I’m building an Android app and associated set of web services for uploading/downloading data. I need a basic (no frills) solution for account management (register, login, logout, verify credentials/token).
What open source / third party solutions exist for this scenario?
I need:
- create a new account db based on a salt
- simple web service to create a new account
- simple web service to authenticate supplied credentials and return some sort of token
That’s it, I can get by without ‘fancy’ email activation or password reset for the time being.
And then moving beyond simple account management, I will need some sort of ‘token’ based authentication for a web service.
Are there off-the-shelf components for this? Should I just use a ‘blank’ django or rails app to get this done? Seems crazy for everyone to be doing CREATE TABLE user_accounts …
Thoughts?
Thank you.
1
Here is where I’ve landed after two days of hacking. I welcome any feedback or criticism. If you identify a fundamental functional or security flaw with this approach, I’ll paypal you enough cash for a pound of coffee or six-pack of beer.
I have selected Django as my ‘modern web stack’ for a foundational platform. I’ll be leveraging it for security, account, session, and password management. I eagerly defer security-sensitive functionality to Django (i.e. following convention wherever possible). I do not shirk responsibility for security, but I believe informed consumption of an industry-vetted framework is inherently more secure than rolling your own. I selected Django primarily based on familiarity with and preference for Python, plus the framework’s maturity.
Out of the box, Django has great support for account management and authentication. Of particular value is the great Django admin interface which lets a superuser reset passwords, disable accounts, etc. This is a huge value imho.
To support registration and account lifecycle management (password reset, etc), I went with the django-registration module:
https://bitbucket.org/ubernostrum/django-registration
This appears to be a very mature and vetted library with great documentation. It does not include basic form templates but I found a good set here which I customized:
https://github.com/yourcelf/django-registration-defaults
This got me up and running with a full account management solution for web-usage, but (as mentioned above) I need an API-based solution for a mobile app. I don’t want to persist the user password locally on the phone and I’d prefer to avoid managing session cookies in my API calls (a token approach is superior imho). I discovered this module:
https://github.com/jpulgarin/django-tokenapi
Which works great. The only thing missing at this point was an API for programmatically registering new accounts from the native mobile application. I coded this myself.
So long story short, I have the following working (as vanilla-Django as possible):
- full account auth and lifecycle management from Django Auth
- full account web registration from django-registration
- some primitive, but functional, account UI templates from django-registration-defaults
- token-based security for mobile API calls via django-tokenapi
- a special one-off API for registering new accounts inside the mobile app
Seems to be working…
1
For lack of more specific requirements, I would start by picking a modern web stack you had some familiarity with and riding it’s built-in authentication back-end. You might need to roll a few services in front of it to manage some angles but you should be able to avoid crafting a real secured user management system.
Also keep in mind that while http basic auth isn’t the perfect answer, http basic auth over ssl is a reasonable alternative until you’ve got something worth stealing.
1