
JWT Authentication in Django

尊渡假赌尊渡假赌尊渡假赌
Release: 2025-03-02 09:27:13

This tutorial introduces JSON Web Tokens (JWT) and demonstrates JWT authentication implementation in Django.

What are JWTs?

JWTs are encoded JSON strings sent in request headers for authentication. They are created by signing JSON data with a secret key, so the server can verify a token from its signature alone, eliminating the need for constant database queries to verify user tokens.

How JWTs Work

A successful login generates a JWT, which the client stores locally. Subsequent requests to protected URLs include this token in the Authorization header. The server verifies the JWT in that header and grants access if it is valid. A typical header looks like: Authorization: Bearer <token>

The process is illustrated below:

[Figure: JWT Authentication in Django]
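The signing and verification steps described above, as an added example that is not part of the original tutorial and is not djangorestframework-jwt's own code. It uses only the Python standard library; the function names and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real secret


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature, signed with HMAC-SHA256 (HS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = b64url_encode(sign(f"{header}.{payload}", secret))
    return f"{header}.{payload}.{signature}"


def verify_authorization(header_value: str, secret: bytes, now=None) -> dict:
    """Return the claims of a valid 'Bearer <token>' header, else raise ValueError."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; a token must not choose its own verification.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = sign(f"{header_b64}.{payload_b64}", secret)
    # Constant-time comparison, done before the payload is parsed or trusted.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("token expired or missing exp")
    return claims
```

The payload is only base64url-encoded, not encrypted, so anyone holding a token can read its claims; the signature protects integrity, not confidentiality.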

Authentication vs. Authorization

Authentication confirms user identity; authorization determines access rights to specific resources.

Django JWT Authentication Example

This tutorial builds a simple Django user authentication system using JWT.

Prerequisites:

  • Django
  • Python

Setup:

  1. Create a project directory and virtual environment:

    mkdir myprojects
    cd myprojects
    python3 -m venv venv  # or virtualenv venv
  2. Activate the environment:

    source venv/bin/activate  # or venv\Scripts\activate (Windows)
  3. Create a Django project:

    django-admin startproject django_auth
  4. Install required packages (note that djangorestframework-jwt is no longer maintained upstream):

    pip install djangorestframework djangorestframework-jwt django psycopg2
  5. Configure JWT settings in settings.py:

    REST_FRAMEWORK = {
        'DEFAULT_AUTHENTICATION_CLASSES': (
            'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
        ),
    }
  6. Create a users app:

    cd django_auth
    python manage.py startapp users
  7. Add users to INSTALLED_APPS in settings.py.

Database Setup (PostgreSQL):

  1. Create the auth database and a django_auth user with appropriate permissions (replace 'asdfgh' with a strong password). Consult PostgreSQL documentation for detailed instructions.

  2. Update settings.py DATABASES to use PostgreSQL:

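    DATABASES = {
        'default': {
            # 'postgresql_psycopg2' is a deprecated alias that newer Django releases no longer accept
            'ENGINE': 'django.db.backends.postgresql',
            'NAME': 'auth',
            'USER': 'django_auth',
            'PASSWORD': 'asdfgh',  # placeholder from step 1; replace with a strong password
            'HOST': 'localhost',
            'PORT': '',  # empty string selects the default port
        }
    }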

Models (users/models.py):

Create a custom user model inheriting from AbstractBaseUser and PermissionsMixin:

from django.db import models
from django.utils import timezone
from django.contrib.auth.models import AbstractBaseUser, PermissionsMixin, BaseUserManager
from django.db import transaction

class UserManager(BaseUserManager):
    # ... (UserManager methods as in original example) ...
    pass  # placeholder so the module parses; the methods are elided on this page

class User(AbstractBaseUser, PermissionsMixin):
    # ... (User model fields as in original example) ...
    objects = UserManager()
    USERNAME_FIELD = 'email'
    REQUIRED_FIELDS = ['first_name', 'last_name']
    # ... (save method as in original example) ...

Migrations:

python manage.py makemigrations users
python manage.py migrate
python manage.py createsuperuser

User Serializers (users/serializers.py):

from rest_framework import serializers
from .models import User

class UserSerializer(serializers.ModelSerializer):
    date_joined = serializers.ReadOnlyField()

    class Meta:
        model = User
        fields = ('id', 'email', 'first_name', 'last_name', 'date_joined', 'password')
        extra_kwargs = {'password': {'write_only': True}}

User Views (users/views.py):

from rest_framework.views import APIView
from rest_framework.response import Response
from rest_framework import status
from rest_framework.permissions import AllowAny, IsAuthenticated
from rest_framework.generics import RetrieveUpdateAPIView
from rest_framework_jwt.settings import api_settings
from .serializers import UserSerializer
from .models import User
from django.conf import settings
import jwt
from rest_framework.decorators import api_view, permission_classes
from django.dispatch import Signal

jwt_payload_handler = api_settings.JWT_PAYLOAD_HANDLER
jwt_encode_handler = api_settings.JWT_ENCODE_HANDLER
user_logged_in = Signal()


class CreateUserAPIView(APIView):
    permission_classes = (AllowAny,)

    def post(self, request):
        user = request.data
        serializer = UserSerializer(data=user)
        serializer.is_valid(raise_exception=True)
        serializer.save()
        return Response(serializer.data, status=status.HTTP_201_CREATED)

class UserRetrieveUpdateAPIView(RetrieveUpdateAPIView):
    permission_classes = (IsAuthenticated,)
    serializer_class = UserSerializer

    def get(self, request, *args, **kwargs):
        serializer = self.serializer_class(request.user)
        return Response(serializer.data, status=status.HTTP_200_OK)

    def put(self, request, *args, **kwargs):
        serializer_data = request.data.get('user', {})
        serializer = UserSerializer(request.user, data=serializer_data, partial=True)
        serializer.is_valid(raise_exception=True)
        serializer.save()
        return Response(serializer.data, status=status.HTTP_200_OK)

@api_view(['POST'])
@permission_classes([AllowAny, ])
def authenticate_user(request):
    # ... (authentication logic as in original example) ...
    pass  # placeholder so the module parses; the logic is elided on this page

URLs (users/urls.py and django_auth/urls.py):


Remember to adjust the JWT settings in settings.py as needed, especially SECRET_KEY, which djangorestframework-jwt uses by default to sign tokens. Test the endpoints using tools like Postman, and handle exceptions appropriately in a production environment.
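One way to set those JWT settings, as an added example that is not part of the original tutorial. The JWT_AUTH keys are djangorestframework-jwt settings; the helper names, the DJANGO_SECRET_KEY variable name and the 32-character minimum are assumptions. The library's default header prefix is JWT, so the Authorization: Bearer header shown earlier is only accepted once JWT_AUTH_HEADER_PREFIX is set to Bearer.

```python
import os
from datetime import timedelta

MIN_KEY_LENGTH = 32  # assumption: at least as long as the 256-bit HS256 hash output


def load_signing_key(env) -> str:
    """Read the key from the environment; refuse a missing or short value."""
    key = env.get("DJANGO_SECRET_KEY", "")  # hypothetical variable name
    if len(key) < MIN_KEY_LENGTH:
        raise RuntimeError(
            "DJANGO_SECRET_KEY must be set to at least %d characters" % MIN_KEY_LENGTH
        )
    return key


def build_jwt_auth(signing_key: str) -> dict:
    """Return a JWT_AUTH dict for djangorestframework-jwt."""
    return {
        # Defaults to settings.SECRET_KEY; set explicitly so the source is visible.
        "JWT_SECRET_KEY": signing_key,
        "JWT_ALGORITHM": "HS256",
        # Keep signature and expiry checks on; both can be disabled by config.
        "JWT_VERIFY": True,
        "JWT_VERIFY_EXPIRATION": True,
        # Short-lived tokens limit how long a stolen token stays usable.
        "JWT_EXPIRATION_DELTA": timedelta(minutes=5),
        "JWT_ALLOW_REFRESH": False,
        # Library default is "JWT"; this matches "Authorization: Bearer <token>".
        "JWT_AUTH_HEADER_PREFIX": "Bearer",
    }


# In settings.py (kept as comments so this block runs without the variable set):
# SECRET_KEY = load_signing_key(os.environ)
# JWT_AUTH = build_jwt_auth(SECRET_KEY)
```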
