Plain is headed towards 1.0! Subscribe for development updates →

plain.auth

Add users to your app and define which views they can access.

To log a user in, you'll want to pair this package with:

  • plain-passwords
  • plain-oauth
  • plain-passkeys (TBD)
  • plain-passlinks (TBD)

Installation

# app/settings.py
INSTALLED_PACKAGES = [
    # ...
    "plain.auth",
    "plain.sessions",
    "plain.passwords",
]

MIDDLEWARE = [
    "plain.sessions.middleware.SessionMiddleware",
    "plain.auth.middleware.AuthenticationMiddleware",
]

AUTH_USER_MODEL = "users.User"
AUTH_LOGIN_URL = "login"

Create your own user model (plain create users).

# app/users/models.py
from plain import models
from plain.passwords.models import PasswordField


class User(models.Model):
    email = models.EmailField(unique=True)
    password = PasswordField()
    is_staff = models.BooleanField(default=False)
    created_at = models.DateTimeField(auto_now_add=True)

    def __str__(self):
        return self.email

Define your URL/view where users can log in.

# app/urls.py
from plain.auth.views import LoginView, LogoutView
from plain.urls import include, path
from plain.passwords.views import PasswordLoginView


class LoginView(PasswordLoginView):
    template_name = "login.html"


urlpatterns = [
    path("logout/", LogoutView, name="logout"),
    path("login/", LoginView, name="login"),
]

Checking if a user is logged in

A request.user will either be None or point to an instance of a your AUTH_USER_MODEL.

So in templates you can do:

{% if request.user %}
    <p>Hello, {{ request.user.email }}!</p>
{% else %}
    <p>You are not logged in.</p>
{% endif %}

Or in Python:

if request.user:
    print(f"Hello, {request.user.email}!")
else:
    print("You are not logged in.")

Restricting views

Use the AuthViewMixin to restrict views to logged in users, staff users, or custom logic.

from plain.auth.views import AuthViewMixin
from plain.exceptions import PermissionDenied
from plain.views import View


class LoggedInView(AuthViewMixin, View):
    login_required = True


class StaffOnlyView(AuthViewMixin, View):
    login_required = True
    staff_required = True


class CustomPermissionView(AuthViewMixin, View):
    def check_auth(self):
        super().check_auth()
        if not self.request.user.is_special:
            raise PermissionDenied("You're not special!")
  1from plain.csrf.middleware import rotate_token
  2from plain.exceptions import ImproperlyConfigured
  3from plain.packages import packages as plain_packages
  4from plain.runtime import settings
  5from plain.utils.crypto import constant_time_compare, salted_hmac
  6
  7from .signals import user_logged_in, user_logged_out
  8
  9USER_ID_SESSION_KEY = "_auth_user_id"
 10USER_HASH_SESSION_KEY = "_auth_user_hash"
 11
 12
 13def _get_user_id_from_session(request):
 14    # This value in the session is always serialized to a string, so we need
 15    # to convert it back to Python whenever we access it.
 16    return get_user_model()._meta.pk.to_python(request.session[USER_ID_SESSION_KEY])
 17
 18
 19def get_session_auth_hash(user):
 20    """
 21    Return an HMAC of the password field.
 22    """
 23    return _get_session_auth_hash(user)
 24
 25
 26def get_session_auth_fallback_hash(user):
 27    for fallback_secret in settings.SECRET_KEY_FALLBACKS:
 28        yield _get_session_auth_hash(user, secret=fallback_secret)
 29
 30
 31def _get_session_auth_hash(user, secret=None):
 32    key_salt = "plain.auth.get_session_auth_hash"
 33    return salted_hmac(
 34        key_salt,
 35        getattr(user, settings.AUTH_USER_SESSION_HASH_FIELD),
 36        secret=secret,
 37        algorithm="sha256",
 38    ).hexdigest()
 39
 40
 41def login(request, user):
 42    """
 43    Persist a user id and a backend in the request. This way a user doesn't
 44    have to reauthenticate on every request. Note that data set during
 45    the anonymous session is retained when the user logs in.
 46    """
 47    if settings.AUTH_USER_SESSION_HASH_FIELD:
 48        session_auth_hash = get_session_auth_hash(user)
 49    else:
 50        session_auth_hash = ""
 51
 52    if USER_ID_SESSION_KEY in request.session:
 53        if _get_user_id_from_session(request) != user.pk:
 54            # To avoid reusing another user's session, create a new, empty
 55            # session if the existing session corresponds to a different
 56            # authenticated user.
 57            request.session.flush()
 58        elif session_auth_hash and not constant_time_compare(
 59            request.session.get(USER_HASH_SESSION_KEY, ""), session_auth_hash
 60        ):
 61            # If the session hash does not match the current hash, reset the
 62            # session. Most likely this means the password was changed.
 63            request.session.flush()
 64    else:
 65        # Invalidate the current session key and generate a new one to enhance security,
 66        # typically done after user login to prevent session fixation attacks.
 67        request.session.cycle_key()
 68
 69    request.session[USER_ID_SESSION_KEY] = user._meta.pk.value_to_string(user)
 70    request.session[USER_HASH_SESSION_KEY] = session_auth_hash
 71    if hasattr(request, "user"):
 72        request.user = user
 73    rotate_token(request)
 74    user_logged_in.send(sender=user.__class__, request=request, user=user)
 75
 76
 77def logout(request):
 78    """
 79    Remove the authenticated user's ID from the request and flush their session
 80    data.
 81    """
 82    # Dispatch the signal before the user is logged out so the receivers have a
 83    # chance to find out *who* logged out.
 84    user = getattr(request, "user", None)
 85    user_logged_out.send(sender=user.__class__, request=request, user=user)
 86    request.session.flush()
 87    if hasattr(request, "user"):
 88        request.user = None
 89
 90
 91def get_user_model():
 92    """
 93    Return the User model that is active in this project.
 94    """
 95    try:
 96        return plain_packages.get_model(settings.AUTH_USER_MODEL, require_ready=False)
 97    except ValueError:
 98        raise ImproperlyConfigured(
 99            "AUTH_USER_MODEL must be of the form 'package_label.model_name'"
100        )
101    except LookupError:
102        raise ImproperlyConfigured(
103            f"AUTH_USER_MODEL refers to model '{settings.AUTH_USER_MODEL}' that has not been installed"
104        )
105
106
107def get_user(request):
108    """
109    Return the user model instance associated with the given request session.
110    If no user is retrieved, return None.
111    """
112    if USER_ID_SESSION_KEY not in request.session:
113        return None
114
115    user_id = _get_user_id_from_session(request)
116
117    UserModel = get_user_model()
118    try:
119        user = UserModel._default_manager.get(pk=user_id)
120    except UserModel.DoesNotExist:
121        return None
122
123    # If the user models defines a specific field to also hash and compare
124    # (like password), then we verify that the hash of that field is still
125    # the same as when the session was created.
126    #
127    # If it has changed (i.e. password changed), then the session
128    # is no longer valid and cleared out.
129    if settings.AUTH_USER_SESSION_HASH_FIELD:
130        session_hash = request.session.get(USER_HASH_SESSION_KEY)
131        if not session_hash:
132            session_hash_verified = False
133        else:
134            session_auth_hash = get_session_auth_hash(user)
135            session_hash_verified = constant_time_compare(
136                session_hash, session_auth_hash
137            )
138        if not session_hash_verified:
139            # If the current secret does not verify the session, try
140            # with the fallback secrets and stop when a matching one is
141            # found.
142            if session_hash and any(
143                constant_time_compare(session_hash, fallback_auth_hash)
144                for fallback_auth_hash in get_session_auth_fallback_hash(user)
145            ):
146                request.session.cycle_key()
147                request.session[USER_HASH_SESSION_KEY] = session_auth_hash
148            else:
149                request.session.flush()
150                user = None
151
152    return user