Frank Ezenwanne
WHY YOU NEED TO SET TOKENS IN WEB APPS FOR AUTHENTICATION IN DJANGO REST AND NOT DJANGO ( SIMPLIFIED )

ππŽπ‘πŒπ€π‹ πƒπ‰π€ππ†πŽ :
All the frontend pages are rendered by the backend, so since the backend knows that the frontend pages are rendered by it, it can easily pass a user object into the template page. The template language can allow you to test for logged in status with 'if user.is_authenticated' right inside the frontend( the html). So it’s like a piece of the backend is sent to the frontend in a format that can be accessed by a special template language e,g Jinja2, not a general format like JSON(take note) as it renders on the user’s browser.

The fact that a piece of the backend is sent with the frontend already adds a level of security, as it would be quite difficult to tap into the data and change 'is_authenticated' to True: the flag is evaluated on the server before the HTML ever leaves it. It's like the frontend is 'pampered' here!

πƒπ‰π€ππ†πŽ 𝐑𝐄𝐒𝐓:
Naa…No pampering here! The frontend is decoupled from the backend! By decoupled, I just mean the rendering work is handled by the frontend as in the case of Javascript frameworks like React which have the concept of 'state'(I'll talk about it someday). The frontend pages are manufactured/handled by React. The Backend just brings the raw data.

The frontend says, 'Yeah, just drop it there, I'll do the rendering myself. I'm old enough now!' This attitude is why the backend cannot just trust the frontend by dropping the same 'is_authenticated' attribute. Nope! Instead, it gives a token, which is a very long alphanumeric string of characters that cannot easily be forged. This token is what allows the frontend to access data in the backend. The backend can identify the user from the token, and even the expiry date info is embedded. You might say the attitude of the frontend does not deserve this strict behaviour from the backend, but remember that the pages are no longer brought by the backend.

The 'is_authenticated' attribute, if it were used, would come in JSON format, as opposed to the special template format in normal Django. JSON is a format many programming languages treat as a meeting point, so anything in it can be read and rewritten by any client. So imagine putting in something as simple as {is_authenticated : true}. From the frontend, using a simple API tool, one can easily tap in and send {is_authenticated : true} as an attribute back to the backend, and the backend will open its doors wide if that is the pass. With a token, the backend does not take the client's word for it: it looks the token up on its own side and decides for itself who the user is.
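The two behaviours side by side, as an added example written for this post (it is not the post's own code and does not use Django or DRF itself): `insecure_view` trusts the client's JSON flag, while `token_view` only trusts a key the server minted and stored. The in-memory `TOKENS` table, the one-hour lifetime and the 40-hex-character key shape are assumptions that mimic what a DRF-style token table would hold.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Constructed in-memory token table standing in for the backend's database.
# Maps an opaque key -> {"user": username, "expires": aware datetime}.
TOKENS = {}


def issue_token(username, lifetime_seconds=3600):
    """Server side: mint a random, unguessable key after a successful login.

    The client never chooses this value; it can only present it back later.
    """
    key = secrets.token_hex(20)  # 40 hex chars, the same shape as a DRF Token key
    TOKENS[key] = {
        "user": username,
        "expires": datetime.now(timezone.utc) + timedelta(seconds=lifetime_seconds),
    }
    return key


def insecure_view(request_json):
    """The anti-pattern from the post: believing a flag the client sent as JSON."""
    if request_json.get("is_authenticated") is True:
        return 200, "doors open"
    return 401, "denied"


def token_view(headers):
    """Identity is derived only from the server-side table, never from the body.

    Expects the DRF-style header 'Authorization: Token <key>'.
    """
    scheme, _, key = headers.get("Authorization", "").partition(" ")
    if scheme != "Token" or not key:
        return 401, "denied"
    entry = TOKENS.get(key)  # server-side lookup, equivalent to a DB query
    if entry is None:
        return 401, "denied"
    if datetime.now(timezone.utc) >= entry["expires"]:
        return 401, "token expired"
    return 200, f"hello {entry['user']}"
```

Run the forged flag through both views: `insecure_view({"is_authenticated": True})` lets the caller in, while `token_view` with a made-up key, the wrong scheme, or an expired key is refused and only a key returned by `issue_token` succeeds.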
