# Django Channels JWT
Django Channels JWT Middleware is a secure way to handle authentication for Django Channels WebSocket connections without directly exposing JWT tokens. Instead of sending the token itself in the query parameter, this middleware uses UUID-based authentication and cache-based user retrieval for enhanced security.
## Security Benefits
- **Enhanced Security**: JWT tokens can potentially be intercepted if sent as query parameters. This middleware avoids sending tokens directly, minimizing the risk of token leakage.
- **UUID-based Authentication**: This middleware generates UUIDs as tokens for WebSocket connections. These UUIDs are short-lived and act as temporary access keys. When a user connects, they provide the UUID, which is used to retrieve the authenticated user.
- **Cache-based User Retrieval**: Upon connection, the middleware validates the UUID, retrieves the corresponding user ID from the cache, and fetches the user asynchronously. This ensures that the WebSocket connection is only established for authenticated users.
## Risks of Sending Tokens as Query Parameters
Sending tokens as query parameters can expose security vulnerabilities:
- **Token Exposure**: Tokens in query parameters can be captured in logs, browser history, or server logs, increasing the risk of unauthorized access.
- **Caching**: Some proxies or servers may cache URLs, which could lead to tokens being stored in shared caches.
## Installation
Install the package using pip:
```bash
pip install django-channels-jwt
```
## Configuration
1. Wrap your URLRouter
```python
from django_channels_jwt.middlware import JwtAuthMiddlewareStack
application = ProtocolTypeRouter({
"http": get_asgi_application(),
"websocket": JwtAuthMiddlewareStack(
URLRouter(
websocket_urlpatterns,
)
),
})
```
2. Include the provided URL for ticket generation in your project's `urls.py`:
```python
from django.urls import path, include
url_patterns = [
# ... your other URL patterns
path("api/auth/", include('django_channels_jwt.urls')
]
```
or if you want to set customized route
```python
from django.urls import path, include
from django_channels_jwt.views import AsgiValidateTokenView
url_patterns = [
# ... your other URL patterns
path("auth_for_ws_connection/", AsgiValidateTokenView.as_view())
]
```
## Usage
1. Ensure your Django app's models are configured correctly.
2. Use the included `AsgiValidateTokenView` to generate a ticket (UUID) for WebSocket connections.
3. Connect to your WebSocket with the generated UUID to authenticate the connection without exposing the token.
```
ws://localhost:8001/ws/chat/?uuid=
```
1.0.0 (2023-08-11)
------------------
* First release on PyPI.
Raw data
{
"_id": null,
"home_page": "https://github.com/usamashehab/django-channels-jwt",
"name": "django-channels-jwt",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": "",
"keywords": "django,channels,jwt,auth,middleware,python,authentication",
"author": "Usama Shehab",
"author_email": "usama.mh.shehab@gmail.com",
"download_url": "https://files.pythonhosted.org/packages/fb/6d/557f9da267e43eb1cd9589b555f1a282f5a0671b960df8a503197e6d77a9/django-channels-jwt-0.0.3.tar.gz",
"platform": null,
"description": "# Django Channels JWT \n\nDjango Channels JWT Middleware is a secure way to handle authentication for Django Channels WebSocket connections without directly exposing JWT tokens. Instead of sending the token itself in the query parameter, this middleware uses UUID-based authentication and cache-based user retrieval for enhanced security.\n\n## Security Benefits\n\n- **Enhanced Security**: JWT tokens can potentially be intercepted if sent as query parameters. This middleware avoids sending tokens directly, minimizing the risk of token leakage.\n\n- **UUID-based Authentication**: This middleware generates UUIDs as tokens for WebSocket connections. These UUIDs are short-lived and act as temporary access keys. When a user connects, they provide the UUID, which is used to retrieve the authenticated user.\n\n- **Cache-based User Retrieval**: Upon connection, the middleware validates the UUID, retrieves the corresponding user ID from the cache, and fetches the user asynchronously. This ensures that the WebSocket connection is only established for authenticated users.\n\n## Risks of Sending Tokens as Query Parameters\n\nSending tokens as query parameters can expose security vulnerabilities:\n- **Token Exposure**: Tokens in query parameters can be captured in logs, browser history, or server logs, increasing the risk of unauthorized access.\n- **Caching**: Some proxies or servers may cache URLs, which could lead to tokens being stored in shared caches.\n\n## Installation\n\nInstall the package using pip:\n\n```bash\npip install django-channels-jwt\n```\n\n## Configuration\n\n1. Wrap your URLRouter\n ```python\n from django_channels_jwt.middlware import JwtAuthMiddlewareStack\n\n application = ProtocolTypeRouter({\n \"http\": get_asgi_application(),\n \"websocket\": JwtAuthMiddlewareStack(\n URLRouter(\n websocket_urlpatterns,\n )\n ),\n })\n ```\n\n2. Include the provided URL for ticket generation in your project's `urls.py`:\n\n ```python\n from django.urls import path, include\n\n url_patterns = [\n # ... your other URL patterns\n path(\"api/auth/\", include('django_channels_jwt.urls')\n ]\n ```\nor if you want to set customized route\n\n ```python\n from django.urls import path, include\n from django_channels_jwt.views import AsgiValidateTokenView\n\n url_patterns = [\n # ... your other URL patterns\n path(\"auth_for_ws_connection/\", AsgiValidateTokenView.as_view())\n ]\n ```\n\n## Usage\n\n1. Ensure your Django app's models are configured correctly.\n2. Use the included `AsgiValidateTokenView` to generate a ticket (UUID) for WebSocket connections.\n3. Connect to your WebSocket with the generated UUID to authenticate the connection without exposing the token.\n ```\n ws://localhost:8001/ws/chat/?uuid=\n ```\n\n\n1.0.0 (2023-08-11)\n------------------\n\n* First release on PyPI.\n\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Secure JWT Auth Middleware for Django Channels",
"version": "0.0.3",
"project_urls": {
"Homepage": "https://github.com/usamashehab/django-channels-jwt"
},
"split_keywords": [
"django",
"channels",
"jwt",
"auth",
"middleware",
"python",
"authentication"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "369a3d9b8b5a50b65f5c5bbb65bb551d7f9defef83e41c1fac3af75264f0956d",
"md5": "2a01b5be81823c672054d1ab42f3f470",
"sha256": "ed11c1e188e69b32631418c23919dc7f69496939b82060783dd935ecd881f931"
},
"downloads": -1,
"filename": "django_channels_jwt-0.0.3-py3-none-any.whl",
"has_sig": false,
"md5_digest": "2a01b5be81823c672054d1ab42f3f470",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8",
"size": 5649,
"upload_time": "2023-08-15T10:15:33",
"upload_time_iso_8601": "2023-08-15T10:15:33.395609Z",
"url": "https://files.pythonhosted.org/packages/36/9a/3d9b8b5a50b65f5c5bbb65bb551d7f9defef83e41c1fac3af75264f0956d/django_channels_jwt-0.0.3-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "fb6d557f9da267e43eb1cd9589b555f1a282f5a0671b960df8a503197e6d77a9",
"md5": "312bffbb94462a3b5679317211cc01bb",
"sha256": "2f924633c900e1fced52312f53e3cfd5a578a0876a102cbf0131fb0f80ffdd6c"
},
"downloads": -1,
"filename": "django-channels-jwt-0.0.3.tar.gz",
"has_sig": false,
"md5_digest": "312bffbb94462a3b5679317211cc01bb",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 5397,
"upload_time": "2023-08-15T10:15:35",
"upload_time_iso_8601": "2023-08-15T10:15:35.495398Z",
"url": "https://files.pythonhosted.org/packages/fb/6d/557f9da267e43eb1cd9589b555f1a282f5a0671b960df8a503197e6d77a9/django-channels-jwt-0.0.3.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-08-15 10:15:35",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "usamashehab",
"github_project": "django-channels-jwt",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [],
"lcname": "django-channels-jwt"
}
JSON
