Multi-Role User Authentication in Django Rest Framework

Introduction:

User authentication is a fundamental aspect of many web applications. Django provides a powerful authentication system out-of-the-box, but sometimes you need to extend it to support multiple user roles. In this post, we'll explore how to implement multi-role user authentication using Django Rest Framework (DRF).

Setting Up the Project:

Let's start by creating a new Django project. If you don't have a Django environment set up, you can create one by following these steps:

1. Create a virtual environment: python -m venv venv
2. Activate the virtual environment: venv\Scripts\activate

Once your environment is activated, install Django and Django Rest Framework:

pip install django djangorestframework

You can follow any approach you prefer to setup environment. When your env is ready, open terminal (with env activated) and run the following commands:

django-admin startproject multi_role_auth
cd multi_role_auth

Start our authentication app:

Open terminal (with env activated) and run the following commands:

python manage.py startapp authentication

Now that we have our project structure ready, let's dive into the implementation.

Defining User Model:

In the authentication/models.py file, we'll define a custom user model that extends the AbstractUser class from Django's authentication models. This model will include a role field to assign different roles to each user.

# authentication/models.py

from django.db import models
from django.contrib.auth.models import AbstractUser
from django.conf import settings
from rest_framework.authtoken.models import Token


class User(AbstractUser):
    ROLE_CHOICES = (
        ('administrator', 'Administrator'),
        ('teacher', 'Teacher'),
        ('student', 'Student'),
        ('staff', 'Staff'),
    )

    role = models.CharField(max_length=15, choices=ROLE_CHOICES)

Feel free to customize the ROLE_CHOICES tuple to include the specific roles that are relevant to your application. Additionally, if you require more fields for the User model, you can easily add them to this model. You can refer to the documentation to explore all the default fields provided by Django's User model. This flexibility allows you to tailor the User model to meet the specific requirements of your project.

Creating Serializers:

Next, create serializers for our authentication app. Serializers help in converting complex data types into JSON, making it easy to send data over HTTP.

Create authentication/serializers.py and add the following code:

# authentication/serializers.py

from rest_framework import serializers
from .models import User

class UserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ['username', 'email', 'role', 'password']
        extra_kwargs = {'password': {'write_only': True}}

    def create(self, validated_data):
        user = User.objects.create_user(**validated_data)
        return user

Here, we've defined a UserSerializer that inherits from the ModelSerializer provided by DRF. We specify the model as our custom User model and define the fields to include in the serialized representation. Additionally, we set the "password" field as write-only to prevent it from being exposed in responses. In the fields attribute, you can include all fields by passing fields = '__all__'.

Creating Views:

Now, let's implement the views for user registration, login, and logout.

In authentication/views.py, add the following code:

# authentication/views.py

from authentication.models import User
from authentication.serializers import UserSerializer
from django.contrib.auth import authenticate, login
from rest_framework import status
from rest_framework.response import Response
from rest_framework.views import APIView
from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.authtoken.models import Token
from rest_framework.permissions import IsAuthenticated


class UserRegistrationView(APIView):
    def post(self, request):
        serializer = UserSerializer(data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data, status=status.HTTP_201_CREATED)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)



class UserLoginView(ObtainAuthToken):
    def post(self, request, *args, **kwargs):
        username = request.data.get('username')
        password = request.data.get('password')

        user = authenticate(request, username=username, password=password)
        if user is not None:
            login(request, user)
            token, created = Token.objects.get_or_create(user=user)
            if created:
                token.delete()  # Delete the token if it was already created
                token = Token.objects.create(user=user)
            return Response({'token': token.key, 'username': user.username, 'role': user.role})
        else:
            return Response({'message': 'Invalid username or password'}, status=status.HTTP_401_UNAUTHORIZED)



class UserLogoutView(APIView):
    permission_classes = [IsAuthenticated]

    def post(self, request):
        print(request.headers) 
        token_key = request.auth.key
        token = Token.objects.get(key=token_key)
        token.delete()

        return Response({'detail': 'Successfully logged out.'})

In the UserRegistrationView, we handle the HTTP POST request for user registration. We validate the data using the UserSerializer and save the user if it's valid.

In the UserLoginView, we handle the user login functionality. We authenticate the user using the provided username and password, and if successful, generate a token using the Token model from DRF. We return the token along with the username and role in the response.

The UserLogoutView is responsible for logging out the authenticated user. It retrieves the token from the request's authentication header, deletes the token if it exists, and returns a success message.

Updating URLs:

Finally, we need to define the URLs for our authentication app.

In multi_role_auth/urls.py, add the following code:

# multi_role_auth/urls.py

from django.urls import path, include
from authentication.views import UserRegistrationView, UserLoginView, UserLogoutView

urlpatterns = [
    path('api/auth/register/', UserRegistrationView.as_view(), name='user-registration'),
    path('api/auth/login/', UserLoginView.as_view(), name='user-login'),
    path('api/auth/logout/', UserLogoutView.as_view(), name='user-logout'),
    # Add other URLs here
]

Here, we map
/api/auth/register/ URL to the UserRegistrationView,
/api/auth/login/ URL to the UserLoginView, and
api/auth/logout/ URL to the UserLogoutView.

Modifying settings.py:

To enable token-based authentication in DRF, we need to make some modifications to the settings.py file.

In "multi_role_auth/settings.py", add or update the following settings:

# multi_role_auth/settings.py

# ...

INSTALLED_APPS = [
    # ...
    'rest_framework',
    'rest_framework.authtoken',
    'authentication',
]

# ...

AUTH_USER_MODEL = 'authentication.User'

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.TokenAuthentication',
    ],
}

Here, we've added rest_framework and authentication to the INSTALLED_APPS list to include the necessary packages. Additionally, we've configured the DEFAULT_AUTHENTICATION_CLASSES to use the TokenAuthentication class for token-based authentication.

Remember to run migrations before testing the app:

python manage.py makemigrations
python manage.py migrate

Test:

Here I tested authentication endpoints using Postman

Register a user:
Send a POST request to http://localhost:8000/api/auth/register/ with the following payload in the request body:

{
  "username": "johndoe",
  "email": "johndoe@example.com",
  "password": "$tr0ngPa$$w0rd",
  "role": "student"
}

Login:
Send a POST request to http://localhost:8000/api/auth/login/ with the following payload in the request body:

{
  "username": "johndoe",
  "password": "$tr0ngPa$$w0rd"
}

Logout:
Send a POST request to http://localhost:8000/api/auth/logout/ with the token in the request headers. Include an Authorization header with the value Token {token} (replace {token} with the actual token value obtained during login).

Use it in user-specific class(es)

Now that we have a User with the role field, we can use it in our user-specific classes. For example:

# student/models.py  

from django.db import models
from authentication.models import User

class Student(models.Model):
    # other fields related to student ...
    student_id = models.CharField(max_length=10, unique=True)
    user = models.OneToOneField(User, on_delete=models.CASCADE, related_name="student_account")

# student/serializers.py  
# import ...
class StudentSerializer(serializers.ModelSerializer):
    user = UserSerializer(read_only=True)

    class Meta:
        model = Student
        fields = '__all__'

    def create(self, validated_data):
        user_data = validated_data.pop('user')
        user = User.objects.create_user(**user_data)
        student = Student.objects.create(user=user, **validated_data)
        return student

Update views and URLs:

# ...
class StudentRegistrationView(APIView):
    def post(self, request):
        serializer = StudentSerializer(data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data, status=status.HTTP_201_CREATED)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

# Update Login view
class UserLoginView(ObtainAuthToken):
    def post(self, request, *args, **kwargs):
        username = request.data.get('username')
        password = request.data.get('password')

        user = authenticate(request, username=username, password=password)
        if user is not None:
            login(request, user)
            token, created = Token.objects.get_or_create(user=user)
            if created:
                token.delete()  # Delete the token if it was already created
                token = Token.objects.create(user=user)

            response_data = {
                'token': token.key,
                'username': user.username,
                'role': user.role,
            }

            if user.role == 'student':
                student = user.student_account  # Assuming the related name is "student_account"
                if student is not None:
                    # Add student data to the response data
                    student_data = StudentSerializer(student).data
                    response_data['data'] = student_data

            return Response(response_data)
        else:
            return Response({'message': 'Invalid username or password'}, status=status.HTTP_401_UNAUTHORIZED)

# ... 
urlpatterns = [
    # ...
    path('api/auth/register/student/', StudentRegistrationView.as_view(), name='student-registration'),
    # ...
]

In case you created a new app for student, add it to INSTALLED_APPS.
Run migrations.

Here is a JSON data to register a Student:

{
    "student_id": "1234567890",
    "user": {
        "username": "john_doe@stu",
        "email": "john.doe@test.com",
        "role": "student",
        "password": "secretpassword"
    }
}

And this is the login response:

{
    "token": "bc2369f6cf4c7bf015c449773dc285e9e8c69caf",
    "username": "john_doe@stu",
    "role": "student",
    "data": {
        "id": 1,
        "user": {
            "username": "john_doe@stu",
            "email": "john.doe@test.com",
            "role": "student"
        },
        "student_id": "1234567890"
    }
}

Conclusion:

In this tutorial, we've covered the process of implementing multi-role user authentication using Django Rest Framework. We defined a custom user model, created serializers for user registration and login, implemented views for user registration, login, and logout, and updated the project's URLs and settings to support token-based authentication. Furthermore, we have explored the detailed process of utilizing our customized User model in other specific models.

By extending Django's built-in user model and utilizing the capabilities of Django Rest Framework, you can easily add role-based authentication to your Django applications. This allows you to differentiate user permissions and provide tailored experiences based on each user's role.

Feel free to explore further and add additional functionalities, such as password reset and role-based access control (RBAC), based on your application requirements.

Happy coding!

Comments

[mosesmbadi]

Great job Forhad! Moses here reading from Kenya. I have a question, using this implementation, how can we configure access per role. Imagine this, a client submits a ticket, which there is a head engineer who assigns to to service engineers and when its complete the client is notified. How can I adapt this authentication to that kind of authorization. Thanks

[Forhad Khan]

Hello Moses, you can configure access per role by defining custom permission classes in Django Rest Framework (DRF). In your case, you can create three custom permission classes to handle the different roles: IsClient, IsHeadEngineer, and IsServiceEngineer. Then, you can use these permission classes in your views to enforce role-based access control. Here's how you can do it:

Define custom permission classes for each role:

# authentication/permissions.py

from rest_framework.permissions import BasePermission

class IsClient(BasePermission):
    def has_permission(self, request, view):
        return request.user.role == 'client'

class IsHeadEngineer(BasePermission):
    def has_permission(self, request, view):
        return request.user.role == 'head_engineer'

class IsServiceEngineer(BasePermission):
    def has_permission(self, request, view):
        return request.user.role == 'service_engineer'

Use the custom permission classes in your views:

# views.py

from rest_framework.views import APIView
from authentication.permissions import IsClient, IsHeadEngineer, IsServiceEngineer

class TicketSubmissionView(APIView):
    permission_classes = [IsClient]

    def post(self, request):
        # Your ticket submission logic here
        pass

class AssignmentView(APIView):
    permission_classes = [IsHeadEngineer]

    def put(self, request, ticket_id):
        # Your assignment logic here
        pass

class CompletionView(APIView):
    permission_classes = [IsServiceEngineer]

    def put(self, request, ticket_id):
        # Your completion logic here
        pass

By using these custom permission classes, you ensure that only users with the appropriate roles can access the corresponding views. For example, TicketSubmissionView can only be accessed by users with the role client, AssignmentView can only be accessed by users with the role head_engineer, and CompletionView can only be accessed by users with the role service_engineer.

Remember that you need to set the role attribute for each user when they are created or updated, and make sure your authentication mechanism provides this information in the request.

I hope this helps you. Happy coding. Feel free to ask any question.

[Achal Pathak]

What about handling same user with multiple roles?
For e.g. a user can be a teacher as well as administrator

[Forhad Khan]

Good point Pathak. In case you want a user to have multiple roles, you can achieve that by modifying the models and serializers. Here is one approach to do it.

Modify the models - create a separate Role model and set a ManyToMany relationship to the roles field in the User class.

# authentication/models.py

from django.db import models
from django.contrib.auth.models import AbstractUser

class Role(models.Model):
    name = models.CharField(max_length=15, unique=True)

    def __str__(self):
        return self.name


class User(AbstractUser):
    roles = models.ManyToManyField(Role)

You will also need to update the UserSerializer to handle multiple roles:

from rest_framework import serializers
from .models import User, Role

class RoleSerializer(serializers.ModelSerializer):
    class Meta:
        model = Role
        fields = ['name']

class UserSerializer(serializers.ModelSerializer):
    roles = RoleSerializer(many=True)

    class Meta:
        model = User
        fields = ['username', 'email', 'roles', 'password']
        extra_kwargs = {'password': {'write_only': True}}

    def create(self, validated_data):
        roles_data = validated_data.pop('roles')
        user = User.objects.create_user(**validated_data)
        for role_data in roles_data:
            role, _ = Role.objects.get_or_create(**role_data)
            user.roles.add(role)
        return user

With these changes, you can now pass an array of roles during user registration, allowing a user to have multiple roles associated with their account.

For example, when creating a user with multiple roles, you can send a request like this:

{
    "username": "example_user",
    "email": "user@example.com",
    "password": "example_password",
    "roles": [
        {"name": "administrator"},
        {"name": "teacher"}
    ]
}

I hope this helps! Let me know if you have any further questions.