Django token authentication with hashed, salted tokens
- Django model with token id and token protected with hash and salt
- Authentication class using protected api tokens.
https://github.com/harisankar-krishna-swamy/django_salted_api_tokens
pip install django_salted_api_tokens
- Add
DSAT_TOKEN_LENGTH
insettings.py
Default:80
Max length:256
- Add
DSAT_MAX_TOKENS_PER_USER
insettings.py
. Maximum number of tokens allowed per user. Subsequent requests for tokens will be rejected.
Default:10
- Add
DSAT_HASHLIB_ALGO
insettings.py
. A string representing the hash algorithm from hashlib.
Supported values are 'sha512', 'sha256', 'sha384' Default:sha512
Example
DSAT_TOKEN_LENGTH = 80
DSAT_MAX_TOKENS_PER_USER = 10
DSAT_HASHLIB_ALGO = 'sha512'
- Add
django_salted_api_tokens
to installed apps along withrest_framework
.
Example
INSTALLED_APPS = [
...
'rest_framework',
'django_salted_api_tokens',
...
]
- Add salted tokens authentication class to
REST_FRAMEWORK
insettings.py
.
Example
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': [
'django_salted_api_tokens.authentication.TokenAuthentication',
],
}
- Add url to obtain token in your project
urls.py
.
Example
urlpatterns = [
...
path('dsat/', include('django_salted_api_tokens.urls')),
...
]
Run python manage.py migrate
to create model tables.
The url to obtain token will be available at dsat/create-dsat/
.
Example local url http://127.0.0.1:8000/dsat/create-dsat/
Create a user with password in your Django project.
# obtain token for user
curl -X POST -H "Content-Type: application/json" -d '{"username":"bob", "password":"bobspassword"}' http://127.0.0.1:8000/dsat/create-dsat/
{"token_id":"10bac501884e35723d7f28a63ddf845c656bd857",
"token":"9ec12fad574c0d6580e78f9f104f485ebad2eceea06cc9505c290bc0abce4d6ec1e85f1e25b8b04f",
"message":"These credentials will be lost forever if not stored now"}
# use token in a rest view using Authorization header
# Header format is token token_id token
curl -H "Authorization: token 10bac501884e35723d7f28a63ddf845c656bd857 9ec12fad574c0d6580e78f9f104f485ebad2eceea06cc9505c290bc0abce4d6ec1e85f1e25b8b04f" http:/127.0.0.1:8000/accounts/an-authenticated-view/
{"message":"Hello, World!"}
See example_django_project in source
python manage.py create_dsat_for_user username
Apache2 License
DSAT provides a basic protection of tokens Vs clear tokens. Read Python docs at
https://docs.python.org/3/library/hashlib.html