I have a few questions regarding tokens and username/pass pairs.

  1. I have a Django REST API set up which uses tokens once a user has registered. However, I do not know how to return the token to the user in a safe manner. Currently I use:

    response_data = UserSerializer(instance=new_user).data
    response_data['token'] = token.key
    return Response(response_data, status=status.HTTP_201_CREATED)
    

But in this way I can clearly see all of the details in my response body in the browser, even my password. How should I return it to the client?

  2. When registering a User I do it this way:

    serialized = UserSerializer(data=request.DATA)
    if serialized.is_valid():
        print(serialized.validated_data)
        new_user = get_user_model().objects.create(**serialized.validated_data)
        token = Token.objects.create(user=new_user)

Will this create my user properly? Will the password be hashed?

Thank you

P.S. here is the whole method:

    from django.contrib.auth import get_user_model
    from rest_framework import status
    from rest_framework.authtoken.models import Token
    from rest_framework.decorators import api_view
    from rest_framework.response import Response

    from .serializers import UserSerializer  # the app's own serializer; import path assumed


    @api_view(['POST'])
    def register_user(request):
        print(request)
        # request.DATA is the pre-DRF 3 name; current DRF exposes the same thing as request.data
        serialized = UserSerializer(data=request.DATA)
        if serialized.is_valid():
            print(serialized.validated_data)
            # create() saves the password field exactly as submitted; only create_user() hashes it
            new_user = get_user_model().objects.create(**serialized.validated_data)
            token = Token.objects.create(user=new_user)

            # the serialized user is returned as-is, so every serializer field (password included) is in the body
            response_data = UserSerializer(instance=new_user).data
            response_data['token'] = token.key
            return Response(response_data, status=status.HTTP_201_CREATED)
        else:
            # .errors is the public attribute; ._errors is an internal detail
            return Response(serialized.errors, status=status.HTTP_400_BAD_REQUEST)
mp3por

1 Answer


I would handle #1 by setting a cookie, if that works for your use case. Relevant SO Post: How to set cookie in Django view and then render template.

For #2, I believe you should use create_user rather than create. Check the Django docs here. A quick way to check and see if your passwords are getting hashed properly is to pop open a shell, grab a user object, and see what the password looks like:

    >>> u = User.objects.get(id=1)
    >>> u.password
    u'pbkdf2_sha256$12000$e30c2ea7a76f83b7c1a975ddc24286b675e714ebbbc72ccd5f0401730231ab57'

You will easily be able to tell whether or not the password has been hashed.

souldeux
  • Well I am sending it to an Android application ... I can't use cookies – mp3por Feb 10 '16 at 16:51
  • You were correct for 2 -> using create() does not hash the password, while using create_user() does – mp3por Feb 10 '16 at 16:55
  • The view you've written serializes your user data, attaches the `token` to it and returns it. If you want to leave certain data out (like the hashed password), you would want to remove that (or not include it at all) in your `response_data`. Without knowing exactly how you want your application to work, it's hard to give a more specific answer. Rendering the data you've returned is likely up to your android application logic rather than Django. – souldeux Feb 10 '16 at 17:18
  • No no, I do not want to render it. I just want to receive it in a secure way. Basically I am wondering: if I have SSL set up on the server, I would not have to do anything else to send the data, right? Cause the SSL will encrypt the whole body, therefore even if someone intercepts my response he/she will not be able to see the user's username/pass/token? – mp3por Feb 10 '16 at 17:33
  • As long as you are serving the data over HTTPS and have your certificate & SSL settings configured properly, to my understanding your data will be secure in transit from the server to the app. – souldeux Feb 10 '16 at 17:42
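A Django-free illustration of the check the answer describes and of the create() vs create_user() difference confirmed in the comments, added here and not part of either post: it re-implements the `pbkdf2_sha256$iterations$salt$hash` layout that Django's default hasher writes, so `is_hashed()` can tell the plaintext that `objects.create()` stores apart from the hash that `create_user()` stores. The salt and the sample password are constructed; in a real project use `django.contrib.auth.hashers.check_password` rather than this copy.

```python
import base64
import hashlib
import hmac
import secrets

# Django's default hasher stores "pbkdf2_sha256$<iterations>$<salt>$<base64 digest>".
# Added, Django-free re-implementation of that format for offline inspection;
# in a real project call django.contrib.auth.hashers.check_password instead.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 12000  # iteration count seen in the answer's shell output


def make_password(raw_password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Return a Django-format encoded password, i.e. what create_user() stores."""
    if salt is None:
        salt = secrets.token_hex(6)  # constructed salt; Django picks its own random one
    digest = hashlib.pbkdf2_hmac("sha256", raw_password.encode(), salt.encode(), iterations)
    encoded = base64.b64encode(digest).decode("ascii").strip()
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, encoded)


def is_hashed(stored):
    """The check the answer describes: does the password column hold a hasher string
    (algorithm$iterations$salt$hash), or the raw value that objects.create() saved?"""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    return parts[1].isdigit() and bool(parts[2]) and bool(parts[3])


def check_password(raw_password, stored):
    """Re-derive the digest with the stored salt/iterations; compare in constant time."""
    if not is_hashed(stored):
        return False
    _, iterations, salt, _ = stored.split("$")
    candidate = make_password(raw_password, salt=salt, iterations=int(iterations))
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    # Constructed sample of what the two ORM calls from the question leave in the DB.
    via_create = "hunter2"                      # objects.create(password="hunter2")
    via_create_user = make_password("hunter2")  # objects.create_user(...)
    print(via_create, "hashed:", is_hashed(via_create))
    print(via_create_user, "hashed:", is_hashed(via_create_user))
    print(check_password("hunter2", via_create_user), check_password("wrong", via_create_user))
```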