This project provides a robust session-based authentication backend using Django and Django REST Framework. It includes endpoints for user registration, login (to establish a session), logout (to invalidate a session), and a protected example endpoint that requires authentication.
- User Registration (`/api/register/`)
- User Login (`/api/login/`) – establishes a session and returns a CSRF token for later state-changing requests
- User Logout (`/api/logout/`) – invalidates the session
- Protected API Endpoint (`/api/protected/`) – accessible only with an active session
- CORS configuration that restricts which frontend origins may make credentialed (cookie-bearing) requests
Follow these steps to get the Django backend up and running on your local machine.
git clone <your-repository-url>
cd django_session_auth_backend
python -m venv venv
macOS/Linux:
source venv/bin/activate
Windows (Command Prompt):
venv\Scripts\activate.bat
Windows (PowerShell):
venv\Scripts\Activate.ps1
pip install -r requirements.txt
Ensure your project files are set up as follows:
- Allow CORS from your frontend:
CORS_ALLOWED_ORIGINS = [
"http://localhost:3000",
]
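The single `CORS_ALLOWED_ORIGINS` line is not enough on its own for cookie-based auth from a separate frontend: browsers only attach the session cookie to cross-origin requests when the server also allows credentials, and Django additionally checks the `Origin` of unsafe requests. The settings fragment below is an added example, not the project's `settings.py`; it assumes the frontend origin `http://localhost:3000` from this README and that the backend is reached at `localhost:8000` (port differs, site is the same, so `SameSite=Lax` cookies are still sent). The weak alternative is shown commented out beside the hardened value.

```python
# settings.py fragment (added example, not the project's own file).
# Assumes the SPA runs at http://localhost:3000 and calls the API at
# http://localhost:8000, as in this README's local setup.

# Frontend origins allowed by django-cors-headers. Keep this an explicit list;
# the weak setting CORS_ALLOW_ALL_ORIGINS = True must never be combined with
# CORS_ALLOW_CREDENTIALS, because it would let any site make cookie-bearing calls.
CORS_ALLOWED_ORIGINS = [
    "http://localhost:3000",
]
# CORS_ALLOW_ALL_ORIGINS = True      # weak: wildcard origin, do not use here

# Without this the Access-Control-Allow-Credentials header is omitted and the
# browser drops the sessionid cookie on cross-origin fetches, even when the
# frontend passes credentials: "include".
CORS_ALLOW_CREDENTIALS = True

# Django 4.0+ compares the Origin header of POST/PUT/DELETE requests against the
# request host and this list; browser requests from the SPA fail with 403 otherwise.
CSRF_TRUSTED_ORIGINS = ["http://localhost:3000"]

# Cookie hardening.
# HttpOnly keeps the session id out of document.cookie, so an XSS in the SPA
# cannot read it. The CSRF token is returned in the login JSON, so the csrftoken
# cookie does not need to be readable by JavaScript either.
SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_HTTPONLY = True

# SameSite=Lax stops other sites from sending these cookies on cross-site fetches.
# This only works because localhost:3000 and localhost:8000 are the same site;
# if the SPA called 127.0.0.1:8000 instead, the cookies would be cross-site and
# silently withheld. Cross-site deployments need SameSite="None" plus Secure=True
# over HTTPS.
SESSION_COOKIE_SAMESITE = "Lax"
CSRF_COOKIE_SAMESITE = "Lax"

# Secure cookies are refused by browsers on plain http://localhost, so they stay
# off for local development and must be switched on for any HTTPS deployment.
SESSION_COOKIE_SECURE = False
CSRF_COOKIE_SECURE = False
```

With these values the session cookie is only sent by the browser from the listed origin, is unreadable from page scripts, and the Django CSRF check accepts the token returned at login.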
python manage.py makemigrations
python manage.py migrate
python manage.py createsuperuser
python manage.py runserver
Backend will be available at: http://127.0.0.1:8000/
All endpoints are prefixed with /api/.
Endpoint: POST /api/register/
Description: Register a new user. `password2` repeats the password for confirmation.
Request Body:
{
"username": "newuser",
"email": "[email protected]",
"password": "strongpassword123",
"password2": "strongpassword123"
}
Success Response:
{
"id": 1,
"username": "newuser",
"email": "[email protected]"
}
Endpoint: POST /api/login/
Description: Authenticate the user. On success the response sets the session cookie and returns the CSRF token that must accompany later state-changing requests (logout, and any POST/PUT/DELETE you add).
Request Body:
{
"username": "existinguser",
"password": "theirpassword"
}
Success Response:
{
"message": "Login successful",
"user": {
"id": 1,
"username": "existinguser",
"email": "[email protected]"
},
"csrf_token": "your_generated_csrf_token"
}
Endpoint: POST /api/logout/
Description: Log out the user and invalidate the session.
Headers:
X-CSRFToken: <csrf_token returned by /api/login/>
The session cookie set at login must be sent as well (browsers do this automatically; with curl, pass the saved cookie jar). A request without the header, or with a token that does not match the session's CSRF cookie, is rejected with 403.
Success Response:
{
"message": "Logout successful"
}
Endpoint: GET /api/protected/
Description: Access a protected endpoint that returns the current user's details.
Headers: none are required beyond the session cookie, which the browser sends automatically (with curl, pass the saved cookie jar). GET requests are not CSRF-checked, so no token is needed.
Success Response:
{
"id": 1,
"username": "logged_in_user",
"email": "[email protected]"
}
Unauthorized Response (no valid session cookie; HTTP 401 or 403 depending on the authentication classes configured):
{
"detail": "Authentication credentials were not provided."
}
Use tools like curl, Postman, or Insomnia. The examples below assume the server from the setup steps is running at http://127.0.0.1:8000.
# Register a user. No session or CSRF token is needed yet.
curl -X POST -H "Content-Type: application/json" \
-d '{"username": "testuser", "email": "[email protected]", "password": "password123", "password2": "password123"}' \
http://127.0.0.1:8000/api/register/
# Log in. -c saves the cookies the response sets (sessionid and csrftoken) to cookies.txt.
# No CSRF header is needed here: the check only applies once a session is authenticated.
curl -X POST -H "Content-Type: application/json" -c cookies.txt \
-d '{"username": "testuser", "password": "password123"}' \
http://127.0.0.1:8000/api/login/
# Copy the csrf_token value from the JSON response; it is required on every subsequent POST/PUT/DELETE.
# Call the protected endpoint with the saved session cookie (-b). GET needs no CSRF token.
curl -X GET -b cookies.txt \
http://127.0.0.1:8000/api/protected/
# Log out. Both the saved cookies (-b) and the CSRF token from the login response are required:
# Django validates the X-CSRFToken header against the csrftoken cookie in the same jar,
# so a token from another session, or a request without -b, is rejected with 403.
curl -X POST -H "Content-Type: application/json" -H "X-CSRFToken: YOUR_CSRF_TOKEN_HERE" -b cookies.txt \
http://127.0.0.1:8000/api/logout/
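The curl steps leave the token handling to the reader. The script below runs the same register-free flow (login, protected call, logout) from Python's standard library and shows the two rules the flow depends on: the cookie jar carries `sessionid` and `csrftoken` on every request, and `X-CSRFToken` is attached only to state-changing methods once a token has been obtained. It is an added example, not part of the project; the base URL, the endpoint paths and the JSON shapes are assumed from this README.

```python
"""Stdlib-only client for the session flow: login, protected call, logout.

Added example, not the project's code. Assumes a dev server at
http://127.0.0.1:8000 and the endpoint paths and JSON bodies in this README.
"""
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar

BASE_URL = "http://127.0.0.1:8000"                  # assumed dev server
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # exempt from Django's CSRF check


def extract_csrf_token(body):
    """Return the csrf_token field of the login response (bytes, str or dict).

    A missing or empty token raises here rather than being passed on silently,
    since Django would answer the next POST with 403 and the real cause is lost.
    """
    data = body if isinstance(body, dict) else json.loads(body)
    token = data.get("csrf_token")
    if not isinstance(token, str) or not token:
        raise ValueError("login response carries no csrf_token")
    return token


def csrf_headers(method, token):
    """Headers for one request: X-CSRFToken only on state-changing methods.

    Safe methods are never CSRF-checked. Unsafe ones are checked once a session
    is authenticated, so `token` is None before login and set afterwards. The
    session cookie travels in the cookie jar, not in these headers.
    """
    headers = {"Accept": "application/json"}
    if method.upper() not in SAFE_METHODS:
        headers["Content-Type"] = "application/json"
        if token:
            headers["X-CSRFToken"] = token
    return headers


class SessionClient:
    """Holds the cookie jar (like curl -c/-b) and the CSRF token from login."""

    def __init__(self, base_url=BASE_URL):
        self.base_url = base_url.rstrip("/")
        self.jar = CookieJar()  # receives sessionid and csrftoken via Set-Cookie
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))
        self.csrf_token = None

    def request(self, method, path, payload=None):
        """Send one JSON request; return (status, decoded body) even on 4xx."""
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(
            self.base_url + path, data=data, method=method,
            headers=csrf_headers(method, self.csrf_token))
        try:
            with self.opener.open(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")

    def login(self, username, password):
        status, body = self.request(
            "POST", "/api/login/", {"username": username, "password": password})
        if status == 200:
            # Django rotates the CSRF token at login, so only the token returned
            # here (matching the new csrftoken cookie now in the jar) is valid.
            self.csrf_token = extract_csrf_token(body)
        return status, body

    def protected(self):
        return self.request("GET", "/api/protected/")

    def logout(self):
        if self.csrf_token is None:
            raise RuntimeError("not logged in: logout needs the CSRF token from login")
        status, body = self.request("POST", "/api/logout/")
        if status == 200:
            self.csrf_token = None
            self.jar.clear()  # server invalidated the session; drop the stale cookies
        return status, body


if __name__ == "__main__":
    client = SessionClient()
    print(client.login("testuser", "password123"))  # 200 and the login JSON
    print(client.protected())                       # 200 and the user details
    print(client.logout())                          # 200, "Logout successful"
    print(client.protected())                       # 401/403: the session is gone
```

Run it after registering `testuser` with the curl command above; the last call demonstrates that the cleared session no longer authenticates. Reusing a token captured before login, or sending the header without the jar, reproduces the 403 described for the logout endpoint.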
This project is open-source and free to use.
Feel free to fork the repository and submit pull requests to improve functionality or documentation.