Developers February 26, 2020

Django passwordless logins for admins ... ?

rab

Hi,

I'm looking to have passwordless logins for admin users on Django - i.e. where an administrator enters their email address and the system emails them a login code.

I've seen various passwordless libraries for Django (e.g. django-nopassword) but have found none so far that use the admin templates.

Would appreciate any pointers to either a solution or something that describes how to develop custom admin logins that use all the nice templating etc.

  1. 2

    @mjalloh @dmw I've made decent progress. But as with a lot of these things it is tricky to know quite how far is left to go. I can upload to GitHub and pass link if you are interested. The end solution seems not so complex, but there's lots of potholes to fall in on the way.

    1. 1

      @rab, there will always be a lot of "potholes" to fall in, but if you persevere at it, you will get there eventually!

      Maybe you will write an article about your experience if that works and is not too sensitive down the road.

      If you send me a link, I can take a look though I can't promise if I will be of much use feedback-wise. :)

      All the best with your efforts in any case.

      1. 1

        FYI I have the flow working.

        • Users can log in with an email magic link or switch to logging in with a password.
        • Password login can be configured to accept a username or an email.

        I'll post a demo link when I get there. Still a bit to sort out though.

        1. 2

          Hey @rab,

          I think for a week's worth of work (and a new dev challenge), your commitment is commendable and your milestones so far very impressive.

          Please, keep going!

          All the best.

  2. 2

    Hi,

    Did you take a look at this section of the Django admin site's docs: https://docs.djangoproject.com/en/3.0/ref/contrib/admin/#adding-a-password-reset-feature ? Maybe you can find a way to reuse it to fit your needs?

    I have done custom (email-based, vs. Django's default username-based) auth, but not passwordless authentication.

    A few things that might be worth considering include:

    • You may have to define a custom User model to identify your admins (by their emails?). By default, Django uses the same django.contrib.auth.User model for both its admin and non-admin users.

    • You may have to define a custom "User Manager" that works with your new custom user model.

    • Create new "login" forms, views and templates for your custom user model.

    There may be other things, but I am sure you have thought of a few areas that would need handling.

    If you want more in-depth coverage, you may want to take a look at the official Django guide on "Customizing Authentication in Django" at
    https://docs.djangoproject.com/en/3.0/topics/auth/customizing/

    I wish you all the best.

    Please, let us know how it worked out! :)

    1. 1

      Hi Muhammad,

      This looks very helpful! You are correct, I will need to look at email-based vs. default name-based logins, but I am parking that can of worms for the moment. There are some examples I can find on the web somewhere, but if I struggle I may be back to seek some more advice from you. I will let you know how it works out.

      Thank you!

  3. 2

    I developed a password-less login some years ago for Django 1.9. I believe I was able to use it for my admin user. Sadly the project containing it didn't get open-sourced -- but I may do so if I find it in my backups.

    Just curious -- why would you want passwordless login for your admin (of all accounts)? I did a bunch of work to run my own mail server and ensure it never lost transit encryption because of the one-time links. Might want to think about that too if you're sending admin credentials over email.

    1. 1

      Hi dmw,

      Good question. Brace yourself but I am subclassing the Django admin to use it for non-staff users (a la https://tryolabs.com/blog/2012/06/18/django-administration-interface-for-non-staff-users/).

      Something purists say you shouldn't do (Django Rule #1 = The Admin Is Not Your App) but it is working for me. I want to offer those users passwordless login, so that is why I am looking for "passwordless for admins". Badged like that as I want it to have the same look and feel as the default admin logins and ultimately it will be based on/integrated with the current admin login system.

      In fact the following seems a nice signup/login flow to me:

      1. Passwordless login => User email confirmed.
      2. User optionally sets password in their profile if they want to activate password login.
      3. Login with password or passwordless.
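
A sketch of the single-use login-code store that step 1 of this flow needs, written with dmw's caution above in mind (the emailed code is a credential, so it is stored only as a hash, expires quickly and dies on first use). This is an added example, not code from this thread or from any library it mentions; it uses only the standard library, so the in-memory `MagicLinkStore` stands in for a Django model, and the 15-minute lifetime and the query-string link format are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a login code is valid for 15 minutes


def _digest(token):
    # Only this hash is persisted; a leaked row cannot be replayed as a login link.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkStore:
    """In-memory stand-in for a table of pending login codes (hypothetical, not a Django model)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # token_hash -> (email, expires_at)

    def issue(self, email):
        """Create a fresh random code bound to `email`; return the raw code to put in the email."""
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (email.lower(), self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, email, token):
        """Consume the code and return True only if it matches `email` and has not expired."""
        key = _digest(token)
        entry = self._pending.get(key)
        if entry is None:
            return False
        stored_email, expires_at = entry
        # Any failure burns the code: an expired or mis-addressed link cannot be retried.
        del self._pending[key]
        if self._now() > expires_at:
            return False
        return hmac.compare_digest(stored_email.encode(), email.lower().encode())


def login_link(base_url, email, token):
    """Compose the link to email. Assumption: the login view reads email and token from the query string."""
    return base_url + "?" + urlencode({"email": email, "token": token})
```

Once `redeem` returns True, the user's email is confirmed and the view can call Django's `login()` for them; the password in step 2 is then an optional second way in, not a replacement for this check.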

      1. 2

        I personally like the flow, specifically the option to set a password.

        I am a member of one site that uses the email-magic-link login only and I hate it. It is the specific reason for why I visit that site so rarely.

        Good luck finding a solution you are satisfied with.

        1. 1

          So I have the flow working.

          • Users can log in with an email magic link or switch to logging in with a password.
          • Password login can be configured to accept a username or an email.

          Which means from an authentication point of view there is actually no need for a username.

          I would like to convince myself the username can be dropped, but it is not viable, as applications will want to display user identity in some form and that cannot be the email.

          I'll post a demo link when I get there.

        2. 1

          This is a useful insight. Thank you.

      2. 1

        I see -- I remember having this debate with myself years ago when I first did that event website with the passwordless login. Ultimately I decided to fall in line and create my own user model because I didn't know what I didn't know about Django security.

        I don't remember the process too well (circa 2016) but recall it wasn't as bad as expected to migrate off of the built-in User model. I'll definitely bug you when I find that code -- I'm looking for it to see if I can jog my memory about some django internals.

        1. 1

          My terminology may be a little off. Open to any solution that makes sense. The driver is to re-use the admin interface with all the add/edit/delete etc. functionality.

          I'm making some progress with this now but it's a steep climb. Wading through the docs and options takes some effort. A seemingly sensible approach is emerging though.