DEV Community: sribalu The latest articles on DEV Community by sribalu (@sribalu_sribalu_2e2394502). https://dev.to/sribalu_sribalu_2e2394502 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3837706%2F8709d44d-4a2e-4e2c-8ec5-979f49d56514.png DEV Community: sribalu https://dev.to/sribalu_sribalu_2e2394502 en Django REST API with PostgreSQL — Advanced Queries & Optimization sribalu Tue, 31 Mar 2026 18:20:16 +0000 https://dev.to/sribalu_sribalu_2e2394502/django-rest-api-with-postgresql-advanced-queries-optimization-9h2 https://dev.to/sribalu_sribalu_2e2394502/django-rest-api-with-postgresql-advanced-queries-optimization-9h2 <p>Introduction<br> Building a REST API with Django REST Framework (DRF) is straightforward — but making it fast and scalable with PostgreSQL requires understanding advanced query techniques. In this guide, you'll learn how to write optimized queries, avoid common pitfalls like the N+1 problem, use PostgreSQL-specific features, and measure performance.</p> <p>Prerequisites</p> <p>Django + DRF project set up<br> PostgreSQL connected via psycopg2<br> Basic understanding of Django ORM</p> <ol> <li>Project Setup We'll use a simple blogging API with these models: python# models.py from django.db import models</li> </ol> <p>class Author(models.Model):<br> name = models.CharField(max_length=100)<br> email = models.EmailField(unique=True)<br> bio = models.TextField(blank=True)</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def __str__(self): return self.name </code></pre> </div> <p>class Tag(models.Model):<br> name = models.CharField(max_length=50, unique=True)</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def __str__(self): return self.name </code></pre> </div> <p>class Post(models.Model):<br> title = models.CharField(max_length=200)<br> content = models.TextField()<br> author = models.ForeignKey(Author, on_delete=models.CASCADE, related_name='posts')<br> tags = models.ManyToManyField(Tag, blank=True)<br> created_at = models.DateTimeField(auto_now_add=True)<br> published = models.BooleanField(default=False)<br> view_count = models.PositiveIntegerField(default=0)</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>class Meta: indexes = [ models.Index(fields=['created_at']), models.Index(fields=['author', 'published']), ] def __str__(self): return self.title </code></pre> </div> <p>Notice the Meta.indexes — we're already thinking about query performance at the model level.</p> <ol> <li>The N+1 Problem (And How to Kill It) The N+1 problem is the #1 performance killer in Django APIs. It happens when you fetch a list of objects and then make a separate database query for each one. The bad way: python# views.py — DON'T DO THIS class PostListView(generics.ListAPIView): queryset = Post.objects.all() serializer_class = PostSerializer</li> </ol> <h1> serializers.py — This triggers N+1 </h1> <p>class PostSerializer(serializers.ModelSerializer):<br> author_name = serializers.SerializerMethodField()</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def get_author_name(self, obj): return obj.author.name # 1 query per post! class Meta: model = Post fields = ['id', 'title', 'author_name'] </code></pre> </div> <p>With 100 posts, this runs 101 queries — 1 to fetch posts, then 1 per post to get the author.<br> The fix — select_related for ForeignKey:<br> python# views.py — DO THIS<br> class PostListView(generics.ListAPIView):<br> serializer_class = PostSerializer</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def get_queryset(self): return Post.objects.select_related('author').all() </code></pre> </div> <p>Now Django fetches everything in 1 SQL JOIN query.<br> Use prefetch_related for ManyToMany:<br> pythondef get_queryset(self):<br> return Post.objects.select_related('author').prefetch_related('tags').all()<br> This runs 2 queries total (posts + tags), regardless of how many rows are returned.</p> <ol> <li>Filtering with django-filter Install the package: bashpip install django-filter Add to settings: pythonINSTALLED_APPS = [..., 'django_filters']</li> </ol> <p>REST_FRAMEWORK = {<br> 'DEFAULT_FILTER_BACKENDS': ['django_filters.rest_framework.DjangoFilterBackend'],<br> }<br> Create a filter class:<br> python# filters.py<br> import django_filters<br> from .models import Post</p> <p>class PostFilter(django_filters.FilterSet):<br> author = django_filters.CharFilter(field_name='author_<em>name', lookup_expr='icontains')<br> tag = django_filters.CharFilter(field_name='tags</em>_name', lookup_expr='iexact')<br> published = django_filters.BooleanFilter()<br> created_after = django_filters.DateFilter(field_name='created_at', lookup_expr='gte')<br> created_before = django_filters.DateFilter(field_name='created_at', lookup_expr='lte')</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>class Meta: model = Post fields = ['author', 'tag', 'published', 'created_after', 'created_before'] </code></pre> </div> <p>Wire it up in the view:<br> pythonfrom .filters import PostFilter</p> <p>class PostListView(generics.ListAPIView):<br> serializer_class = PostSerializer<br> filterset_class = PostFilter</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def get_queryset(self): return Post.objects.select_related('author').prefetch_related('tags') </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Now your API supports queries like: </code></pre> </div> <p>GET /api/posts/?author=sri&amp;published=true&amp;created_after=2026-01-01</p> <ol> <li>PostgreSQL-Specific Features This is where PostgreSQL really shines over SQLite or MySQL. Full-Text Search pythonfrom django.contrib.postgres.search import SearchVector, SearchQuery, SearchRank</li> </ol> <p>class PostSearchView(generics.ListAPIView):<br> serializer_class = PostSerializer</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def get_queryset(self): query = self.request.query_params.get('q', '') if not query: return Post.objects.none() search_query = SearchQuery(query) search_vector = SearchVector('title', weight='A') + SearchVector('content', weight='B') return ( Post.objects .annotate(rank=SearchRank(search_vector, search_query)) .filter(rank__gte=0.1) .order_by('-rank') .select_related('author') ) </code></pre> </div> <p>Usage: GET /api/posts/search/?q=django+authentication<br> PostgreSQL ranks results by relevance — title matches score higher than body matches.<br> ArrayField for Tags (Alternative Approach)<br> pythonfrom django.contrib.postgres.fields import ArrayField</p> <p>class Article(models.Model):<br> title = models.CharField(max_length=200)<br> keywords = ArrayField(models.CharField(max_length=50), blank=True, default=list)<br> Query it:<br> python# Posts where keywords contain 'django'<br> Article.objects.filter(keywords__contains=['django'])</p> <h1> Posts where keywords overlap with a list </h1> <p>Article.objects.filter(keywords__overlap=['django', 'python'])<br> JSONField for Flexible Metadata<br> pythonclass Post(models.Model):<br> # ... other fields<br> metadata = models.JSONField(default=dict, blank=True)</p> <h1> Store anything </h1> <p>post.metadata = {'reading_time': 5, 'difficulty': 'intermediate', 'version': '4.2'}<br> post.save()</p> <h1> Query into JSON </h1> <p>Post.objects.filter(metadata_<em>difficulty='intermediate')<br> Post.objects.filter(metadata</em><em>reading_time</em>_gte=3)</p> <ol> <li>Aggregations &amp; Annotations Annotations let you add computed fields directly in the queryset — pushing work to the database instead of Python. pythonfrom django.db.models import Count, Avg, Sum, F, Q</li> </ol> <p>class AuthorStatsView(generics.ListAPIView):<br> serializer_class = AuthorStatsSerializer</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def get_queryset(self): return Author.objects.annotate( post_count=Count('posts'), published_count=Count('posts', filter=Q(posts__published=True)), total_views=Sum('posts__view_count'), avg_views=Avg('posts__view_count'), ).order_by('-total_views') </code></pre> </div> <p>The serializer:<br> pythonclass AuthorStatsSerializer(serializers.ModelSerializer):<br> post_count = serializers.IntegerField()<br> published_count = serializers.IntegerField()<br> total_views = serializers.IntegerField()<br> avg_views = serializers.FloatField()</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>class Meta: model = Author fields = ['id', 'name', 'post_count', 'published_count', 'total_views', 'avg_views'] </code></pre> </div> <p>This is one SQL query that returns all stats — no Python loops needed.</p> <ol> <li>Pagination for Large Datasets Never return unbounded querysets in production. DRF has three built-in strategies: python# settings.py REST_FRAMEWORK = { 'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.CursorPagination', 'PAGE_SIZE': 20, } Cursor pagination is the most efficient for large tables — it uses a database cursor instead of OFFSET, which gets slow on millions of rows. Custom cursor pagination: pythonfrom rest_framework.pagination import CursorPagination</li> </ol> <p>class PostCursorPagination(CursorPagination):<br> page_size = 20<br> ordering = '-created_at'<br> cursor_query_param = 'cursor'</p> <ol> <li>Measuring Query Performance Never guess — always measure. Django Debug Toolbar (Development) bashpip install django-debug-toolbar python# settings.py INSTALLED_APPS = [..., 'debug_toolbar'] MIDDLEWARE = ['debug_toolbar.middleware.DebugToolbarMiddleware', ...] INTERNAL_IPS = ['127.0.0.1'] This shows every SQL query, its duration, and a stack trace in the browser. Query Counting in Tests python# tests.py from django.test import TestCase from django.test.utils import override_settings</li> </ol> <p>class PostListQueryTest(TestCase):<br> def setUp(self):<br> # Create test data<br> author = Author.objects.create(name='Sri', email='<a href="mailto:sri@example.com">sri@example.com</a>')<br> for i in range(10):<br> Post.objects.create(title=f'Post {i}', author=author, published=True)</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def test_post_list_query_count(self): with self.assertNumQueries(2): # 1 for posts, 1 for tags response = self.client.get('/api/posts/') self.assertEqual(response.status_code, 200) </code></pre> </div> <p>If this test fails with 12 queries instead of 2, you know you have an N+1 somewhere.<br> Explain Analyze (PostgreSQL)<br> pythonfrom django.db import connection</p> <p>queryset = Post.objects.select_related('author').filter(published=True)<br> print(queryset.query) # Raw SQL</p> <h1> Run EXPLAIN ANALYZE in psql </h1> <h1> EXPLAIN ANALYZE SELECT * FROM blog_post WHERE published = true; </h1> <p>Look for Seq Scan on large tables — that's a signal you need an index.</p> <ol> <li>Putting It All Together — Optimized ViewSet python# views.py from rest_framework import viewsets, filters from django_filters.rest_framework import DjangoFilterBackend from .models import Post from .serializers import PostSerializer from .filters import PostFilter from .pagination import PostCursorPagination</li> </ol> <p>class PostViewSet(viewsets.ReadOnlyModelViewSet):<br> serializer_class = PostSerializer<br> filterset_class = PostFilter<br> pagination_class = PostCursorPagination<br> filter_backends = [DjangoFilterBackend, filters.SearchFilter, filters.OrderingFilter]<br> search_fields = ['title', 'content']<br> ordering_fields = ['created_at', 'view_count']<br> ordering = ['-created_at']</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def get_queryset(self): return ( Post.objects .select_related('author') .prefetch_related('tags') .filter(published=True) .only('id', 'title', 'created_at', 'view_count', 'author__name') # .only() fetches just the columns you need — saves bandwidth ) </code></pre> </div> <p>The .only() call is the final optimization — it tells PostgreSQL to return only the columns your serializer actually uses, reducing data transfer.</p> <p>Key Takeaways<br> TechniqueWhen to Useselect_relatedForeignKey / OneToOne relationshipsprefetch_relatedManyToMany / reverse FK relationshipsannotate()Computed fields — push math to the DBonly() / defer()Large tables where you don't need all columnsFull-text searchSearch bars with relevance rankingCursor paginationLarge datasets (10k+ rows)assertNumQueriesCatch N+1 regressions in CI</p> <p>What's Next<br> In Part 4, we'll set up a full CI/CD pipeline for Django using GitHub Actions — automated testing, linting, and deployment on every push.</p> <p>Part of the Django Production Series. Part 1 — Authentication | Part 2 — Docker Deployment</p> django python postgres backend Django + Docker Deployment: A Complete Production Guide sribalu Sat, 21 Mar 2026 23:50:14 +0000 https://dev.to/sribalu_sribalu_2e2394502/django-docker-deployment-a-complete-production-guide-52lm https://dev.to/sribalu_sribalu_2e2394502/django-docker-deployment-a-complete-production-guide-52lm <h1> Django + Docker Deployment: A Complete Production Guide </h1> <p><strong>Level:</strong> Intermediate | <strong>Read Time:</strong> 14 min | <strong>Author:</strong> Sri Balu</p> <h2> Introduction </h2> <p>Deploying Django applications used to mean wrestling with server configurations, dependency conflicts, and "it works on my machine" nightmares. Docker changes all of that.</p> <p>In this guide, we'll containerize a Django application from scratch, wire it up with PostgreSQL and Nginx, and deploy it to a production server — the right way.</p> <p>Here's what we'll cover:</p> <ul> <li>Why Docker for Django applications</li> <li>Writing a production-ready Dockerfile</li> <li>Docker Compose for multi-container setup (Django + PostgreSQL + Nginx)</li> <li>Environment variables and secrets management</li> <li>Static files and media files handling</li> <li>Running database migrations automatically</li> <li>Deploying to a Linux server (Ubuntu)</li> <li>Common pitfalls and how to avoid them</li> </ul> <h2> 1. Why Docker for Django? </h2> <p>Before we write any code, let's understand why Docker has become the standard for Django deployments.</p> <h3> The Problem Without Docker </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer A: "It works on my machine!" Developer B: "But it crashes on mine..." DevOps: "It works in staging but not production..." </code></pre> </div> <h3> What Docker Solves </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Docker Solution</th> </tr> </thead> <tbody> <tr> <td>Dependency conflicts</td> <td>Isolated containers per service</td> </tr> <tr> <td>Environment differences</td> <td>Same image runs everywhere</td> </tr> <tr> <td>Complex setup</td> <td>One command: <code>docker compose up</code> </td> </tr> <tr> <td>Scaling</td> <td>Spin up multiple containers easily</td> </tr> <tr> <td>Rollback</td> <td>Switch back to previous image instantly</td> </tr> </tbody> </table></div> <h2> 2. Project Structure </h2> <p>Here's the structure we'll build:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>myproject/ ├── app/ │ ├── manage.py │ ├── myproject/ │ │ ├── settings/ │ │ │ ├── base.py │ │ │ ├── development.py │ │ │ └── production.py │ │ ├── urls.py │ │ └── wsgi.py │ └── requirements/ │ ├── base.txt │ └── production.txt ├── nginx/ │ └── nginx.conf ├── .env ├── .env.example ├── docker-compose.yml ├── docker-compose.prod.yml └── Dockerfile </code></pre> </div> <h2> 3. Writing a Production-Ready Dockerfile </h2> <p>A good Dockerfile uses <strong>multi-stage builds</strong> to keep the final image small and secure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Dockerfile</span> <span class="c"># ─── Stage 1: Builder ───────────────────────────────────────</span> <span class="k">FROM</span><span class="w"> </span><span class="s">python:3.12-slim</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="c"># Set environment variables</span> <span class="k">ENV</span><span class="s"> PYTHONDONTWRITEBYTECODE=1 \</span> PYTHONUNBUFFERED=1 \ PIP_NO_CACHE_DIR=1 <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Install system dependencies</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="se">\ </span> build-essential <span class="se">\ </span> libpq-dev <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># Install Python dependencies</span> <span class="k">COPY</span><span class="s"> requirements/base.txt requirements/production.txt ./requirements/</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--upgrade</span> pip <span class="se">\ </span> <span class="o">&amp;&amp;</span> pip <span class="nb">install</span> <span class="nt">-r</span> requirements/production.txt <span class="c"># ─── Stage 2: Production Image ──────────────────────────────</span> <span class="k">FROM</span><span class="w"> </span><span class="s">python:3.12-slim</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">production</span> <span class="k">ENV</span><span class="s"> PYTHONDONTWRITEBYTECODE=1 \</span> PYTHONUNBUFFERED=1 <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Install only runtime dependencies</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="se">\ </span> libpq5 <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># Copy installed packages from builder</span> <span class="k">COPY</span><span class="s"> --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages</span> <span class="k">COPY</span><span class="s"> --from=builder /usr/local/bin /usr/local/bin</span> <span class="c"># Copy project files</span> <span class="k">COPY</span><span class="s"> app/ .</span> <span class="c"># Create non-root user for security</span> <span class="k">RUN </span>addgroup <span class="nt">--system</span> django <span class="se">\ </span> <span class="o">&amp;&amp;</span> adduser <span class="nt">--system</span> <span class="nt">--ingroup</span> django django <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">chown</span> <span class="nt">-R</span> django:django /app <span class="k">USER</span><span class="s"> django</span> <span class="c"># Expose port</span> <span class="k">EXPOSE</span><span class="s"> 8000</span> <span class="c"># Start Gunicorn</span> <span class="k">CMD</span><span class="s"> ["gunicorn", "myproject.wsgi:application", \</span> "--bind", "0.0.0.0:8000", \ "--workers", "3", \ "--timeout", "120"] </code></pre> </div> <h3> Key Dockerfile Best Practices </h3> <ul> <li> <strong>Multi-stage builds</strong> — keeps final image lean (no build tools in production)</li> <li> <strong>Non-root user</strong> — runs Django as <code>django</code> user, not root (security!)</li> <li> <strong>Gunicorn</strong> — production WSGI server, never use <code>runserver</code> in production</li> <li> <strong><code>PYTHONUNBUFFERED=1</code></strong> — ensures logs appear in real time</li> </ul> <h2> 4. Requirements Files </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># requirements/base.txt Django==5.0.4 djangorestframework==3.15.1 psycopg2==2.9.9 python-decouple==3.8 whitenoise==6.6.0 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># requirements/production.txt -r base.txt gunicorn==21.2.0 </code></pre> </div> <h2> 5. Django Settings for Docker </h2> <p>Split your settings into base and production:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/myproject/settings/base.py </span><span class="kn">from</span> <span class="n">decouple</span> <span class="kn">import</span> <span class="n">config</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="nf">config</span><span class="p">(</span><span class="sh">'</span><span class="s">SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="nf">config</span><span class="p">(</span><span class="sh">'</span><span class="s">DEBUG</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">cast</span><span class="o">=</span><span class="nb">bool</span><span class="p">)</span> <span class="n">ALLOWED_HOSTS</span> <span class="o">=</span> <span class="nf">config</span><span class="p">(</span><span class="sh">'</span><span class="s">ALLOWED_HOSTS</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="sh">''</span><span class="p">).</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">,</span><span class="sh">'</span><span class="p">)</span> <span class="n">DATABASES</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">default</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">ENGINE</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">django.db.backends.postgresql</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">NAME</span><span class="sh">'</span><span class="p">:</span> <span class="nf">config</span><span class="p">(</span><span class="sh">'</span><span class="s">POSTGRES_DB</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">USER</span><span class="sh">'</span><span class="p">:</span> <span class="nf">config</span><span class="p">(</span><span class="sh">'</span><span class="s">POSTGRES_USER</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">PASSWORD</span><span class="sh">'</span><span class="p">:</span> <span class="nf">config</span><span class="p">(</span><span class="sh">'</span><span class="s">POSTGRES_PASSWORD</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">HOST</span><span class="sh">'</span><span class="p">:</span> <span class="nf">config</span><span class="p">(</span><span class="sh">'</span><span class="s">POSTGRES_HOST</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="sh">'</span><span class="s">db</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">PORT</span><span class="sh">'</span><span class="p">:</span> <span class="nf">config</span><span class="p">(</span><span class="sh">'</span><span class="s">POSTGRES_PORT</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="sh">'</span><span class="s">5432</span><span class="sh">'</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Static files </span><span class="n">STATIC_URL</span> <span class="o">=</span> <span class="sh">'</span><span class="s">/static/</span><span class="sh">'</span> <span class="n">STATIC_ROOT</span> <span class="o">=</span> <span class="sh">'</span><span class="s">/app/staticfiles</span><span class="sh">'</span> <span class="n">MEDIA_URL</span> <span class="o">=</span> <span class="sh">'</span><span class="s">/media/</span><span class="sh">'</span> <span class="n">MEDIA_ROOT</span> <span class="o">=</span> <span class="sh">'</span><span class="s">/app/mediafiles</span><span class="sh">'</span> <span class="c1"># Whitenoise for static files </span><span class="n">MIDDLEWARE</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">django.middleware.security.SecurityMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">whitenoise.middleware.WhiteNoiseMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="c1"># Add this! </span> <span class="bp">...</span> <span class="p">]</span> <span class="n">STATICFILES_STORAGE</span> <span class="o">=</span> <span class="sh">'</span><span class="s">whitenoise.storage.CompressedManifestStaticFilesStorage</span><span class="sh">'</span> </code></pre> </div> <h2> 6. Environment Variables (.env) </h2> <p>Never hardcode secrets! Use a <code>.env</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .env (never commit this to git!)</span> <span class="nv">SECRET_KEY</span><span class="o">=</span>your-super-secret-key-here <span class="nv">DEBUG</span><span class="o">=</span>False <span class="nv">ALLOWED_HOSTS</span><span class="o">=</span>localhost,127.0.0.1,yourdomain.com <span class="c"># PostgreSQL</span> <span class="nv">POSTGRES_DB</span><span class="o">=</span>myproject_db <span class="nv">POSTGRES_USER</span><span class="o">=</span>myproject_user <span class="nv">POSTGRES_PASSWORD</span><span class="o">=</span>strong_password_here <span class="nv">POSTGRES_HOST</span><span class="o">=</span>db <span class="nv">POSTGRES_PORT</span><span class="o">=</span>5432 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .env.example (commit this — no real secrets)</span> <span class="nv">SECRET_KEY</span><span class="o">=</span>your-secret-key <span class="nv">DEBUG</span><span class="o">=</span>False <span class="nv">ALLOWED_HOSTS</span><span class="o">=</span>localhost <span class="nv">POSTGRES_DB</span><span class="o">=</span>myproject_db <span class="nv">POSTGRES_USER</span><span class="o">=</span>myproject_user <span class="nv">POSTGRES_PASSWORD</span><span class="o">=</span>your-password <span class="nv">POSTGRES_HOST</span><span class="o">=</span>db <span class="nv">POSTGRES_PORT</span><span class="o">=</span>5432 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .gitignore — CRITICAL!</span> .env <span class="k">*</span>.pyc __pycache__/ staticfiles/ mediafiles/ </code></pre> </div> <h2> 7. Docker Compose — Development </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># docker-compose.yml (development)</span> <span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.9'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16-alpine</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres_data:/var/lib/postgresql/data/</span> <span class="na">env_file</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.env</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">${POSTGRES_USER}</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">${POSTGRES_DB}"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">web</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">target</span><span class="pi">:</span> <span class="s">builder</span> <span class="c1"># Use builder stage for dev (has dev tools)</span> <span class="na">command</span><span class="pi">:</span> <span class="s">python manage.py runserver 0.0.0.0:8000</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./app:/app</span> <span class="c1"># Live code reloading</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8000:8000"</span> <span class="na">env_file</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.env</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">postgres_data</span><span class="pi">:</span> </code></pre> </div> <h2> 8. Docker Compose — Production </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># docker-compose.prod.yml (production)</span> <span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.9'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16-alpine</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres_data:/var/lib/postgresql/data/</span> <span class="na">env_file</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.env</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">${POSTGRES_USER}</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">${POSTGRES_DB}"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">web</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">target</span><span class="pi">:</span> <span class="s">production</span> <span class="c1"># Use production stage</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">sh -c "python manage.py migrate --noinput &amp;&amp;</span> <span class="s">python manage.py collectstatic --noinput &amp;&amp;</span> <span class="s">gunicorn myproject.wsgi:application</span> <span class="s">--bind 0.0.0.0:8000</span> <span class="s">--workers 3</span> <span class="s">--timeout 120"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">static_volume:/app/staticfiles</span> <span class="pi">-</span> <span class="s">media_volume:/app/mediafiles</span> <span class="na">env_file</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.env</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:1.25-alpine</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./nginx/nginx.conf:/etc/nginx/conf.d/default.conf</span> <span class="pi">-</span> <span class="s">static_volume:/app/staticfiles</span> <span class="pi">-</span> <span class="s">media_volume:/app/mediafiles</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">80:80"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">web</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">postgres_data</span><span class="pi">:</span> <span class="na">static_volume</span><span class="pi">:</span> <span class="na">media_volume</span><span class="pi">:</span> </code></pre> </div> <h2> 9. Nginx Configuration </h2> <p>Nginx acts as a <strong>reverse proxy</strong> — it handles static files and forwards API requests to Gunicorn:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="c1"># nginx/nginx.conf</span> <span class="k">upstream</span> <span class="s">django</span> <span class="p">{</span> <span class="kn">server</span> <span class="nf">web</span><span class="p">:</span><span class="mi">8000</span><span class="p">;</span> <span class="p">}</span> <span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">yourdomain.com</span> <span class="s">www.yourdomain.com</span><span class="p">;</span> <span class="kn">client_max_body_size</span> <span class="mi">20M</span><span class="p">;</span> <span class="c1"># Static files — served directly by Nginx (fast!)</span> <span class="kn">location</span> <span class="n">/static/</span> <span class="p">{</span> <span class="kn">alias</span> <span class="n">/app/staticfiles/</span><span class="p">;</span> <span class="kn">expires</span> <span class="s">30d</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">Cache-Control</span> <span class="s">"public,</span> <span class="s">immutable"</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># Media files</span> <span class="kn">location</span> <span class="n">/media/</span> <span class="p">{</span> <span class="kn">alias</span> <span class="n">/app/mediafiles/</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># Django app — proxy to Gunicorn</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://django</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="nv">$scheme</span><span class="p">;</span> <span class="kn">proxy_connect_timeout</span> <span class="s">60s</span><span class="p">;</span> <span class="kn">proxy_read_timeout</span> <span class="s">60s</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 10. Deploying to Ubuntu Server </h2> <h3> Step 1 — Install Docker on Server </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update system</span> <span class="nb">sudo </span>apt-get update <span class="nb">sudo </span>apt-get upgrade <span class="nt">-y</span> <span class="c"># Install Docker</span> curl <span class="nt">-fsSL</span> https://get.docker.com <span class="nt">-o</span> get-docker.sh <span class="nb">sudo </span>sh get-docker.sh <span class="c"># Install Docker Compose</span> <span class="nb">sudo </span>apt-get <span class="nb">install </span>docker-compose-plugin <span class="nt">-y</span> <span class="c"># Add your user to docker group</span> <span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker <span class="nv">$USER</span> newgrp docker <span class="c"># Verify installation</span> docker <span class="nt">--version</span> docker compose version </code></pre> </div> <h3> Step 2 — Clone Your Project </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/yourusername/myproject.git <span class="nb">cd </span>myproject </code></pre> </div> <h3> Step 3 — Set Up Environment Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp</span> .env.example .env nano .env <span class="c"># Fill in your production values</span> </code></pre> </div> <h3> Step 4 — Build and Start </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Build images</span> docker compose <span class="nt">-f</span> docker-compose.prod.yml build <span class="c"># Start all services</span> docker compose <span class="nt">-f</span> docker-compose.prod.yml up <span class="nt">-d</span> <span class="c"># Check status</span> docker compose <span class="nt">-f</span> docker-compose.prod.yml ps </code></pre> </div> <h3> Step 5 — Verify Everything Works </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check logs</span> docker compose <span class="nt">-f</span> docker-compose.prod.yml logs web docker compose <span class="nt">-f</span> docker-compose.prod.yml logs nginx <span class="c"># Run a command inside the container</span> docker compose <span class="nt">-f</span> docker-compose.prod.yml <span class="nb">exec </span>web python manage.py createsuperuser </code></pre> </div> <h2> 11. Useful Docker Commands </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View running containers</span> docker compose ps <span class="c"># View logs (follow mode)</span> docker compose logs <span class="nt">-f</span> web <span class="c"># Restart a service</span> docker compose restart web <span class="c"># Stop all services</span> docker compose down <span class="c"># Stop and remove volumes (WARNING: deletes DB data!)</span> docker compose down <span class="nt">-v</span> <span class="c"># Rebuild after code changes</span> docker compose up <span class="nt">--build</span> <span class="nt">-d</span> <span class="c"># Run Django management commands</span> docker compose <span class="nb">exec </span>web python manage.py migrate docker compose <span class="nb">exec </span>web python manage.py shell docker compose <span class="nb">exec </span>web python manage.py createsuperuser <span class="c"># Access PostgreSQL directly</span> docker compose <span class="nb">exec </span>db psql <span class="nt">-U</span> myproject_user <span class="nt">-d</span> myproject_db </code></pre> </div> <h2> 12. Common Pitfalls &amp; Fixes </h2> <h3> ❌ Issue 1: Database not ready when Django starts </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Fix: Add healthcheck + depends_on condition</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> </code></pre> </div> <h3> ❌ Issue 2: Static files not showing </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Fix: Run collectstatic</span> docker compose <span class="nb">exec </span>web python manage.py collectstatic <span class="nt">--noinput</span> </code></pre> </div> <h3> ❌ Issue 3: Migrations not applied </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Fix: Run migrations manually</span> docker compose <span class="nb">exec </span>web python manage.py migrate </code></pre> </div> <h3> ❌ Issue 4: Secret key exposed in code </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Fix: Always use environment variables </span><span class="kn">from</span> <span class="n">decouple</span> <span class="kn">import</span> <span class="n">config</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="nf">config</span><span class="p">(</span><span class="sh">'</span><span class="s">SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Never hardcode! </span></code></pre> </div> <h3> ❌ Issue 5: Container runs as root </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Fix: Always create non-root user</span> <span class="k">RUN </span>adduser <span class="nt">--system</span> django <span class="k">USER</span><span class="s"> django</span> </code></pre> </div> <h2> Summary </h2> <p>Here's what we built:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Technology</th> </tr> </thead> <tbody> <tr> <td>Web server</td> <td>Gunicorn + Django</td> </tr> <tr> <td>Reverse proxy</td> <td>Nginx</td> </tr> <tr> <td>Database</td> <td>PostgreSQL 16</td> </tr> <tr> <td>Containerization</td> <td>Docker + Docker Compose</td> </tr> <tr> <td>Static files</td> <td>Whitenoise + Nginx</td> </tr> <tr> <td>Secrets</td> <td>python-decouple + .env</td> </tr> <tr> <td>Security</td> <td>Non-root user, no DEBUG in prod</td> </tr> </tbody> </table></div> <h2> What's Next? </h2> <ul> <li> <strong>Part 3:</strong> Django REST API with PostgreSQL — Advanced Queries &amp; Optimization</li> <li> <strong>Part 4:</strong> CI/CD Pipeline for Django with GitHub Actions</li> <li> <strong>Part 5:</strong> Scaling Django with Redis, Celery &amp; Background Tasks</li> </ul> <p><em>Found this helpful? Share it with your team! Questions? Drop them in the comments.</em></p> <p><strong>Tags:</strong> <code>django</code> <code>docker</code> <code>python</code> <code>devops</code> <code>postgresql</code> <code>nginx</code> <code>deployment</code> <code>backend</code></p> django docker postgres deployment Go beyond Django's built-in auth — learn JWT, custom email login, role-based permissions, and brute-force protection. sribalu Sat, 21 Mar 2026 22:41:21 +0000 https://dev.to/sribalu_sribalu_2e2394502/go-beyond-djangos-built-in-auth-learn-jwt-custom-email-login-role-based-permissions-and-28e2 https://dev.to/sribalu_sribalu_2e2394502/go-beyond-djangos-built-in-auth-learn-jwt-custom-email-login-role-based-permissions-and-28e2 <h1> Django Authentication Deep Dive: JWT, Sessions, and Custom Backends </h1> <p><strong>Go beyond Django's built-in auth — learn JWT, custom email login, role-based permissions, and brute-force protection.</strong> Intermediate | <strong>Read Time:</strong> 12 min | <strong>Author:</strong> [SRI BALU]</p> <h2> Introduction </h2> <p>Authentication is the backbone of almost every web application. Django ships with a solid built-in auth system — but in real-world projects, you'll quickly outgrow it. Whether you're building a REST API, a multi-tenant SaaS, or a social login platform, understanding Django's authentication internals gives you the power to customize it exactly how you need.</p> <p>In this deep-dive, we'll cover:</p> <ul> <li>How Django's authentication system works under the hood</li> <li>Session-based vs JWT-based authentication</li> <li>Implementing JWT authentication with <code>djangorestframework-simplejwt</code> </li> <li>Writing a custom authentication backend (e.g., login with email instead of username)</li> <li>Securing your endpoints with permissions</li> </ul> <h2> 1. How Django Authentication Works Under the Hood </h2> <p>Before writing any code, it helps to understand what happens when a user logs in.</p> <p>Django's auth system revolves around three core components:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td> <code>User</code> model</td> <td>Stores credentials (username, password hash)</td> </tr> <tr> <td><code>AuthenticationBackend</code></td> <td>Validates credentials</td> </tr> <tr> <td> <code>Session</code> / <code>Token</code> </td> <td>Maintains state after login</td> </tr> </tbody> </table></div> <p>When you call <code>authenticate(request, username=..., password=...)</code>, Django loops through all backends listed in <code>AUTHENTICATION_BACKENDS</code> and returns the first <code>User</code> object that matches — or <code>None</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># django/contrib/auth/__init__.py (simplified) </span><span class="k">def</span> <span class="nf">authenticate</span><span class="p">(</span><span class="n">request</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="o">**</span><span class="n">credentials</span><span class="p">):</span> <span class="k">for</span> <span class="n">backend_path</span> <span class="ow">in</span> <span class="n">settings</span><span class="p">.</span><span class="n">AUTHENTICATION_BACKENDS</span><span class="p">:</span> <span class="n">backend</span> <span class="o">=</span> <span class="nf">load_backend</span><span class="p">(</span><span class="n">backend_path</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">user</span> <span class="o">=</span> <span class="n">backend</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="o">**</span><span class="n">credentials</span><span class="p">)</span> <span class="k">except</span> <span class="n">PermissionDenied</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">if</span> <span class="n">user</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">continue</span> <span class="n">user</span><span class="p">.</span><span class="n">backend</span> <span class="o">=</span> <span class="n">backend_path</span> <span class="k">return</span> <span class="n">user</span> <span class="k">return</span> <span class="bp">None</span> </code></pre> </div> <p>The default backend is <code>django.contrib.auth.backends.ModelBackend</code>, which checks the database for a matching username + password hash.</p> <h2> 2. Session-Based Authentication (The Django Default) </h2> <p>Django's default auth uses <strong>server-side sessions</strong>. Here's the flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User submits login form → Django validates credentials → Creates a session in the DB (django_session table) → Sends a session cookie (sessionid) to the browser → On every request, browser sends the cookie → Django looks up the session → finds the user </code></pre> </div> <h3> Setting it up (already built-in): </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># settings.py </span><span class="n">INSTALLED_APPS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">django.contrib.auth</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.sessions</span><span class="sh">'</span><span class="p">,</span> <span class="bp">...</span> <span class="p">]</span> <span class="n">MIDDLEWARE</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">django.contrib.sessions.middleware.SessionMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.auth.middleware.AuthenticationMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="bp">...</span> <span class="p">]</span> </code></pre> </div> <h3> Login/Logout views: </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.contrib.auth</span> <span class="kn">import</span> <span class="n">authenticate</span><span class="p">,</span> <span class="n">login</span><span class="p">,</span> <span class="n">logout</span> <span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">redirect</span><span class="p">,</span> <span class="n">render</span> <span class="k">def</span> <span class="nf">login_view</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">:</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">[</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">]</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">[</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">]</span> <span class="n">user</span> <span class="o">=</span> <span class="nf">authenticate</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="n">password</span><span class="p">)</span> <span class="k">if</span> <span class="n">user</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">login</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">user</span><span class="p">)</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="sh">'</span><span class="s">dashboard</span><span class="sh">'</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">login.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Invalid credentials</span><span class="sh">'</span><span class="p">})</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">login.html</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">logout_view</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="nf">logout</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="sh">'</span><span class="s">login</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <h3> When to use sessions: </h3> <ul> <li>Traditional Django web apps (not APIs)</li> <li>Server-rendered templates</li> <li>When you control both frontend and backend</li> </ul> <h2> 3. JWT Authentication for REST APIs </h2> <p>For <strong>Django REST Framework (DRF)</strong> APIs — especially those consumed by React, Flutter, or mobile apps — <strong>JWT (JSON Web Tokens)</strong> is the preferred approach.</p> <h3> Why JWT over sessions for APIs? </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Sessions</th> <th>JWT</th> </tr> </thead> <tbody> <tr> <td>State</td> <td>Server-side</td> <td>Stateless</td> </tr> <tr> <td>Scalability</td> <td>Requires shared DB</td> <td>Works across servers</td> </tr> <tr> <td>Mobile support</td> <td>Cookie issues</td> <td>Easy via headers</td> </tr> <tr> <td>Logout</td> <td>Simple</td> <td>Requires token blacklist</td> </tr> </tbody> </table></div> <h3> Installation: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>djangorestframework djangorestframework-simplejwt </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># settings.py </span><span class="n">INSTALLED_APPS</span> <span class="o">=</span> <span class="p">[</span> <span class="bp">...</span> <span class="sh">'</span><span class="s">rest_framework</span><span class="sh">'</span><span class="p">,</span> <span class="p">]</span> <span class="n">REST_FRAMEWORK</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">DEFAULT_AUTHENTICATION_CLASSES</span><span class="sh">'</span><span class="p">:</span> <span class="p">(</span> <span class="sh">'</span><span class="s">rest_framework_simplejwt.authentication.JWTAuthentication</span><span class="sh">'</span><span class="p">,</span> <span class="p">),</span> <span class="p">}</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">timedelta</span> <span class="n">SIMPLE_JWT</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">ACCESS_TOKEN_LIFETIME</span><span class="sh">'</span><span class="p">:</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">30</span><span class="p">),</span> <span class="sh">'</span><span class="s">REFRESH_TOKEN_LIFETIME</span><span class="sh">'</span><span class="p">:</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">7</span><span class="p">),</span> <span class="sh">'</span><span class="s">ROTATE_REFRESH_TOKENS</span><span class="sh">'</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">'</span><span class="s">BLACKLIST_AFTER_ROTATION</span><span class="sh">'</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">'</span><span class="s">ALGORITHM</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">AUTH_HEADER_TYPES</span><span class="sh">'</span><span class="p">:</span> <span class="p">(</span><span class="sh">'</span><span class="s">Bearer</span><span class="sh">'</span><span class="p">,),</span> <span class="p">}</span> </code></pre> </div> <h3> URL configuration: </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># urls.py </span><span class="kn">from</span> <span class="n">rest_framework_simplejwt.views</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">TokenObtainPairView</span><span class="p">,</span> <span class="n">TokenRefreshView</span><span class="p">,</span> <span class="n">TokenBlacklistView</span><span class="p">,</span> <span class="p">)</span> <span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="nf">path</span><span class="p">(</span><span class="sh">'</span><span class="s">api/auth/login/</span><span class="sh">'</span><span class="p">,</span> <span class="n">TokenObtainPairView</span><span class="p">.</span><span class="nf">as_view</span><span class="p">(),</span> <span class="n">name</span><span class="o">=</span><span class="sh">'</span><span class="s">token_obtain_pair</span><span class="sh">'</span><span class="p">),</span> <span class="nf">path</span><span class="p">(</span><span class="sh">'</span><span class="s">api/auth/refresh/</span><span class="sh">'</span><span class="p">,</span> <span class="n">TokenRefreshView</span><span class="p">.</span><span class="nf">as_view</span><span class="p">(),</span> <span class="n">name</span><span class="o">=</span><span class="sh">'</span><span class="s">token_refresh</span><span class="sh">'</span><span class="p">),</span> <span class="nf">path</span><span class="p">(</span><span class="sh">'</span><span class="s">api/auth/logout/</span><span class="sh">'</span><span class="p">,</span> <span class="n">TokenBlacklistView</span><span class="p">.</span><span class="nf">as_view</span><span class="p">(),</span> <span class="n">name</span><span class="o">=</span><span class="sh">'</span><span class="s">token_blacklist</span><span class="sh">'</span><span class="p">),</span> <span class="p">]</span> </code></pre> </div> <h3> Protecting API views: </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">rest_framework.permissions</span> <span class="kn">import</span> <span class="n">IsAuthenticated</span> <span class="kn">from</span> <span class="n">rest_framework.decorators</span> <span class="kn">import</span> <span class="n">api_view</span><span class="p">,</span> <span class="n">permission_classes</span> <span class="kn">from</span> <span class="n">rest_framework.response</span> <span class="kn">import</span> <span class="n">Response</span> <span class="nd">@api_view</span><span class="p">([</span><span class="sh">'</span><span class="s">GET</span><span class="sh">'</span><span class="p">])</span> <span class="nd">@permission_classes</span><span class="p">([</span><span class="n">IsAuthenticated</span><span class="p">])</span> <span class="k">def</span> <span class="nf">profile_view</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">user</span> <span class="k">return</span> <span class="nc">Response</span><span class="p">({</span> <span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="n">username</span><span class="p">,</span> <span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <h3> How to call the API: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Get tokens</span> curl <span class="nt">-X</span> POST http://localhost:8000/api/auth/login/ <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"username": "john", "password": "secret123"}'</span> <span class="c"># Response:</span> <span class="c"># {"access": "eyJ0eXAiOiJKV...", "refresh": "eyJ0eXAiOiJKV..."}</span> <span class="c"># Step 2: Call protected endpoint</span> curl <span class="nt">-X</span> GET http://localhost:8000/api/profile/ <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer eyJ0eXAiOiJKV..."</span> </code></pre> </div> <h2> 4. Custom Authentication Backend: Login with Email </h2> <p>By default, Django uses <code>username</code> to authenticate. In modern apps, users expect to log in with their <strong>email address</strong>. Here's how to write a custom backend:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backends.py </span><span class="kn">from</span> <span class="n">django.contrib.auth.backends</span> <span class="kn">import</span> <span class="n">ModelBackend</span> <span class="kn">from</span> <span class="n">django.contrib.auth</span> <span class="kn">import</span> <span class="n">get_user_model</span> <span class="n">User</span> <span class="o">=</span> <span class="nf">get_user_model</span><span class="p">()</span> <span class="k">class</span> <span class="nc">EmailBackend</span><span class="p">(</span><span class="n">ModelBackend</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Authenticate using email instead of username. Falls back to username if email not found. </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">authenticate</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Try to find user by email </span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="n">username</span><span class="p">)</span> <span class="k">except</span> <span class="n">User</span><span class="p">.</span><span class="n">DoesNotExist</span><span class="p">:</span> <span class="c1"># Fall back to username lookup </span> <span class="k">try</span><span class="p">:</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">username</span><span class="o">=</span><span class="n">username</span><span class="p">)</span> <span class="k">except</span> <span class="n">User</span><span class="p">.</span><span class="n">DoesNotExist</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">if</span> <span class="n">user</span><span class="p">.</span><span class="nf">check_password</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="ow">and</span> <span class="n">self</span><span class="p">.</span><span class="nf">user_can_authenticate</span><span class="p">(</span><span class="n">user</span><span class="p">):</span> <span class="k">return</span> <span class="n">user</span> <span class="k">return</span> <span class="bp">None</span> </code></pre> </div> <h3> Register the backend: </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># settings.py </span><span class="n">AUTHENTICATION_BACKENDS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">myapp.backends.EmailBackend</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.auth.backends.ModelBackend</span><span class="sh">'</span><span class="p">,</span> <span class="c1"># keep as fallback </span><span class="p">]</span> </code></pre> </div> <p>Now <code>authenticate(request, username="john@example.com", password="secret")</code> will work automatically — no other code changes needed!</p> <h2> 5. Custom JWT Payload (Add Extra Claims) </h2> <p>By default, JWT tokens contain only <code>user_id</code>. You can add extra data like <code>role</code>, <code>email</code>, or <code>is_staff</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># serializers.py </span><span class="kn">from</span> <span class="n">rest_framework_simplejwt.serializers</span> <span class="kn">import</span> <span class="n">TokenObtainPairSerializer</span> <span class="k">class</span> <span class="nc">CustomTokenObtainPairSerializer</span><span class="p">(</span><span class="n">TokenObtainPairSerializer</span><span class="p">):</span> <span class="nd">@classmethod</span> <span class="k">def</span> <span class="nf">get_token</span><span class="p">(</span><span class="n">cls</span><span class="p">,</span> <span class="n">user</span><span class="p">):</span> <span class="n">token</span> <span class="o">=</span> <span class="nf">super</span><span class="p">().</span><span class="nf">get_token</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="c1"># Add custom claims </span> <span class="n">token</span><span class="p">[</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">user</span><span class="p">.</span><span class="n">email</span> <span class="n">token</span><span class="p">[</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">user</span><span class="p">.</span><span class="n">username</span> <span class="n">token</span><span class="p">[</span><span class="sh">'</span><span class="s">is_staff</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">user</span><span class="p">.</span><span class="n">is_staff</span> <span class="n">token</span><span class="p">[</span><span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># if you have a role field </span> <span class="k">return</span> <span class="n">token</span> <span class="c1"># views.py </span><span class="kn">from</span> <span class="n">rest_framework_simplejwt.views</span> <span class="kn">import</span> <span class="n">TokenObtainPairView</span> <span class="k">class</span> <span class="nc">CustomTokenObtainPairView</span><span class="p">(</span><span class="n">TokenObtainPairView</span><span class="p">):</span> <span class="n">serializer_class</span> <span class="o">=</span> <span class="n">CustomTokenObtainPairSerializer</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># urls.py </span><span class="nf">path</span><span class="p">(</span><span class="sh">'</span><span class="s">api/auth/login/</span><span class="sh">'</span><span class="p">,</span> <span class="n">CustomTokenObtainPairView</span><span class="p">.</span><span class="nf">as_view</span><span class="p">(),</span> <span class="n">name</span><span class="o">=</span><span class="sh">'</span><span class="s">token_obtain_pair</span><span class="sh">'</span><span class="p">),</span> </code></pre> </div> <h2> 6. Role-Based Permissions </h2> <p>Once authentication is set up, you'll want <strong>authorization</strong> — controlling what users can do.</p> <h3> Built-in permission classes: </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">rest_framework.permissions</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">IsAuthenticated</span><span class="p">,</span> <span class="c1"># Must be logged in </span> <span class="n">IsAdminUser</span><span class="p">,</span> <span class="c1"># Must be staff/superuser </span> <span class="n">IsAuthenticatedOrReadOnly</span><span class="p">,</span> <span class="c1"># Read for all, write for authenticated </span><span class="p">)</span> </code></pre> </div> <h3> Custom permission class: </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># permissions.py </span><span class="kn">from</span> <span class="n">rest_framework.permissions</span> <span class="kn">import</span> <span class="n">BasePermission</span> <span class="k">class</span> <span class="nc">IsOwnerOrAdmin</span><span class="p">(</span><span class="n">BasePermission</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Allow access only to object owners or admin users. </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">has_object_permission</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">view</span><span class="p">,</span> <span class="n">obj</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">user</span><span class="p">.</span><span class="n">is_staff</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">return</span> <span class="n">obj</span><span class="p">.</span><span class="n">owner</span> <span class="o">==</span> <span class="n">request</span><span class="p">.</span><span class="n">user</span> <span class="c1"># views.py </span><span class="kn">from</span> <span class="n">rest_framework</span> <span class="kn">import</span> <span class="n">generics</span> <span class="kn">from</span> <span class="n">.permissions</span> <span class="kn">import</span> <span class="n">IsOwnerOrAdmin</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Post</span> <span class="kn">from</span> <span class="n">.serializers</span> <span class="kn">import</span> <span class="n">PostSerializer</span> <span class="k">class</span> <span class="nc">PostDetailView</span><span class="p">(</span><span class="n">generics</span><span class="p">.</span><span class="n">RetrieveUpdateDestroyAPIView</span><span class="p">):</span> <span class="n">queryset</span> <span class="o">=</span> <span class="n">Post</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">all</span><span class="p">()</span> <span class="n">serializer_class</span> <span class="o">=</span> <span class="n">PostSerializer</span> <span class="n">permission_classes</span> <span class="o">=</span> <span class="p">[</span><span class="n">IsAuthenticated</span><span class="p">,</span> <span class="n">IsOwnerOrAdmin</span><span class="p">]</span> </code></pre> </div> <h2> 7. Security Best Practices </h2> <h3> ✅ Always do this: </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># settings.py </span> <span class="c1"># Use HTTPS in production </span><span class="n">SESSION_COOKIE_SECURE</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">CSRF_COOKIE_SECURE</span> <span class="o">=</span> <span class="bp">True</span> <span class="c1"># Prevent XSS from stealing session cookies </span><span class="n">SESSION_COOKIE_HTTPONLY</span> <span class="o">=</span> <span class="bp">True</span> <span class="c1"># Limit session age </span><span class="n">SESSION_COOKIE_AGE</span> <span class="o">=</span> <span class="mi">1209600</span> <span class="c1"># 2 weeks in seconds </span> <span class="c1"># Password validation </span><span class="n">AUTH_PASSWORD_VALIDATORS</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span><span class="sh">'</span><span class="s">NAME</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">django.contrib.auth.password_validation.MinimumLengthValidator</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">OPTIONS</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">min_length</span><span class="sh">'</span><span class="p">:</span> <span class="mi">8</span><span class="p">}},</span> <span class="p">{</span><span class="sh">'</span><span class="s">NAME</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">django.contrib.auth.password_validation.CommonPasswordValidator</span><span class="sh">'</span><span class="p">},</span> <span class="p">{</span><span class="sh">'</span><span class="s">NAME</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">django.contrib.auth.password_validation.NumericPasswordValidator</span><span class="sh">'</span><span class="p">},</span> <span class="p">]</span> </code></pre> </div> <h3> ✅ Rate-limit login attempts: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>django-axes </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># settings.py </span><span class="n">INSTALLED_APPS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">axes</span><span class="sh">'</span><span class="p">,</span> <span class="p">...]</span> <span class="n">AUTHENTICATION_BACKENDS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">axes.backends.AxesStandaloneBackend</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">myapp.backends.EmailBackend</span><span class="sh">'</span><span class="p">,</span> <span class="p">]</span> <span class="n">AXES_FAILURE_LIMIT</span> <span class="o">=</span> <span class="mi">5</span> <span class="c1"># Lock after 5 failed attempts </span><span class="n">AXES_COOLOFF_TIME</span> <span class="o">=</span> <span class="mi">1</span> <span class="c1"># Unlock after 1 hour </span></code></pre> </div> <h2> Summary </h2> <p>Here's what we covered:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Topic</th> <th>Use Case</th> </tr> </thead> <tbody> <tr> <td>Session auth</td> <td>Traditional Django web apps</td> </tr> <tr> <td>JWT with simplejwt</td> <td>REST APIs, mobile apps</td> </tr> <tr> <td>Custom EmailBackend</td> <td>Login with email</td> </tr> <tr> <td>Custom JWT claims</td> <td>Pass role/email in token</td> </tr> <tr> <td>Custom permissions</td> <td>Role-based access control</td> </tr> <tr> <td>django-axes</td> <td>Brute-force protection</td> </tr> </tbody> </table></div> <p>Django's auth system is designed to be extended — not replaced. By understanding how backends, sessions, and tokens work together, you can build secure, scalable authentication for any use case.</p> <h2> What's Next? </h2> <ul> <li> <strong>Part 2:</strong> OAuth2 &amp; Social Login with <code>django-allauth</code> (Google, GitHub)</li> <li> <strong>Part 3:</strong> Two-Factor Authentication (2FA) with TOTP</li> <li> <strong>Part 4:</strong> Multi-tenant authentication with row-level security</li> </ul> <p><em>Found this helpful? Share it on Twitter and tag me! Have questions? Drop them in the comments below.</em></p> <p><strong>Tags:</strong> <code>django</code> <code>python</code> <code>authentication</code> <code>jwt</code> <code>django-rest-framework</code> <code>web-development</code> <code>backend</code></p> django python security tutorial