Plain is headed towards 1.0! Subscribe for development updates →

plain.auth

Add users to your app and define which views they can access.

To log a user in, you'll want to pair this package with:

  • plain-passwords
  • plain-oauth
  • plain-passkeys (TBD)
  • plain-passlinks (TBD)

Installation

# app/settings.py
INSTALLED_PACKAGES = [
    # ...
    "plain.auth",
    "plain.sessions",
    "plain.passwords",
]

MIDDLEWARE = [
    "plain.middleware.security.SecurityMiddleware",
    "plain.sessions.middleware.SessionMiddleware",  # <--
    "plain.middleware.common.CommonMiddleware",
    "plain.csrf.middleware.CsrfViewMiddleware",
    "plain.auth.middleware.AuthenticationMiddleware",  # <--
]

AUTH_USER_MODEL = "users.User"
AUTH_LOGIN_URL = "login"

Create your own user model (plain create users).

# app/users/models.py
from plain import models
from plain.passwords.models import PasswordField


class User(models.Model):
    email = models.EmailField(unique=True)
    password = PasswordField()
    is_staff = models.BooleanField(default=False)
    created_at = models.DateTimeField(auto_now_add=True)

    def __str__(self):
        return self.email

Define your URL/view where users can log in.

# app/urls.py
from plain.auth.views import LoginView, LogoutView
from plain.urls import include, path
from plain.passwords.views import PasswordLoginView


class LoginView(PasswordLoginView):
    template_name = "login.html"


urlpatterns = [
    path("logout/", LogoutView, name="logout"),
    path("login/", LoginView, name="login"),
]

Checking if a user is logged in

A request.user will either be None or point to an instance of a your AUTH_USER_MODEL.

So in templates you can do:

{% if request.user %}
    <p>Hello, {{ request.user.email }}!</p>
{% else %}
    <p>You are not logged in.</p>
{% endif %}

Or in Python:

if request.user:
    print(f"Hello, {request.user.email}!")
else:
    print("You are not logged in.")

Restricting views

Use the AuthViewMixin to restrict views to logged in users, staff users, or custom logic.

from plain.auth.views import AuthViewMixin
from plain.exceptions import PermissionDenied
from plain.views import View


class LoggedInView(AuthViewMixin, View):
    login_required = True


class StaffOnlyView(AuthViewMixin, View):
    login_required = True
    staff_required = True


class CustomPermissionView(AuthViewMixin, View):
    def check_auth(self):
        super().check_auth()
        if not self.request.user.is_special:
            raise PermissionDenied("You're not special!")
 1from importlib.util import find_spec
 2
 3AUTH_USER_MODEL: str
 4AUTH_LOGIN_URL: str
 5
 6if find_spec("plain.passwords"):
 7    # Automatically invalidate sessions on password field change,
 8    # if the plain-passwords is installed. You can change this value
 9    # if your password field is named differently, or you want
10    # to use a different field to invalidate sessions.
11    AUTH_USER_SESSION_HASH_FIELD: str = "password"
12else:
13    AUTH_USER_SESSION_HASH_FIELD: str = ""