a rainbow table) and apply it to every account, and two users with the same password end up with different stored hashes. A salt does not stop an attacker from guessing one account’s password at a time; that is what a slow, iterated hash such as PBKDF2 or bcrypt is for.
       • The salt does not need to be secret: it lives in the database beside the hash (Django keeps both in the same auth_user.password column). What must stay out of GitHub is the application’s SECRET_KEY and any service credentials, not the salt.
       • The hash function is one-way: given the stored hash there is no practical way to recover the password, so a leaked table of hashes does not directly reveal anyone’s password.

       hashed_password = hash_function(salt + password)

     1. http://en.wikipedia.org/wiki/Hash_function
  7. Passwords in Django
     • Django stores passwords securely by default
     • Look at the auth_user table in the database: the password column holds the algorithm, iteration count, salt and hash in one string, never the password itself
     • Configure the hashing methods using the PASSWORD_HASHERS setting
     • The first entry is used to hash new and changed passwords; the remaining entries are only consulted to verify existing rows, and Django re-hashes a password with the first entry the next time that user logs in
     • Keep the entries marked insecure at the bottom, and only while legacy rows still need them; BCryptPasswordHasher requires the py-bcrypt library to be installed
     • The default is sufficiently secure, but be sure to watch for password hashing security fixes on the Django site

     PASSWORD_HASHERS = (
         'django.contrib.auth.hashers.PBKDF2PasswordHasher',
         'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
         'django.contrib.auth.hashers.BCryptPasswordHasher',
         'django.contrib.auth.hashers.SHA1PasswordHasher',   # Insecure Hashes
         'django.contrib.auth.hashers.MD5PasswordHasher',    # Insecure Hashes
         'django.contrib.auth.hashers.CryptPasswordHasher',  # Insecure Hashes
     )
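The salted, iterated hashing described in slides 6 and 7, as an added example written for this page: it is not Django’s code, but it writes and verifies the same "algorithm$iterations$salt$hash" string layout that Django’s PBKDF2PasswordHasher stores in auth_user.password, so you can see exactly what ends up in the database. The audit function and the sample rows in its docstring are constructed for illustration; the function and constant names are assumptions.

```python
# Added example (not django.contrib.auth's code): a PBKDF2 password hasher that
# writes and verifies strings in the same "algorithm$iterations$salt$hash"
# layout Django's PBKDF2PasswordHasher stores in auth_user.password, plus a
# small audit that applies the PASSWORD_HASHERS idea to existing rows.
# Standard library only.
import base64
import hashlib
import hmac
import secrets
import string

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 10000                 # Django 1.4's default; raise it as hardware gets faster
SALT_ALPHABET = string.ascii_letters + string.digits
INSECURE_ALGORITHMS = {"sha1", "md5", "crypt"}   # the entries the deck marks "Insecure Hashes"


def make_salt(length=12):
    # A fresh random salt per password. It is stored in the clear inside the
    # encoded string: it has to be unique, not secret.
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def make_password(password, salt=None, iterations=ITERATIONS):
    """Return "pbkdf2_sha256$<iterations>$<salt>$<base64 digest>"."""
    salt = salt or make_salt()
    if "$" in salt:
        raise ValueError("salt must not contain the field separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("ascii"), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt,
                            base64.b64encode(digest).decode("ascii"))


def check_password(password, encoded):
    """Re-derive with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False            # this example implements only the PBKDF2 hasher
    candidate = make_password(password, salt, iterations)
    # compare_digest avoids leaking, via response time, how many leading
    # characters of the hash matched.
    return hmac.compare_digest(candidate, encoded)


def needs_rehash(encoded, iterations=ITERATIONS):
    """True if a row was hashed with something other than the preferred hasher
    (the first PASSWORD_HASHERS entry) or with fewer iterations than it uses
    now. Django runs this check on a successful login and re-hashes then."""
    fields = encoded.split("$")
    if fields[0] != ALGORITHM:
        return True
    return len(fields) != 4 or int(fields[1]) < iterations


def audit_hashes(rows):
    """rows: iterable of (username, encoded), e.g. pulled from auth_user.
    Returns (insecure, outdated): usernames stored with an insecure hasher, and
    usernames whose hash will only be upgraded when they next log in (dormant
    accounts therefore stay outdated until you force a reset)."""
    insecure, outdated = [], []
    for username, encoded in rows:
        algorithm = encoded.split("$", 1)[0]
        # A bare hex string with no "$" is an unsalted MD5 row from old Django versions.
        if algorithm in INSECURE_ALGORITHMS or "$" not in encoded:
            insecure.append(username)
        elif needs_rehash(encoded):
            outdated.append(username)
    return insecure, outdated


if __name__ == "__main__":
    stored = make_password("happytrees")
    print(stored)        # pbkdf2_sha256$10000$<salt>$<hash>, same shape as an auth_user row
    print(check_password("happytrees", stored), check_password("lakes", stored))
```

Compare the printed string with a real row from auth_user: the same four $-separated fields. check_password() re-derives the hash using the salt and iteration count read from the stored string, which is why neither has to be secret, and why raising ITERATIONS later does not break existing rows: they keep verifying at their old count and needs_rehash() flags them for upgrade.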
  8. Django User Authentication
     • Django provides views that can be used to easily provide login/logout and password management
     • Views:
       • login
       • logout, logout_then_login
       • password_change, password_change_done
       • password_reset, password_reset_done, password_reset_confirm, password_reset_complete
     • To use the built-in forms, install the auth URLs and implement the templates:

     url(r'^accounts/', include('django.contrib.auth.urls')),
  9. Django User Authentication (cont’d.)
     • For login.html and *_form.html templates, the context will have a form variable that must be rendered
     • These views are CSRF-protected, so every form that POSTs to them must emit {% csrf_token %} (in the template itself or in the included include_form.html), otherwise the POST is rejected
     • login.html
       • Template allows a user to enter username and password to log in
       • The special next variable in the context must be explicitly included in the template’s form as a hidden field, or the user is not returned to the page that sent them to log in
       • next arrives in the query string, so it is under the visitor’s (or an attacker’s) control: the login view must only redirect to paths on its own site, never to an arbitrary URL supplied in next
     • password_reset_form.html
       • Template allows a non-logged-in user to generate a password reset email
       • Requires SMTP configuration and the sites application
     • password_reset_done.html
       • Template shown after the password reset email is sent
     • password_reset_confirm.html
       • Template shown when the user clicks on the password reset link from the email
     • password_reset_complete.html
       • Template shown after the password is successfully changed after a reset
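A check for the next value, as an added example in plain Python (it is not Django’s own login view; the allowed_host argument, the function name and the fallback default are assumptions). It rejects the variants that turn a post-login redirect into an open redirect to another host:

```python
# Added example (not django.contrib.auth's code): what a login view should do
# with the ``next`` value before redirecting to it. The value arrives in the
# query string, so treat it as attacker-controlled. allowed_host is the site's
# own hostname (an assumption; in Django you would take it from the request).
from urllib.parse import urlsplit

SAFE_SCHEMES = ("http", "https")


def safe_next(next_value, allowed_host, fallback="/", require_https=False):
    """Return a normalised next_value if it stays on allowed_host, else fallback."""
    if not next_value:
        return fallback
    # Whitespace and control characters get stripped or rewritten by browsers
    # in ways URL libraries do not model; refuse rather than guess.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in next_value):
        return fallback
    value = next_value.replace("\\", "/")        # browsers treat \ like /
    if value.startswith("//"):
        value = "//" + value.lstrip("/")         # "///host" is absolute to browsers too
    try:
        parts = urlsplit(value)
    except ValueError:                           # e.g. a malformed IPv6 literal
        return fallback
    if parts.scheme:
        if parts.scheme not in SAFE_SCHEMES or not parts.netloc:
            return fallback                      # javascript:, data:, "http:/x", ...
        if require_https and parts.scheme == "http":
            return fallback
    if parts.netloc:
        # hostname drops userinfo and port, so "http://example.com@evil/" is caught
        return value if parts.hostname == allowed_host.lower() else fallback
    if not value.startswith("/") or value.startswith("//"):
        return fallback                          # page-relative paths are not worth allowing
    return value


if __name__ == "__main__":
    for candidate in ("/accounts/profile/", "//evil.example/", "/\\evil.example/",
                      "http://example.com@evil.example/", "javascript:alert(1)"):
        print("%-36r -> %r" % (candidate, safe_next(candidate, "example.com")))
```

Django’s own login view later grew an equivalent check (django.utils.http.is_safe_url, since renamed url_has_allowed_host_and_scheme); when the framework you run provides one, use it rather than your own copy, since browsers keep finding new ways to parse a redirect.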
  10. Django User Authentication (cont’d.)
     • password_change_form.html
       • Template allows a logged-in user to change their password
     • password_change_done.html
       • Template shown when the user has successfully changed their password
     • logged_out.html
       • Template shown when the user has explicitly logged out of the application
  11. login.html

     {% extends "base.html" %}
     {% block title %}Login{% endblock %}
     {% block body %}
     <form action="" method="post" class="form-horizontal">
       <input type="hidden" name="next" value="{{ next }}" />
       <div class="row-fluid">
         <div class="span12">
           {% include "include_form.html" %}
           <div class="control-group {% if form.password.errors %}error{% endif %}">
             <div class="controls">
               <span class="help-inline"><a href="{% url password_reset %}">Forgot Password?</a></span>
             </div>
           </div>
           <div class="form-actions">
             <button type="submit" class="btn btn-primary" value="login">Login</button>
           </div>
         </div>
       </div>
     </form>
     {% endblock %}
  12. logged_out.html

     {% extends "base.html" %}
     {% load url from future %}
     {% block title %}Logout{% endblock %}
     {% block body %}
     <div class="row-fluid">
       <div class="span12">
         <h1>You have been logged out</h1>
         <a href="{% url 'login' %}">Login again</a>
       </div>
     </div>
     {% endblock %}
  13. Configuring Django to Send Email
     • Core functionality for sending email is via SMTP
     • Simple “API” for generating and delivering email on the internet
     • The easiest configuration is to relay mail through an email service; this deck uses Mandrill
     • Configure server and login information in settings.py
     • Configure the “email backend” to send email via an SMTP server
     • TLS is not an email protocol but the encryption layer beneath it: with EMAIL_USE_TLS = True, Django opens a plain connection (usually on the submission port, 587) and upgrades it with STARTTLS before the username and password are sent
     • Can re-use MANDRILL_API_KEY for the email password; it is a credential, so load it from the environment and keep it out of version control

     EMAIL_HOST = 'smtp.mandrillapp.com'
     EMAIL_PORT = 587                        # an integer, not the string '587'
     EMAIL_HOST_USER = '[email protected]'
     EMAIL_HOST_PASSWORD = MANDRILL_API_KEY  # defined elsewhere in settings; read it from the environment
     EMAIL_USE_TLS = True
     EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
     DEFAULT_FROM_EMAIL = '[email protected]'
  14. Django Sites Application
     • To inform Django and Django applications about the URL for the web application, use the built-in sites application
     • Sites allow Django to find out the domain of the web application, and use that information in views and templates
     • Usually, Django just uses relative URLs
     • For links in sent emails, the URL must include a fully qualified domain name
     • Without the sites application, Django builds those links from the Host header of the incoming request; a client can send any Host value it likes, so a forged password-reset request could produce emails that link to an attacker’s domain. A configured Site removes that dependency
     • To use the sites application, add django.contrib.sites to INSTALLED_APPS
     • Configure a SITE_ID, which will be used as the default ID for the web application
     • Since so many applications depend on the sites application, it is configured by default
     • Make sure to change the site domain in the Django admin to point to the actual host, or links in emails won’t work!
       • e.g. dev.hatcherydevshop.com
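How the reset email link is built from the Site domain and later verified by the confirm step, as an added example in plain Python. It is not django.contrib.auth’s implementation: the token follows the same idea as Django’s PasswordResetTokenGenerator (an HMAC over the user’s id, stored password hash, last login and a timestamp, so a link stops working once the password changes or the link ages out), while the URL layout, the helper names, the dummy SECRET_KEY and the user record are assumptions constructed for the example.

```python
# Added example (not django.contrib.auth's code): the shape of a password reset
# link and the check behind password_reset_confirm, in plain Python. The token
# design follows Django's PasswordResetTokenGenerator (HMAC over user state and
# a timestamp); the URL layout, helper names and key are assumptions.
import base64
import hashlib
import hmac
import time

SECRET_KEY = b"assumed-dev-key; use settings.SECRET_KEY, never commit it"
RESET_TIMEOUT = 3 * 24 * 3600      # seconds a reset link stays usable


def _user_state(user):
    # Everything the MAC covers changes on a successful reset or login, so an
    # outstanding link is useless once it has been used or the password changed.
    return "%s:%s:%s" % (user["id"], user["password"], user["last_login"])


def make_token(user, now=None):
    ts = int(time.time() if now is None else now)
    msg = ("%s:%d" % (_user_state(user), ts)).encode("utf-8")
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:40]
    return "%x-%s" % (ts, mac)


def check_token(user, token, now=None):
    """True only if the MAC matches the user's current state and the link is fresh."""
    try:
        ts_hex, _ = token.split("-", 1)
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    # Recompute from the user's *current* state; compare in constant time.
    if not hmac.compare_digest(make_token(user, ts), token):
        return False
    now = time.time() if now is None else now
    return 0 <= now - ts <= RESET_TIMEOUT


def reset_link(site_domain, user, token, use_https=True):
    """Absolute URL for the email. The host comes from the configured Site
    domain, not from the request's Host header, which the client controls."""
    uid = base64.urlsafe_b64encode(str(user["id"]).encode("ascii")).decode("ascii").rstrip("=")
    scheme = "https" if use_https else "http"
    return "%s://%s/accounts/reset/%s/%s/" % (scheme, site_domain, uid, token)


if __name__ == "__main__":
    # Constructed user record: the fields a Django User row would supply.
    bob = {"id": 7, "password": "pbkdf2_sha256$10000$saltsalt$hashhash",
           "last_login": "2012-12-18 10:00:00"}
    token = make_token(bob)
    print(reset_link("dev.hatcherydevshop.com", bob, token))
    print(check_token(bob, token))                    # True: link is live
    bob_after_reset = dict(bob, password="pbkdf2_sha256$10000$newsalt$newhash")
    print(check_token(bob_after_reset, token))        # False: password changed
```

Because the password hash is part of what the MAC covers, the same link cannot be replayed after the reset completes, and a link mailed before a password change is dead afterwards; and because the domain is an argument rather than something read from the request, a forged Host header has nothing to influence.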
  15. password_reset_form.html

     {% extends "base.html" %}
     {% block title %}Reset Password{% endblock %}
     {% block body %}
     <form action="" method="post" class="form-horizontal">
       <div class="row-fluid">
         <div class="span12">
           {% include "include_form.html" %}
           <div class="form-actions">
             <button type="submit" class="btn btn-primary" value="login">Reset Password</button>
           </div>
         </div>
       </div>
     </form>
     {% endblock %}
  16. password_reset_done.html

     {% extends "base.html" %}
     {% block title %}Password Reset Email Sent{% endblock %}
     {% block body %}
     <div class="row-fluid">
       <div class="span12">
         <p>Password reset email sent.</p>
       </div>
     </div>
     {% endblock %}
  17. password_reset_confirm.html

     {% extends "base.html" %}
     {% block title %}Change Password{% endblock %}
     {% block body %}
     <form action="" method="post" class="form-horizontal">
       <div class="row-fluid">
         <div class="span12">
           {% include "include_form.html" %}
           <div class="form-actions">
             <button type="submit" class="btn btn-primary" value="login">Save Password</button>
           </div>
         </div>
       </div>
     </form>
     {% endblock %}
  18. password_reset_complete.html

     {% extends "base.html" %}
     {% block title %}Password Reset Complete{% endblock %}
     {% block body %}
     <div class="row-fluid">
       <div class="span12">
         <p>Your password has been saved.</p>
         <p><a href="{% url login %}">Login</a></p>
       </div>
     </div>
     {% endblock %}
  19. password_change_form.html

     {% extends "base.html" %}
     {% block title %}Change Password{% endblock %}
     {% block body %}
     <form action="" method="post" class="form-horizontal">
       <div class="row-fluid">
         <div class="span12">
           {% include "include_form.html" %}
           <div class="form-actions">
             <button type="submit" class="btn btn-primary" value="login">Save Password</button>
           </div>
         </div>
       </div>
     </form>
     {% endblock %}
  20. password_change_done.html

     {% extends "base.html" %}
     {% block title %}Password Changed{% endblock %}
     {% block body %}
     <div class="row-fluid">
       <div class="span12">
         <p>Your password has been saved.</p>
       </div>
     </div>
     {% endblock %}