Dev Journal #4 - Django Authentication Flow



Django provides a very comprehensive authentication library that can be used out of the box. I drew up a flow diagram that I will be referencing while building my authentication APIs.

New account

After a POST request with a username, an email address and a password to /api/auth/register/, a new account is created and the user receives a confirmation email. At this point the account is not yet activated: a login attempt returns 403 Forbidden and the user cannot proceed. Following the link in the email activates the account, after which the user can log in. One thing to keep in mind with that design: a 403 for an inactive account is distinguishable from the response for bad credentials, so the status code confirms that the username exists. If that matters for the app, return the same generic failure for both cases.

Login sessions

Once the user logs in successfully, the response object contains a JWT (JSON Web Token), which the Android client saves in SharedPreferences. Unless the user explicitly logs out, the token stays there. On the next launch the client checks for a stored token and sends it with its requests; the server verifies the token's signature and expiry and treats the request as authenticated. The user therefore does not have to log in again every time they close the app, only when they log out or the token expires after its configured lifetime. Two caveats: plain SharedPreferences is readable by anything with access to the app's private storage (a rooted device, an extracted backup), so a long-lived bearer token belongs in EncryptedSharedPreferences or behind the Android Keystore; and the server must validate the signature and the exp claim on every request, not merely the token's presence.
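The server side of that flow, as an added illustration that is not code from the original post: issuing an HS256 JWT in the login response and verifying it on later requests. It uses only the standard library; the secret, the claim names (sub, iat, exp) and the token lifetime are assumptions. The algorithm is pinned server-side rather than read from the header, and expiry is checked after the signature so an unsigned or forged payload is never trusted.

```python
"""Minimal HS256 JWT issue/verify for the login-session flow.

Added example, not the project's code. Uses only the standard library.
Assumptions: SERVER_SECRET is loaded from settings on the server and never
shipped in the Android app; the claims are sub, iat and exp.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SERVER_SECRET = b"example-only-load-from-settings"  # assumption: server-side only


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SERVER_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(user_id: int, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build the JWT returned in the login response."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": str(user_id), "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    return signing_input + "." + _b64url(_sign(signing_input))


def verify_token(token: str, now: Optional[int] = None) -> Tuple[bool, object]:
    """Check a token presented on a later request.

    Returns (True, payload) or (False, reason). The algorithm and signature are
    checked before the payload is trusted; expiry is checked against `now`.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        presented = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    # Pin the algorithm server-side: the header must never choose it ("alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    if not hmac.compare_digest(_sign(f"{head_b64}.{payload_b64}"), presented):
        return False, "bad signature"
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return False, "malformed"
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return False, "expired"
    return True, payload


if __name__ == "__main__":
    tok = issue_token(42, ttl_seconds=3600)
    print(tok)
    print(verify_token(tok))                       # (True, {...})
    print(verify_token(tok, now=int(time.time()) + 7200))  # (False, 'expired')
```

The client only needs to store the string and send it back, typically in an Authorization: Bearer header; everything that decides whether the request is authenticated lives in verify_token.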

Change password

While logged in, the user can request to change their current password. The change succeeds only if they supply the correct current password and the new password satisfies the password requirements (in Django, the configured AUTH_PASSWORD_VALIDATORS). Note that a JWT issued before the change remains valid until it expires unless the server ties tokens to the password hash or keeps a revocation list; if a password change is meant to kick out other devices, that has to be designed in.

Reset password

If the user cannot remember their current password, they can request a reset by providing the email address linked to their account. If the server finds an account with that email in the database, it sends a password reset link to that address; the response to the request should look the same whether or not the address is known, so the endpoint cannot be used to check which emails are registered. Once the user opens the email and follows the reset link, the server verifies the token in the link to make sure it is valid and has not expired. The user can then enter a new password in the UI and ask the server to update it, and the server must verify the token again on that second request. Django's PasswordResetTokenGenerator folds the current password hash into the token, so a link stops working as soon as the password has been changed.
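An added example covering the activation, reset and change-password steps above, not code from the original post or from Django itself: a stateless signed token that mirrors the design of Django's django.contrib.auth.tokens.PasswordResetTokenGenerator (a timestamp plus an HMAC over the user's primary key, password hash, last login, email and the timestamp), written standalone so it runs without Django. The User dataclass, the PBKDF2 hashing, the minimum length policy, the three-day time-out and the inclusion of is_active in the MAC input (so activation links are single-use) are assumptions. The reset request handler returns the same reply for known and unknown addresses.

```python
"""Stateless activation / password-reset tokens and the change-password check.

Added example, not the project's or Django's code. Mirrors the design of
Django's PasswordResetTokenGenerator. Assumptions: SECRET_KEY stands in for
settings.SECRET_KEY, TOKEN_TIMEOUT matches Django's PASSWORD_RESET_TIMEOUT
default of three days, and the password policy is a minimum length.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

SECRET_KEY = b"example-only-settings-SECRET_KEY"
TOKEN_TIMEOUT = 3 * 24 * 3600
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 12  # assumed policy; Django's validators are configurable


@dataclass
class User:
    """Stand-in for the auth User row; only the fields the tokens depend on."""
    pk: int
    email: str
    password_hash: str
    is_active: bool = False
    last_login: Optional[int] = None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"


def check_password(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def _hash_value(user: User, ts: int) -> str:
    # Everything whose change should kill outstanding links goes into the MAC
    # input: the password hash (changes on reset or change), last_login, the
    # email and, added here so activation links are single-use, is_active.
    login_ts = "" if user.last_login is None else str(user.last_login)
    return f"{user.pk}|{user.password_hash}|{login_ts}|{ts}|{user.email}|{user.is_active}"


def make_token(user: User, now: Optional[int] = None) -> str:
    """Token placed in the activation / reset link e-mailed to the user."""
    ts = int(time.time()) if now is None else now
    mac = hmac.new(SECRET_KEY, _hash_value(user, ts).encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{ts:x}-{mac}"  # Django uses base36 for the timestamp; hex is equivalent here


def check_token(user: User, token: str, now: Optional[int] = None) -> bool:
    """Recompute the MAC from the user's current state, then enforce the time-out."""
    now = int(time.time()) if now is None else now
    try:
        ts_hex, mac = token.split("-")
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, _hash_value(user, ts).encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    return 0 <= now - ts <= TOKEN_TIMEOUT


def activate(user: User, token: str, now: Optional[int] = None) -> bool:
    """Account activation: flipping is_active makes the used link stop verifying."""
    if not check_token(user, token, now):
        return False
    user.is_active = True
    return True


def reset_password(user: User, token: str, new_password: str, now: Optional[int] = None) -> bool:
    """Second reset request: re-check the link, then set the new password."""
    if not check_token(user, token, now) or len(new_password) < MIN_PASSWORD_LENGTH:
        return False
    user.password_hash = hash_password(new_password)  # the used link is now invalid
    return True


def change_password(user: User, current: str, new_password: str) -> bool:
    """Logged-in change: requires the current password and the policy."""
    if not check_password(current, user.password_hash):
        return False
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return False
    user.password_hash = hash_password(new_password)
    return True


def request_reset(users_by_email: dict, email: str, outbox: list) -> str:
    """First reset request. Same reply whether or not the address is known, so
    the endpoint cannot be used to enumerate accounts; sending is modelled by
    appending (address, token) to `outbox`."""
    user = users_by_email.get(email.lower())
    if user is not None:
        outbox.append((user.email, make_token(user)))
    return "If that address is registered, a reset link has been sent."
```

Because the token is recomputed from the user's current row, nothing needs to be stored per link: a change of password, email or activation state invalidates every outstanding link for that user, and the time-out handles abandoned ones.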
