Giving users the ability to create an account they can sign into is a common function for many websites.
Users might need an account to participate in a comment thread, save their personal information, or transfer money. Whatever the use case may be, you need to build an authentication system that’s simple and safe for your users.
After reading this post, you should have a solid understanding of how Django thinks about authentication – from users, to groups, to permissions. You’ll also see how Django plays things safe where it can in order to help you avoid inadvertently contributing your users’ information to "Have I Been Pwned".
For most websites, the basic entity of authentication is a user. A user is identified by some unique string, which is almost always an email address or username.
To prove someone is who they say they are, they must provide a password when creating an account, and again at any time they want to authenticate themselves. This should be familiar: you go through this kind of workflow any time you sign up for a service like Twitter or Netflix.
Django provides a User model for creating and managing users. Django users have a username and password, but can also optionally have an email address and a first and last name:
from django.contrib.auth.models import User
rafaela = User('rafaela', password='$uper$ecretpassword')
rafaela = User(
If you prefer to identify users by their email addresses, I recommend filling the username with the email address and keeping the address in the email field as well. This will allow users to authenticate using their email address while also allowing you to continue using Django’s built-in features that deal with email.
Django provides a level of security when it comes to passwords. It has a built-in set of password validators, some of which are enabled by default in new projects. You can write your own validators to enforce any password rules you might need, but choose wisely – it’s been shown that many password rules lead to decreased security!
In addition to password validation, Django safely stores password information by default. Django salts and hashes passwords before storing them when a user is created, so their plaintext password is no longer available outside the context of the initial registration request or when they log in.
Storing passwords in plaintext is a surprisingly common oversight in the industry, so let Django be your safety rail here!
Like other models you may have used in Django, user objects can be queried and filtered and so on:
User objects have several other fields, attributes, and methods that will make sense in context as you read on about the Django features that involve users.
Read more about groups, permissions, and more in the full article!