DEV Community

Elvin Seyidov

Django notes #4 (User, Auth)

Custom User models
Model Managers
JWT
OAuth2

1️⃣ AbstractUser vs AbstractBaseUser
• When to use each
• How to extend AbstractUser properly
• How to implement AbstractBaseUser from scratch
• Pitfalls: forgetting USERNAME_FIELD, missing objects manager
2️⃣ User Profile & Related Models
• One-to-one user profile pattern
• Signal vs overridden create_user()
• Using get_user_model() safely
3️⃣ Custom Managers for User Queries
• Active users only, verified users, role-based filters
• Chainable custom managers
• Real-world examples (User.objects.admins().recent())
4️⃣ Authentication Backends
• Creating custom auth backends (email login, API key login, etc.)
• Combining multiple auth methods
• When to override authenticate()
5️⃣ Permissions & Groups
• Built-in User.has_perm(), is_superuser, is_staff
• Group-based permissions
• Custom permission decorators
• Best practices with RBAC (Role-Based Access Control)
6️⃣ Password Handling
• Django’s built-in hashing framework
• make_password(), check_password()
• Password validators (AUTH_PASSWORD_VALIDATORS)
• Force password change on login
7️⃣ JWT Authentication (via djangorestframework-simplejwt)
• Access vs Refresh token flow
• Custom claims (e.g. adding username, role)
• Token blacklist and rotation
• Security tips (token lifetime, HTTPS only, rotating secrets)
8️⃣ OAuth2 / Social Login
• Using django-allauth or django-oauth-toolkit
• Login with Google, GitHub, etc.
• Storing provider data (SocialAccount model)
• Connecting OAuth logins to existing Django users
9️⃣ Email-Based Auth (Advanced)
• Login with email instead of username
• Email verification flow (with expiring tokens)
• Resend link handling + anti-spam protection
🔟 Session vs Token-Based Auth
• Session-based (browser) vs token-based (API/mobile)
• Security comparison: CSRF vs JWT vulnerabilities
• When to use each, or combine both in hybrid apps
✅ Best Practices Summary
• Always use get_user_model() instead of importing User
• Use a custom user model from day one (AUTH_USER_MODEL)
• Avoid storing sensitive data in JWTs
• Use short-lived tokens + refresh flow
• Encrypt OAuth2 secrets & rotate them periodically
• Organize auth logic (views, serializers, managers) by concern
• Test login, password reset, and email verification thoroughly
💡 Bonus Ideas
• Implement "login throttling" (e.g. via django-axes)
• Add "magic link login" or passwordless auth
• Implement multi-factor authentication (MFA)
• Store user activity logs for auditing
• Add API rate limiting per user using DRF throttles
