authentication

JWT issuance and verification without common footguns

JWTs are easy to misuse because libraries make them look simpler than they are. I pin the algorithm, validate issuer and audience, keep expirations short, and rotate signing keys deliberately. I also avoid putting sensitive business data into tokens j

Secure random token generation for sessions and recovery flows

Predictable tokens become account compromise. I use cryptographically secure randomness, store only token digests when possible, and keep token purpose and expiry specific. Reset tokens, magic links, and API secrets should all be treated like credenti

SSH daemon hardening and key-based access only

SSH hardening is basic but still worth doing carefully. I disable password auth, restrict root login, and pair strong settings with operational practices like host key monitoring and per-user key lifecycle management. Security without maintainability

Django allauth for social authentication

django-allauth provides ready-made social auth (Google, Facebook, GitHub, etc.). I configure providers in settings with API keys. It handles OAuth flows, token management, and account linking. Users can log in with multiple providers. I customize templ

Django custom user model best practices

Extending Django's user model should be done early in projects. I use AbstractBaseUser for full control or AbstractUser to extend the default. Setting AUTH_USER_MODEL points Django to my custom model. I add fields like phone, avatar, or preferences. F

OAuth 2.0 Authorization Code with PKCE for public clients

For browser and mobile clients, PKCE closes an important hole in the classic authorization code flow. I use it by default with public clients, require exact redirect URI matching, and keep token exchange on TLS only. This is one of those cases where t

Session cookie hardening for browser-based authentication

Sessions are fine when they are treated like security-sensitive state. I set HttpOnly, Secure, and SameSite deliberately, rotate session identifiers after login, and keep idle timeout separate from absolute timeout. Weak cookie settings are still a co

Biometric authentication implementation

BiometricPrompt provides secure authentication via fingerprint, face, or iris. I create BiometricPrompt with callback handling success, error, and failure. PromptInfo configures title, subtitle, description, and allowed authenticators. Negative button

Django custom authentication backend

Custom auth backends enable alternative authentication methods. I subclass ModelBackend and override authenticate(). Common use cases include email login, LDAP, OAuth, or custom token auth. The backend returns a user object or None. I add it to AUTHEN

Django custom user model with email authentication

Using email instead of username for authentication is a common requirement. I extend AbstractBaseUser and create a custom user manager early in the project because switching later means complex data migrations. The key is setting USERNAME_FIELD = 'ema

API key authentication for service-to-service calls

While JWT works well for user authentication, service-to-service communication often uses simpler API key authentication. I generate cryptographically random API keys using SecureRandom.hex(32) and store them hashed in the database, similar to passwor

Secure password reset flow with signed tokens

Password reset workflows require careful security design to prevent account takeover. I generate time-limited, single-use tokens using Rails' signed_id feature which creates tamper-proof tokens without database storage. The token expires after a short