Saad Alkentar
Posted on November 11, 2024
What can you expect from this article?
We started working on the accounts app in the previous article, this article will build on it. It will cover
- Serializers for login, refresh token, and change password requests
- Views for the same APIs, login, refresh token and change password
- And of course the URLs.
I'll try to cover as many details as possible without boring you, but I still expect you to be familiar with some aspects of Python and Django.
the final version of the source code can be found at https://github.com/saad4software/alive-diary-backend
Series order
- AI Project from Scratch, The Idea, Alive Diary
- Prove it is feasible with Google AI Studio
- Django API Project Setup
- Django accounts management (1), registration and activation
- Django accounts management (2), login and change password (You are here 📍)
- Django Rest framework with Swagger
- Django accounts management (3), forgot password and account details
Login and Refresh APIs in a Hurry!
Well, if you are in a hurry and don't have some complicated user management and user role system, you can simply follow the instructions in SimpleJWT documentation, you won't have to create serializers or views, just edit the URLs file as follows
from django.urls import path, include
from .views import *
from rest_framework_simplejwt.views import (
TokenObtainPairView,
TokenRefreshView,
)
urlpatterns = [
path('register/', AccountRegisterView.as_view()),
path('activate/', AccountActivateView.as_view()),
path('login/', TokenObtainPairView.as_view()),
path('refresh/', TokenRefreshView.as_view()),
]
app_account/urls.py
You are good to go, now running the app using
python manage.py runserver 0.0.0.0:8555
and opening the URL http://localhost:8555/api/account/login/
will allow you to log in, and the http://localhost:8555/api/account/refresh/
will allow you to refresh the token
Nice and easy, but what if we need to customize the token response? Actually, I would like this response to follow the same response schema we built in previous article, and also to get the role field for the UI to distinguish a normal user from an Admin, how to do so?
Customize Login API
To get responses to follow our schema, we can simply create an empty serializer that inherits from TokenObtainPairSerializer
from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
class LoginSerializer(TokenObtainPairSerializer):
pass
app_account/serializers.py
and pass it to a login view that uses our custom renderer
from rest_framework_simplejwt.views import TokenViewBase
class AccountLoginView(TokenViewBase):
serializer_class = LoginSerializer
renderer_classes = [CustomRenderer, BrowsableAPIRenderer]
app_account/views.py
Logging in response should follow our schema now. just make sure to update the URLs file to point to our custom login view
from django.urls import path, include
from .views import *
from rest_framework_simplejwt.views import (
TokenObtainPairView,
TokenRefreshView,
)
urlpatterns = [
path('register/', AccountRegisterView.as_view()),
path('activate/', AccountActivateView.as_view()),
path('login/', AccountLoginView.as_view()),
path('refresh/', TokenRefreshView.as_view()),
]
app_account/urls.py
adding the role
field is kinda tricky, easiest way would be to overwrite the validate
function in the serializer, and with the help of this from simple JWT, we got
from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
from django.contrib.auth import get_user_model
class LoginSerializer(TokenObtainPairSerializer):
def validate(self, attrs):
username = attrs['username']
user = get_user_model().objects.filter(username=username).first()
if not user or not user.check_password(attrs['password']):
raise serializers.ValidationError("invalid_credentials")
if not user.is_active:
raise serializers.ValidationError("not_active")
refresh = self.get_token(user)
data = {
'refresh': str(refresh),
'access': str(refresh.access_token),
'role': user.role,
}
return data
app_account/serializers.py
We started by getting the user object, if it doesn't exist or the password doesn't match, it raises an error with "invalid_credentials" message, then we make sure the user is active, and finally, we get the token and build the response. Let's try it now!
I know it looks like too much hustle for a simple goal! but it gives us control over the validation behavior and allows us to add any other fields. Let's add the user info
class UserSerializer(serializers.ModelSerializer):
class Meta:
model = get_user_model()
fields = (
'first_name',
'last_name',
'username',
'country_code',
'expiration_date',
'hobbies',
'job',
'bio',
'role',
)
read_only_fields = ['username', 'role', 'expiration_date']
class LoginSerializer(TokenObtainPairSerializer):
def validate(self, attrs):
username = attrs['username']
user = get_user_model().objects.filter(username=username).first()
if not user or not user.check_password(attrs['password']):
raise serializers.ValidationError("invalid_credentials")
if not user.is_active:
raise serializers.ValidationError("not_active")
refresh = self.get_token(user)
data = {
'refresh': str(refresh),
'access': str(refresh.access_token),
'user': UserSerializer(user).data,
'role': user.role,
}
return data
app_account/serializers.py
Customize Refresh token API
Do it again, do it better!
from rest_framework_simplejwt.serializers import TokenRefreshSerializer
from rest_framework_simplejwt.state import token_backend
class RefreshTokenSerializer(TokenRefreshSerializer):
def validate(self, attrs):
data = super().validate(attrs)
decoded_payload = token_backend.decode(data['access'], verify=True)
user_id = decoded_payload['user_id']
user = User.objects.get(id=user_id)
data['role'] = user.role
data['user'] = UserSerializer(user).data
return data
app_account/serializer.py
this will give us new access and refresh tokens, and also the role and user data, if we don't need the extra fields, we can simply use an empty serializer class (with pass
) that inherits from TokenRefreshSerializer
The refresh view should look like this
class AccountRefreshTokenView(TokenViewBase):
serializer_class = RefreshTokenSerializer
renderer_classes = [CustomRenderer, BrowsableAPIRenderer]
app_account/views.py
It uses our new RefreshTokenSerializer
and CustomRenderer
, don't forget to update the URLs file
urlpatterns = [
path('register/', AccountRegisterView.as_view()),
path('activate/', AccountActivateView.as_view()),
path('login/', AccountLoginView.as_view()),
path('refresh/', AccountRefreshTokenView.as_view()),
]
app_account/urls.py
great! testing it should return something like this
Change password API
As always. Let's start with the serializer
class ChangePasswordSerializer(serializers.Serializer):
password = serializers.CharField(required=True)
new_password = serializers.CharField(required=True)
app_account/serializers.py
It is a custom serializer, with two required char fields. moving to the view
from rest_framework.permissions import IsAuthenticated
class AccountChangePasswordView(APIView):
permission_classes = (IsAuthenticated,)
renderer_classes = [CustomRenderer, BrowsableAPIRenderer]
def post(self, request, *args, **kwargs):
serializer = ChangePasswordSerializer(data=request.data)
if not serializer.is_valid():
raise APIException(serializer.errors)
user = request.user
password = serializer.validated_data.get("password")
new_password = serializer.validated_data.get("new_password")
if not user.check_password(password):
raise APIException("invalid_password")
user.set_password(new_password)
user.save()
return Response("success")
app_account/views.py
This request requires an authenticated user, so we used IsAuthenticated
as a permission class, of course, we used our custom renderer class. for the POST request, we start by making sure the request satisfies the serializer types, then check the password validity, if valid; we change it and save the new user model
opening http://localhost:8555/api/account/password/
in the browser would look like this
since it is an authenticated view, it requires the use of bearer token which is not supported by the BrowsableAPIRenderer.
In order to test this (and every authenticated request) we have one of two options
- Use an IDE like postman or insomnia (personally, I prefer Insomnia since it still does not force me to log in)
- Or to use
swagger
if you choose the first path, you can ignore the next article! The next article will walk you through implementing Swagger in your Django project
Stay tuned 😎
Posted on November 11, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.