tags:

views:

94

answers:

1
Q: 

Custom authentication with django?

Because I didn't want to use Django's in-build authentication system (maybe I should do, please tell me if this is the case), I created a simple little auth class:

import random
import hashlib
from myapp import models

class CustomerAuth:
    key = 'customer'

    def __init__(self, session):
        self.session = session

    def attempt(self, email_address, password):
        password_hash = hashlib.sha1(password).hexdigest()
        try:
            return models.Customer.objects.get(
                email_address=email_address,
                password_hash=password_hash)
        except models.Customer.DoesNotExist:
            return None

    def login(self, customer):
        self.session[self.key] = customer

    def logout(self):
        if self.session.has_key(self.key):
            self.session[self.key] = None

    def is_logged_in(self):
        return self.session.has_key(self.key)
            and self.session[self.key] != None

    def get_active(self):
        if self.is_logged_in():
            return self.session[self.key]
        else:
            raise Exception('No user is logged in.')

    def redirect_to_login(self):
        return HttpResponseRedirect('/login/')

    def redirect_from_login(self):
        return HttpResponseRedirect('/account/')

The problem is, that when I want to use it to stop unauthorized access, I have to use this code snippet in every single view method:

def example(req):
    auth = CustomerAuth(req.session)
    if not auth.is_logged_in():
        return auth.redirect_to_login()

As you can imagine, this yields fairly ugly and repetitive code. What is a better way of doing this? Should I be using Django's auth framework?

+4  A: 

Firstly, yes you should use Django's authentication framework, and build your own custom auth backend.

Secondly, however you do it, you'll need to have something in the views that you want to restrict access to. The best way to do that is via a decorator on the view. Again, Django's built-in framework gives you access to the @login_required decorator, which does exactly what you want.

Daniel Roseman  2009-11-23 11:07:53
Thanks - just implemented it now. It's actually very easy to do surprisingly. Plus, I don't need to use the username attribute even through it's "required" (since I want to do authentication with email addresses).
nbolton  2009-11-24 21:18:41

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication