This is a re-post of my Stack Overflow question here 
http://stackoverflow.com/questions/4939908/how-should-i-properly-impliment-https-auth-remote-auth-in-django

  Hi,

I am in the planning phase of a new project. I want to be able to control 
multiple relays from my android powered phone over the internet. I need to 
use an HTTP based server as a middleman between the phone and the relays. 
Django is my preferred platform because Python is my strongest skill set. 
This would not be a "web app" (with the exception of the admin interface for 
managing the user and their access to the relays). Rather, the server would 
simply provide an API in the form of HTTPS requests and JSON encoding. 
Though, I should note that I have never done any web development in my life, 
so I don't know best practices (yet). The authentication method should meet 
the following criteria:

   - Works over HTTPS (self-signed SSL)
   - Provides multi-factor authentication (in the form of something you have 
     and something you know)
   - Is reasonably secure (would be very difficult to fool, guess at, or 
     otherwise bypass)
   - Is simple in implementation for the server operator and end user on the 
     mobile client
   - Is lightweight in terms of both CPU cycles and bandwidth
   
   I plan to use the following scheme to solve this:
   1. An administrator logs into the web interface, creates a user, and sets 
      up his/her permissions (including a username and a password chosen by the 
      user).
   2. The user starts the client, selects add server, and enters the 
      server URL and his/her credentials.
   3. The client attempts to authenticate the user via HTTP auth 
      (over SSL). If the authentication was successful, the server will 
      generate an API key in the form of a UUID and send it to the client. The 
      client will save this key and use it in all API calls over HTTPS. HTTP 
      auth is only used for the initial authentication process prior to 
      receiving a key, as a session scheme would not be necessary for this 
      application. Right? The client will only work if the phone is configured 
      to automatically lock with a PIN or pattern after a short timeout. The 
      server will only allow one key to be generated per user, unless an 
      administrator resets the key. Hence, simple, mobile, multifactor 
      authentication.
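The key-issuing flow in step 3, as an added, framework-free example (this is not the poster's code, and Django is left out so it runs stand-alone). It assumes an in-memory user table and key table standing in for the Django models, a constructed user "alice", and a few design choices the post does not spell out: passwords are stored as salted PBKDF2 hashes, only a SHA-256 hash of the issued UUID key is kept server-side (so a database read does not yield usable keys), comparisons use constant-time equality, and a second key request for the same user is refused until an administrator resets it.

```python
import base64
import hashlib
import hmac
import os
import uuid

# Constructed in-memory stand-ins for the admin-created user table and the
# one-key-per-user table described in the post (hypothetical; a real server
# would keep these in the Django ORM).
USERS = {}      # username -> (salt, pbkdf2 digest of the password)
API_KEYS = {}   # username -> sha256 hex digest of the issued API key
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def create_user(username, password):
    """Step 1: the administrator creates the user with a chosen password."""
    USERS[username] = hash_password(password)


def check_password(username, password):
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username costs about as much as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, digest = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def basic_auth_header(username, password):
    """Build the 'Authorization: Basic ...' value the client sends in step 3."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header):
    """Return (username, password) from a Basic auth header value, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username, password


def issue_api_key(auth_header):
    """Step 3: verify Basic credentials, mint one UUID key per user, return it once."""
    creds = parse_basic_auth(auth_header)
    if creds is None or not check_password(*creds):
        return None
    username = creds[0]
    if username in API_KEYS:
        return None  # a key already exists; only an administrator reset allows a new one
    key = str(uuid.uuid4())
    API_KEYS[username] = hashlib.sha256(key.encode("utf-8")).hexdigest()
    return key  # the only time the plaintext key leaves the server


def reset_api_key(username):
    """Administrator action: forget the user's key so a new one can be issued."""
    API_KEYS.pop(username, None)


def authenticate_api_call(username, api_key):
    """Every later API call: compare the hash of the presented key in constant time."""
    stored = API_KEYS.get(username)
    if stored is None:
        return False
    presented = hashlib.sha256(api_key.encode("utf-8")).hexdigest()
    return hmac.compare_digest(presented, stored)


if __name__ == "__main__":
    create_user("alice", "correct horse")  # constructed sample user
    key = issue_api_key(basic_auth_header("alice", "correct horse"))
    print("issued:", key)
    print("second issue refused:", issue_api_key(basic_auth_header("alice", "correct horse")) is None)
    print("api call ok:", authenticate_api_call("alice", key))
```

Because the client only ever sends the key inside HTTPS and the server stores only its hash, the key is the "something you have" and the phone's PIN lock is the "something you know"; a leaked database dump does not let an attacker call the API, and a single per-user key makes an unexpected reset request visible to the administrator.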
   
Is this sound from a security standpoint? Also, can anyone point me to an 
example of how to use the HTTP auth that is built into Django? From a Google 
search, I can find a lot of snippets which hack the feature together. But, 
none of them implement HTTP auth in the way it was added to Django in 
1.1 <http://code.djangoproject.com/ticket/689>. 
The official documentation for REMOTE_AUTH can be found 
here <http://docs.djangoproject.com/en/1.2/howto/auth-remote-user/>, 
but I am having difficulty understanding the documentation as I am very new 
to Django.

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
