Django accounts management app (2), login and change password

saad4software

Saad Alkentar

Posted on November 11, 2024

Django accounts management app (2), login and change password

What can you expect from this article?

We started working on the accounts app in the previous article, this article will build on it. It will cover

  • Serializers for login, refresh token, and change password requests
  • Views for the same APIs, login, refresh token and change password
  • And of course the URLs.

I'll try to cover as many details as possible without boring you, but I still expect you to be familiar with some aspects of Python and Django.

the final version of the source code can be found at https://github.com/saad4software/alive-diary-backend

Series order

  1. AI Project from Scratch, The Idea, Alive Diary
  2. Prove it is feasible with Google AI Studio
  3. Django API Project Setup
  4. Django accounts management (1), registration and activation
  5. Django accounts management (2), login and change password (You are here 📍)
  6. Django Rest framework with Swagger
  7. Django accounts management (3), forgot password and account details

Login and Refresh APIs in a Hurry!

Well, if you are in a hurry and don't have some complicated user management and user role system, you can simply follow the instructions in SimpleJWT documentation, you won't have to create serializers or views, just edit the URLs file as follows

from django.urls import path, include
from .views import *
from rest_framework_simplejwt.views import (
    TokenObtainPairView,
    TokenRefreshView,
)

urlpatterns = [
    path('register/', AccountRegisterView.as_view()),
    path('activate/', AccountActivateView.as_view()),
    path('login/', TokenObtainPairView.as_view()),
    path('refresh/', TokenRefreshView.as_view()),
]
Enter fullscreen mode Exit fullscreen mode

app_account/urls.py

You are good to go, now running the app using

python manage.py runserver 0.0.0.0:8555
Enter fullscreen mode Exit fullscreen mode

and opening the URL http://localhost:8555/api/account/login/ will allow you to log in, and the http://localhost:8555/api/account/refresh/ will allow you to refresh the token

login API view

Nice and easy, but what if we need to customize the token response? Actually, I would like this response to follow the same response schema we built in previous article, and also to get the role field for the UI to distinguish a normal user from an Admin, how to do so?

Customize Login API

To get responses to follow our schema, we can simply create an empty serializer that inherits from TokenObtainPairSerializer

from rest_framework_simplejwt.serializers import TokenObtainPairSerializer

class LoginSerializer(TokenObtainPairSerializer):
    pass
Enter fullscreen mode Exit fullscreen mode

app_account/serializers.py

and pass it to a login view that uses our custom renderer

from rest_framework_simplejwt.views import TokenViewBase

class AccountLoginView(TokenViewBase):
    serializer_class = LoginSerializer
    renderer_classes = [CustomRenderer, BrowsableAPIRenderer]
Enter fullscreen mode Exit fullscreen mode

app_account/views.py

Logging in response should follow our schema now. just make sure to update the URLs file to point to our custom login view

from django.urls import path, include
from .views import *
from rest_framework_simplejwt.views import (
    TokenObtainPairView,
    TokenRefreshView,
)

urlpatterns = [
    path('register/', AccountRegisterView.as_view()),
    path('activate/', AccountActivateView.as_view()),
    path('login/', AccountLoginView.as_view()),
    path('refresh/', TokenRefreshView.as_view()),
]

Enter fullscreen mode Exit fullscreen mode

app_account/urls.py

Login schema for error

adding the role field is kinda tricky, easiest way would be to overwrite the validate function in the serializer, and with the help of this from simple JWT, we got

from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
from django.contrib.auth import get_user_model

class LoginSerializer(TokenObtainPairSerializer):

    def validate(self, attrs):
        username = attrs['username']
        user = get_user_model().objects.filter(username=username).first()

        if not user or not user.check_password(attrs['password']):
            raise serializers.ValidationError("invalid_credentials")

        if not user.is_active:
            raise serializers.ValidationError("not_active")

        refresh = self.get_token(user)

        data = {
            'refresh': str(refresh),
            'access': str(refresh.access_token),
            'role': user.role,
        }

        return data
Enter fullscreen mode Exit fullscreen mode

app_account/serializers.py

We started by getting the user object, if it doesn't exist or the password doesn't match, it raises an error with "invalid_credentials" message, then we make sure the user is active, and finally, we get the token and build the response. Let's try it now!

Adding field to login response

I know it looks like too much hustle for a simple goal! but it gives us control over the validation behavior and allows us to add any other fields. Let's add the user info

class UserSerializer(serializers.ModelSerializer):

    class Meta:
        model = get_user_model()
        fields = (
            'first_name', 
            'last_name', 
            'username', 
            'country_code', 
            'expiration_date',
            'hobbies',
            'job',
            'bio',
            'role',
        )
        read_only_fields = ['username', 'role',  'expiration_date']


class LoginSerializer(TokenObtainPairSerializer):

    def validate(self, attrs):
        username = attrs['username']
        user = get_user_model().objects.filter(username=username).first()

        if not user or not user.check_password(attrs['password']):
            raise serializers.ValidationError("invalid_credentials")

        if not user.is_active:
            raise serializers.ValidationError("not_active")

        refresh = self.get_token(user)

        data = {
            'refresh': str(refresh),
            'access': str(refresh.access_token),
            'user': UserSerializer(user).data,
            'role': user.role,
        }

        return data

Enter fullscreen mode Exit fullscreen mode

app_account/serializers.py

Customize Refresh token API

Do it again, do it better!

from rest_framework_simplejwt.serializers import TokenRefreshSerializer
from rest_framework_simplejwt.state import token_backend


class RefreshTokenSerializer(TokenRefreshSerializer):

    def validate(self, attrs):
        data = super().validate(attrs)
        decoded_payload = token_backend.decode(data['access'], verify=True)
        user_id = decoded_payload['user_id']
        user = User.objects.get(id=user_id)
        data['role'] = user.role
        data['user'] = UserSerializer(user).data
        return data

Enter fullscreen mode Exit fullscreen mode

app_account/serializer.py

this will give us new access and refresh tokens, and also the role and user data, if we don't need the extra fields, we can simply use an empty serializer class (with pass) that inherits from TokenRefreshSerializer
The refresh view should look like this

class AccountRefreshTokenView(TokenViewBase):
    serializer_class = RefreshTokenSerializer
    renderer_classes = [CustomRenderer, BrowsableAPIRenderer]
Enter fullscreen mode Exit fullscreen mode

app_account/views.py

It uses our new RefreshTokenSerializer and CustomRenderer, don't forget to update the URLs file

urlpatterns = [
    path('register/', AccountRegisterView.as_view()),
    path('activate/', AccountActivateView.as_view()),
    path('login/', AccountLoginView.as_view()),
    path('refresh/', AccountRefreshTokenView.as_view()),
]
Enter fullscreen mode Exit fullscreen mode

app_account/urls.py
great! testing it should return something like this

Refresh token with the custom fields

Change password API

As always. Let's start with the serializer


class ChangePasswordSerializer(serializers.Serializer):
    password = serializers.CharField(required=True)
    new_password = serializers.CharField(required=True)

Enter fullscreen mode Exit fullscreen mode

app_account/serializers.py

It is a custom serializer, with two required char fields. moving to the view

from rest_framework.permissions import IsAuthenticated

class AccountChangePasswordView(APIView):
    permission_classes = (IsAuthenticated,)
    renderer_classes = [CustomRenderer, BrowsableAPIRenderer]

    def post(self, request, *args, **kwargs):
        serializer = ChangePasswordSerializer(data=request.data)

        if not serializer.is_valid():
            raise APIException(serializer.errors)

        user = request.user
        password = serializer.validated_data.get("password")
        new_password = serializer.validated_data.get("new_password")

        if not user.check_password(password):
            raise APIException("invalid_password")

        user.set_password(new_password)
        user.save()

        return Response("success")

Enter fullscreen mode Exit fullscreen mode

app_account/views.py

This request requires an authenticated user, so we used IsAuthenticated as a permission class, of course, we used our custom renderer class. for the POST request, we start by making sure the request satisfies the serializer types, then check the password validity, if valid; we change it and save the new user model

opening http://localhost:8555/api/account/password/ in the browser would look like this

Authenticated view with BrowsableAPIRenderer

since it is an authenticated view, it requires the use of bearer token which is not supported by the BrowsableAPIRenderer.
In order to test this (and every authenticated request) we have one of two options

  • Use an IDE like postman or insomnia (personally, I prefer Insomnia since it still does not force me to log in)
  • Or to use swagger

if you choose the first path, you can ignore the next article! The next article will walk you through implementing Swagger in your Django project

Stay tuned 😎

💖 💪 🙅 🚩
saad4software
Saad Alkentar

Posted on November 11, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related