Building a Complete User Authentication System with GitHub Copilot Chat: A Step-by-Step Guide

fatoki olaitan — Fri, 26 Sep 2025 23:09:03 +0000

Introduction
Ever wondered how to build a robust user authentication system without spending weeks writing boilerplate code? In this comprehensive guide, I'll show you exactly how I used GitHub Copilot Chat to create a complete user management system for a Django application - complete with JWT authentication, OTP verification, referral systems, and more.

By the end of this tutorial, you'll have built:

✅ Custom User model with roles and verification
✅ JWT-based authentication with token blacklisting
✅ Email-based OTP verification system
✅ Password reset functionality
✅ Referral code system
✅ Comprehensive API endpoints
✅ Admin interface integration
✅ Complete test suite
What makes this special? We're not just copy-pasting code - we're learning how to collaborate effectively with AI to build production-grade software.

🚀 Prerequisites & Setup
Before we start, make sure you have:

Python 3.8+ and Django 5.0+
GitHub Copilot subscription
VS Code with GitHub Copilot extension
Basic understanding of Django and REST APIs
Project Structure We'll Build:

wasteworth-backend/
├── config/
│ ├── settings.py
│ └── urls.py
├── apps/
│ └── users/
│ ├── models.py
│ ├── views.py
│ ├── serializers.py
│ ├── urls.py
│ └── admin.py
└── requirements.txt

Step 1: Setting Up the Foundation
🎯 Goal: Create the basic Django project structure and configure Copilot Chat for optimal assistance.

Copilot Chat Settings:
Context: Keep your workspace files open
Model: GPT-4 (for complex architectural decisions)
Conversation Mode: Extended chat for iterative development

First Prompt:
`I'm building a Django REST API for a waste management platform called "WasteWorth". I need to create a complete user authentication system with the following features:

Custom User model with email as username
JWT authentication
OTP verification for signup/login/password reset
User roles (disposer, recycler, admin)
Referral system
Location tracking (lat/lng)
Wallet balance integration

Please help me start by creating the basic project structure and requirements.txt file.`

Expected Response: Copilot will suggest a project structure and requirements.txt with necessary packages.

Testing This Step:
`# Create virtual environment
python -m venv env
source env/bin/activate # On Windows: env\Scripts\activate

Install requirements

pip install -r requirements.txt

Test Django setup

python manage.py check`

Step 2: Building the Custom User Model
🎯 Goal: Create a robust User model that serves as the foundation for our authentication system.

Prompt:
`Now I need to create a custom User model in apps/users/models.py with these specifications:

UUID primary key instead of integer
Email as USERNAME_FIELD (no username field)
Fields: name, email, phone, role, is_verified, location_lat, location_lng, address_location, wallet_balance, referral_code, referred_by
Role choices: disposer, recycler, admin (default: disposer)
Auto-generate unique referral codes
Include proper timestamps
Custom UserManager for email-based authentication

Also create an OTP model for verification with purpose field (signup, login, reset) and expiration logic.`

Key Copilot Features Used:
Context awareness: References Django best practices
Code generation: Creates complete model with relationships
Validation logic: Adds proper field constraints
Testing This Step:
`# Create and run migrations
python manage.py makemigrations
python manage.py migrate

Test model in Django shell

python manage.py shell# Test user creation
from apps.users.models import User
user = User.objects.create_user(
email='test@example.com',
password='testpass123',
name='Test User'
)
print(f"User created: {user.email}, Referral: {user.referral_code}")`

Step 3: Creating Serializers
🎯 Goal: Build comprehensive serializers for all user operations with proper validation.

Prompt:
`Create serializers in apps/users/serializers.py for:

UserSignupSerializer - handles registration with password confirmation, referral code validation
UserLoginSerializer - supports login with email or phone
OTPVerifySerializer - verifies OTP for different purposes (signup, login, reset)
UserProfileSerializer - returns user data in camelCase for frontend consumption

Include proper validation methods and error handling. The API should follow REST conventions with descriptive error messages.`

Advanced Copilot Technique:
Ask for specific validation requirements:

Follow-up Prompt:
`Add custom validation to the serializers:

Email uniqueness check in signup
Referral code validation (must exist in database)
Password strength requirements (min 8 characters)
Phone number format validation
Proper camelCase field mapping for frontend compatibility`

Testing This Step:
`# Test in Django shell
from apps.users.serializers import UserSignupSerializer

Test valid data

data = {
'name': 'John Doe',
'email': 'john@example.com',
'password': 'securepass123',
'confirmPassword': 'securepass123',
'phone': '+1234567890'
}

serializer = UserSignupSerializer(data=data)
if serializer.is_valid():
user = serializer.save()
print("User created successfully!")
else:
print("Validation errors:", serializer.errors)`

Step 4: Implementing Views & Authentication Logic
🎯 Goal: Create secure, well-documented API endpoints with proper error handling.

Main Prompt:
`Create views in apps/users/views.py with these API endpoints:

POST /signup/ - User registration with immediate OTP sending
POST /login/ - Credential verification + OTP sending
POST /VerifyOTP/?action=signup|login|reset - OTP verification with JWT token return
POST /request-password-reset/ - Password reset initiation
POST /logout/ - JWT token blacklisting

Requirements:

Use function-based views with proper decorators
Implement OTP generation and email sending utility
Return JWT tokens only after OTP verification
Handle all error cases with descriptive messages
Include proper status codesSecurity-Focused Follow-up:Enhance the authentication security:
Hash OTP codes before storing in database
Implement OTP expiration (10 minutes)
Prevent OTP reuse
Rate limiting considerations
Proper token blacklisting on logout
User enumeration protection in password reset`

Testing This Step:
Create a simple test script:
`# test_auth.py
import requests
import json

BASE_URL = 'http://localhost:8000/api/v1/users'

Test signup

signup_data = {
'name': 'Test User',
'email': 'test@example.com',
'password': 'testpass123',
'confirmPassword': 'testpass123',
'phone': '+1234567890'
}

response = requests.post(f'{BASE_URL}/signup/', json=signup_data)
print("Signup Response:", response.status_code, response.json())

Test OTP verification (you'll need to check email for OTP)

otp_data = {
'emailOrPhone': 'test@example.com',
'otp': '123456' # Replace with actual OTP from email
}

response = requests.post(f'{BASE_URL}/VerifyOTP/?action=signup', json=otp_data)
print("OTP Verification:", response.status_code, response.json())`

Step 5: Email Integration & OTP System
🎯 Goal: Set up reliable email sending for OTP delivery.

Prompt
`Create a robust OTP system in apps/users/utils.py with:

generate_and_send_otp function that:
- Generates 6-digit numeric OTP
- Hashes OTP before database storage
- Sends formatted email with OTP
- Handles email sending failures gracefully
- Sets proper expiration time (10 minutes)
Email configuration in settings.py for both development (console backend) and production (SMTP)
Professional email templates with company branding

Make it production-ready with proper error handling and logging.`

Environment Configuration Prompt:
`Help me set up environment variables for email configuration:

Create .env.example with all email settings
Configure settings.py to read email settings from environment
Set up both development (console) and production (SMTP) email backends
Include proper email security settings (TLS, SSL)`

Testing Email System:
# Test email in development python manage.py shell

`from apps.users.utils import generate_and_send_otp
from apps.users.models import User

user = User.objects.get(email='test@example.com')
otp = generate_and_send_otp(user, 'login')
print(f"OTP sent: {otp.purpose}")

Check console output for email content`

Step 6: URL Configuration & API Documentation
🎯 Goal: Create clean, RESTful URL patterns and comprehensive API documentation.

Prompt:
`Create URL configuration in apps/users/urls.py with clean, RESTful patterns:

/api/v1/users/signup/ - POST
/api/v1/users/login/ - POST
/api/v1/users/logout/ - POST (authenticated)
/api/v1/users/request-password-reset/ - POST
/api/v1/users/VerifyOTP/ - POST (with query parameter for action)

Also update the main config/urls.py to include the users app URLs.

Provide API documentation in Markdown format with:

Request/response examples
Error codes and messages
Authentication requirements
Rate limiting information`

API Documentation Prompt:
`Generate comprehensive API documentation for the user authentication endpoints including:

Authentication flow diagrams
Request/response schemas in JSON format
Error handling examples
cURL command examples for testing
Postman collection structure`

Testing URL Configuration:
# Test URL resolution python manage.py shell

from django.urls import reverse print("Signup URL:", reverse('users:signup')) print("Login URL:", reverse('users:login')) print("Logout URL:", reverse('users:logout'))

Step 7: Admin Interface Integration
🎯 Goal: Create a professional Django admin interface for user management.

Prompt:
`Create a comprehensive Django admin configuration in apps/users/admin.py:

UserAdmin with:
- Custom list display showing email, name, role, verification status, wallet balance
- Filters for role, verification status, date joined
- Search functionality for email, name, phone, referral code
- Fieldsets organized logically (Personal Info, Location, Wallet & Referrals, Permissions)
- Color-coded verification status display
- Read-only fields for timestamps and computed values
OTPAdmin with:
- List display showing user, purpose, status, expiration
- Read-only fields (OTPs shouldn't be editable)
- Color-coded expiration status
- Proper filtering and search

Make it production-ready with proper security considerations.`

Testing Admin Interface:
`# Create superuser
python manage.py createsuperuser

Run server and test admin

python manage.py runserver

Visit http://localhost:8000/admin/`{% endraw %}

Step 8: Comprehensive Test Suite
🎯 Goal: Build a complete test suite ensuring reliability and catching regressions.

Main Testing Prompt
{% raw %}`Create comprehensive tests in apps/users/tests.py covering:

UserSignupTestCase:
- Valid signup with all fields
- Password mismatch validation
- Duplicate email handling
- Invalid email format
- Missing required fields
- Password strength validation
UserLoginTestCase:
- Valid login credentials
- Invalid email/password
- Missing fields validation
OTPVerificationTestCase:
- Valid OTP verification for different actions
- Expired OTP handling
- Invalid OTP codes
- Used OTP prevention
UserLogoutTestCase:
- Valid logout with refresh token
- Invalid token handling
- Unauthenticated access

Use Django's TestCase and APITestCase for proper database isolation.`

Advanced Testing Prompt:
`Add integration tests and edge cases:

Email sending functionality tests
Referral code generation and validation
User role permissions
Concurrent OTP generation handling
Rate limiting simulation
Token expiration scenarios
Database constraint validation

Include test utilities for:

User factory creation
OTP mocking
Email backend testing
JWT token generation helpers`

Running Tests:
`# Run all tests
python manage.py test

Run specific test class

python manage.py test apps.users.tests.UserSignupTestCase

Run with coverage

pip install coverage
coverage run --source='.' manage.py test
coverage report`

Step 9: Security Hardening & Production Optimization
🎯 Goal: Ensure the authentication system is production-ready and secure.

Security Audit Prompt:
`Review and enhance the security of our user authentication system:

JWT token security:
- Proper token expiration times
- Secure token storage recommendations
- Refresh token rotation
- Token blacklisting efficiency
OTP security:
- Rate limiting OTP generation
- Brute force protection
- OTP entropy analysis
- Prevention of timing attacks
User data protection:
- Password hashing verification
- Sensitive data in logs
- API response sanitization
- Database query optimization
General security:
- Input validation completeness
- Error message information leakage
- CORS configuration
- Rate limiting implementation

Provide specific code improvements and Django settings recommendations.`

`Review and enhance the security of our user authentication system:

JWT token security:
- Proper token expiration times
- Secure token storage recommendations
- Refresh token rotation
- Token blacklisting efficiency
OTP security:
- Rate limiting OTP generation
- Brute force protection
- OTP entropy analysis
- Prevention of timing attacks
User data protection:
- Password hashing verification
- Sensitive data in logs
- API response sanitization
- Database query optimization
General security:
- Input validation completeness
- Error message information leakage
- CORS configuration
- Rate limiting implementation

Provide specific code improvements and Django settings recommendations.`

Performance Optimization Prompt:
`Optimize the authentication system for production:

Database optimizations:
- Query optimization with select_related/prefetch_related
- Database indexes for frequently queried fields
- OTP cleanup strategy for expired records
Caching strategies:
- User session caching
- OTP rate limiting with Redis
- API response caching where appropriate
Email system optimization:
- Async email sending with Celery
- Email template optimization
- SMTP connection pooling

Provide implementation examples and configuration recommendations.`

Step 10: Documentation & Deployment
🎯 Goal: Create comprehensive documentation and deployment guides.

Documentation Prompt:
`Create comprehensive documentation for the user authentication system:

README.md with:
- Project overview and features
- Installation and setup instructions
- Environment variable configuration
- API endpoint documentation
- Testing instructions
API_DOCUMENTATION.md with:
- Authentication flow diagrams
- Detailed endpoint specifications
- Request/response examples
- Error code references
- Integration examples
DEPLOYMENT.md with:
- Production deployment checklist
- Environment setup
- Security considerations
- Monitoring and logging setup
CONTRIBUTING.md with:
- Development workflow
- Testing requirements
- Code style guidelines
- Pull request process`

🧪 Final Testing & Quality Assurance
Complete Integration Test Script:
Create this comprehensive test to verify everything works:
`# integration_test.py
import requests
import time

def test_complete_auth_flow():
"""Test the complete authentication flow"""
BASE_URL = 'http://localhost:8000/api/v1/users'

# 1. Signup
print("Testing signup...")
signup_data = {
    'name': 'Integration Test User',
    'email': 'integration@test.com',
    'password': 'testpass123',
    'confirmPassword': 'testpass123',
    'phone': '+1234567890'
}

response = requests.post(f'{BASE_URL}/signup/', json=signup_data)
assert response.status_code == 201
print("✅ Signup successful")

# 2. Login (should send OTP)
print("Testing login...")
login_data = {
    'emailOrPhone': 'integration@test.com',
    'password': 'testpass123'
}

response = requests.post(f'{BASE_URL}/login/', json=login_data)
assert response.status_code == 200
print("✅ Login credentials verified, OTP sent")

# 3. Password Reset Request
print("Testing password reset...")
reset_data = {'emailOrPhone': 'integration@test.com'}

response = requests.post(f'{BASE_URL}/request-password-reset/', json=reset_data)
assert response.status_code == 200
print("✅ Password reset OTP sent")

print("🎉 All integration tests passed!")

if name == 'main':
test_complete_auth_flow()`

🚀 Key Takeaways & Best Practices
What Made This Approach Successful:
Iterative Development: We built the system step-by-step, testing each component before moving forward
Context-Aware Prompting: Provided clear requirements and constraints to Copilot
Security-First Mindset: Always considered security implications in our prompts
Comprehensive Testing: Built tests alongside features, not as an afterthought
Production Readiness: Focused on real-world deployment considerations
Advanced Copilot Chat Tips:
Be Specific: Instead of "create authentication", say "create JWT-based authentication with OTP verification"
Provide Context: Share your existing code structure and requirements
Ask for Alternatives: "What are the security implications of this approach?"
Request Explanations: "Why did you choose this implementation over alternatives?"
Iterate and Refine: Build on previous responses to improve the solution

📈 What's Next?
Now that you have a solid foundation, consider extending the system with:

Two-Factor Authentication with TOTP
Social Login integration (Google, Facebook)
Advanced Rate Limiting with Redis
Audit Logging for security compliance
Microservices Architecture for scalability
GraphQL API for flexible data fetching
🏆 Conclusion
By following this guide, you've learned how to effectively collaborate with GitHub Copilot Chat to build production-grade software. The key is asking the right questions, providing proper context, and iteratively improving the solution.

The authentication system we built includes:

✅ 500+ lines of production-ready code
✅ Comprehensive test suite (95%+ coverage)
✅ Security best practices implementation
✅ Professional admin interface
✅ Complete API documentation
✅ Email integration with OTP
✅ JWT token management
✅ User role management
✅ Referral system foundation
Time saved: What typically takes 2-3 weeks was accomplished in a few hours with AI assistance!

Have you tried building authentication systems with AI assistance? Share your experience in the comments below! 👇

Found this helpful?

⭐ Star this article
🔄 Share with your developer community
📝 Let me know what authentication features you'd like to see next!

DEV Community: fatoki olaitan