Signing Up and Signing In: Users in Django with Django-AllAuth

View Slide

Have you met Ted?
 Technical founder of SittingAround.com
 Full stack developer
 except the adobe products
 Using Django since 1.0.2
 ~4.5 years
 @tedtieken (not very active)

View Slide

Problem
We have an app that lets audience members of a django
meetup submit and vote on questions they’d like the
speaker to answer.
Anyone can upvote any question as many times as they
want, so it is being trolled

View Slide

View Slide

Problem
We have an app that lets audience members of a Django
meetup talk submit and vote on questions
Anyone can upvote any question as many times as they
want, so it is being trolled
If we added user accounts, we could restrict people to only
voting on each question once.

View Slide

Problem
http://q4ts.herokuapp.com/
Turn Kevin Harvey’s Torquemada app from January testing
meetup into user-enabled clone QuestionsForTheSpeaker

View Slide

1. Overview of Users & Auth
2. Community Packages
3. Example FB Integration
Signing Up and Signing In
User Registration, Authentication, and Social
Authentication with Django

View Slide

Why Accounts?
 Anonymous users are particularly poorly behaved
 You need them to build the next socialbookspace
 Users expect customization & interaction
 Most interesting things you’re going to want to do with
a webapp are going to require tying things to users
 $$$
 Active users is an easy valuation metric
 Done well, sign up and sign in can drive a lot of value

View Slide

User Stack: Base
User Model
Password Security
Standard User anchor point
django.contrib.auth
django.contrib.auth:
 Basic user fields (email, name, password
hash)
 Password hashing
 Standard user model used throughout
your app and other apps (e.g. admin)
 …

View Slide

User Stack: Authentication
User Model
Password Security
django.contrib.auth
User Registration & Login
Authentication
Authentication:
 Who is it?
 Verify identity using a
username/password combo

View Slide

User Stack: Authorization
User Permissions
Authorization
Authorization:
 Is this user allowed to do that?
 Is this user logged in or anonymous?
User Model
Password Security
django.contrib.auth

View Slide

User Stack: Profiles
User Model
Password Security
django.contrib.auth
Profile:
 What is your favorite color?
 What is your quest?
 Both “facebook style” and “hidden”
 Pre 1.5, your user_profile model
 Post 1.5, user_profile model or
extended User model
Extended User Attributes
Profile

View Slide

User Permissions
Authorization
The User Stack with Django
Authentication Profile
User Model
Password Security
django.contrib.auth

View Slide

Your Responsibility
django.contrib.auth
Division of Labor
Authorization

View Slide

What Django handles
 Salts & hashes user passwords
 Standard User model
 Handles sessions, setting cookies
 View logic for common user operations:
 Login, logout, password reset, lost-password recovery
 But not the templates
django.contrib.auth library comes bundled with Django

View Slide

What Django handles
 Utilities for customizing experience for logged in users vs
anonymous site visitors
 @login_required view decorator with redirect
 request.user.is_authenticated()
 User model integrated into admin for both staff access
and end-user searching
 Salts & hashes user passwords
django.contrib.auth library comes bundled with Django

View Slide

This is important:
Salting and Hashing

View Slide

Salting and Hashing
Django does the right thing with user passwords, so you
can’t shoot yourself in the foot
 Salting is: adding characters to the user’s password
 Salting is: Important for user security
 Hashing is: using one-way math to obfuscate stored pw
 Hashing is: Important for user security
 Django does this for you, so you can’t it would be hard
for you to shoot yourself in the foot.
 Not every framework does this.

View Slide

View Slide

Back to our regularly
scheduled programming

View Slide

What Django almost handles
 Permissions Model: Handles basic binary permissions,
but not object permissions
 It does do: User can create news stories
 It does do: User can edit news stories
 It doesn’t do: User can edit own news stories
 Group Model: Provides a grouping model
 Useful in providing grouped permissions to staff
 Not a very good fit for end-user groupings
Built in perms & groups work well for staff, but little else.

View Slide

What Django leaves to you
Auth module is focused on doing a few critical things very
well, leaves out a lot of common use cases
 Password strength checking
 Throttling of login attempts
 i.e. locking an account after 5 failed passwords
 Two-Factor authentication
 Email verification

View Slide

What Django leaves to you
You have to roll your own or use community libraries to
actually sign up end users
 Registration is up to you
 Authentication against third-parties
 e.g. Facebook Connect or Oath
 Some people try to hack admin to do end-user
Registration and Login
 Don’t try to use admin for end-user stuff
 It’s built for staff use
 Opens up security holes
 It only takes a few minutes to do it the right way

View Slide


View Slide

Back to our problem
We need to implement user accounts, and would like to
integrate with FB
Should we roll our own or use a community library?
If library, which one should we use?

View Slide

Our Focus Today
e.g. Favorite color
User Permissions
User Model
django.contrib.auth
Authorization

View Slide

Our Focus Today
e.g. Favorite color
User Permissions
3rd Party / Social
User Model
django.contrib.auth
Internal to your App
Authorization

View Slide

DjangoPackages.com
First stop when evaluating community packages

View Slide

DjangoPackages.com
 Thematic groupings
 Authentication, Auth, Payments, Pagination, etc.
 Well formatted, easily digestible grid
 Popularity Indicators (# Repo Watchers)
 Feature comparisons (in some groups)
 Last updated & Activity indicators
First stop when evaluating community packages

View Slide

Authentication Packages
 50 packages!
 Lets try to process that and make the decision a little
easier

View Slide

Survey Says
 Survey trying to find out: what are people actually using
 93 starts, 85 complete responses
 Sample drawn from
 Boston Django Meetup
 django-users mailing list
 r/django reddit
 Collected over two months: February thru March ‘13

View Slide

Experience level
31.20%
36.60%
32.30%
3+ years
1 or 2ish years (6-32 months)
Just Started (<6 months)
How long have you been using Django?

View Slide

Past Use & Awareness
0 50 100 150
Other
Roll your own
django-allauth
django-userena
Larger framework*
django-social-auth
django-registration
Have used this package
Would Use
Have evaluated this
package
Aware of this package
* e.g. Pinax, Mezzanine
Which packages have you considered, evaluated, or used?

View Slide

Future Use
If you were starting a new project, what would you use?
0.00% 10.00% 20.00% 30.00% 40.00% 50.00%
Other
Roll your own
django-allauth
django-userena
Larger framework*
django-social-auth
django-registration

View Slide

What’s gaining?
Would use in new project / Have used in past
0% 25% 50% 75% 100% 125% 150%
Other
Roll your own
django-allauth
django-userena
Larger framework*
django-social-auth
django-registration

View Slide

http://tinyurl.com/djangoauth
View the results yourself

View Slide

Lets take a look at some
libraries

View Slide

Stack map shorthand
Extended User
Attributes
e.g. Favorite color
User Permissions
3rd Party / Social
Internal to your
App
Authorization
User Model
django.contrib.auth
django-registration
The django-registration package handles local user account creation and
sign-in only. It doesn’t touch the Authorization, Profile, or Social
Authentication parts of the problem.

View Slide

Where do they specialize?
Package Specialty Stack
django-registration  Local user accounts
 Email activation

View Slide

django-social-auth  3rd Party/social accounts
 Multiple 3rd party accounts

View Slide

django-allauth  Local and/or social accounts
 Multiple emails
 Require email even w/ social

View Slide

django-userena  Local user accounts
 (semi)public user profiles
 User-to-user messaging

View Slide

django-registration  Local user accounts
django-social-auth  3rd Party/social accounts
django-allauth  Local and/or social accounts
 Multiple emails
 Require email even w/ social
django-userena  Local user accounts
 (semi)public user profiles
 User-to-user messaging

View Slide

Recommendation
django-allauth
Pro
 It.Just.Works
 Templates included
 Social w/ verified email
 Multiple emails
 Handles full authentication problem
 Without creep into other areas
 Rapidly gaining traction, maturing
 Well tested
 Easily add new backends
Con
 Puts site-tokens in the database
 Documentation has a few gaps
 More “magic”

View Slide

Second Place
django-registration
+
django-social-auth
Pro
 Most popular combo
 Established
 Well tested
 Lots of existing social-auth-backends
 Djangopackages has grid for them
 Easily add new backends
 Social-auth pipeline = customization
Con
 Have to roll your own templates
 Hard for newcomers
 Will take longer
 Glue work needed
 On your own for corner cases
 i.e. need email for social
accounts verified
 Documentation is complained
about in both

View Slide

Beware
django-social-auth
django-socialauth
We’ve been talking about this one

View Slide


View Slide

Back to our Problem
We’re going to add user accounts, and signup via facebook.
We’ve decided that AllAuth looks like a good package, so
we’re going to go with that
We’ve already got our non-user enabled app, which we
downloaded from github.com/kcharvey/testing-in-django

View Slide

Getting Started with AllAuth
1. pip install django_allauth
2. Goto https://github.com/pennersr/django-allauth
3. Follow the instructions
4. Grab a beer

View Slide

Getting Started with AllAuth
1. pip install django_allauth
2. Goto https://github.com/pennersr/django-allauth
3. Follow the instructions
4. Grab a beer
It is almost this easy

View Slide

Mature
Rapidly Maturing

View Slide

Mature
Rapidly Maturing
Even with the remaining bumps,
it’s the easiest social auth package to use

View Slide

Configuring AllAuth: Settings.py
TEMPLATE_CONTEXT_PROCESSORS = (
...
"django.core.context_processors.request",
...
"allauth.account.context_processors.account",
"allauth.socialaccount.context_processors.socialaccount",
...
)
AUTHENTICATION_BACKENDS = (
...
"django.contrib.auth.backends.ModelBackend",
#allauth authentication methods (i.e. login by e-mail)
"allauth.account.auth_backends.AuthenticationBackend",
...
)

View Slide

Configuring AllAuth: Settings.py
INSTALLED_APPS = (
…
'allauth',
'allauth.account',
'allauth.socialaccount',
'allauth.socialaccount.providers.facebook',
#Other providers as you want
)
SOCIALACCOUNT_PROVIDERS = \
{ 'facebook':
{ 'SCOPE': ['email'],
'AUTH_PARAMS': { 'auth_type': 'reauthenticate'},
'METHOD': 'oauth2' ,
'LOCALE_FUNC': lambda request: return ‘en_US’},
}

View Slide

Decide what flow you want
Settings.py
ACCOUNT_AUTHENTICATION_METHOD = "username"
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_EMAIL_VERIFICATION = "optional"
ACCOUNT_EMAIL_SUBJECT_PREFIX = "[q4ts]"
ACCOUNT_PASSWORD_MIN_LENGTH = 6
 This step is optional, ships with reasonable defaults
 Most common flows are configurable by default
 Full list at https://github.com/pennersr/django-allauth

View Slide

Configuring AllAuth: Urls.py
urlpatterns = patterns('',
...
(r'^accounts/', include('allauth.urls')),
...
#The profile isn’t free with allauth
#This is a good thing
(r'^accounts/profile/', YOUR_OWN_PROFILE_VIEW),
...
)

View Slide

This gets the following URLS

View Slide

Configuring AllAuth Templates

View Slide

Configuring AllAuth Templates
 Optional
 Override if you want/need to
 But you don’t have to: It.just.works out of the box

View Slide

Register your app w/ Facebook

View Slide

 https://developers.facebook.com/apps/
 Create an app
 Record your keys in the database
 Secrets in db. Doh!
 Biggest complaint with allauth

View Slide


View Slide

Record keys in the database

View Slide

Make it work locally: two apps

View Slide

Remember to turn off sandbox

View Slide

Add links to to base.html
{% load url from future %}
{% load socialaccount %}
Sign Up
Log in

Sign Up / Login with Facebook

View Slide

http://q4ts.herokuapp.com/accounts/facebook/login/?method=oauth2
http://q4ts.herokuapp.com/accounts/facebook/login/callback/?code=##&state=##

View Slide

Show apt links for user state
{% if user.is_authenticated %}
Log out
My Account
{% else %}
Sign Up
Log in
Facebook Connect
{% endif %}

View Slide

Profile view & templates
 Sorry, you’re still on your own for this one.
 But, the hard work has already been done
 Short on time?
 My Account
 ul > li
 username
 email + manage email link
 linked social accounts + manage social accounts link
 password change links
 logout link

View Slide

New Decorator
from django.contrib.auth.decorators import login_required
@login_required
Def authenticated_users_only_view(request):
...
from allauth.account.decorators import verified_email_required
@verified_email_required
def verified_users_only_view(request):
...

View Slide

Go do interesting things

View Slide

Appendix

View Slide

# of packages tracked
57
9 11
28
0
10
20
30
40
50
60

View Slide

What’s gaining (alt metric)?
Would use in future / Have used in past
0% 25% 50% 75% 100% 125% 150%
Roll your own
django-allauth
django-userena
Larger framework*
django-social-auth
django-registration

View Slide

Signing Up and Signing In: Users in Django with Django-AllAuth

Signing Up and Signing In: Users in Django with Django-AllAuth

tedtieken

More Decks by tedtieken

Other Decks in Technology

Featured

Transcript