 

Authentication for a web and mobile app over a RESTful web service built on Django

I'm developing a solution for my company with the following architecture: a RESTful web service built on Django which provides the authentication and persistence layer to both a web client app and a mobile client app (which is written using PhoneGap).

We have been looking all over the internet for authentication methods on the client side that support both a web and a mobile client app, and from what we have found (which is very poor) we are thinking about generating an API key for each user logged in from the mobile client app and saving this API key in the local storage of the device; and, in the web client, using traditional cookie session management, including a CSRF token in POST, PUT, and DELETE requests.

We'd like to know what the best practices for authentication methods are, and whether this approach is good enough. Are there any other methods to deal with authentication? Which one is the best?

We are trying to avoid using OAuth, since it adds complexity to our development.

We have already checked this question, but its answers have not been of much help to us, since we are using PhoneGap and have the architecture mentioned above.

Thanks for your help!

asked Aug 30 '12 22:08 by Throoze


1 Answer

If you really, really, really want to create your own solution, here is my old bad solution from before OAuth times.

  1. Create a view which returns some key after a successful login with username/password and adds the generated access_key to the db
  2. Check the key in the request => if it exists in the db => login

    #view
    import secrets
    from django.contrib.auth import authenticate, login
    from django.http import JsonResponse
    # UserAuth is the answer's own model: a ForeignKey/OneToOne `user` plus a `access_key` field
    from .models import UserAuth

    def get_my_token(request, username, password):
        user = authenticate(username=username, password=password)
        if user is None:
            return JsonResponse({'error': 'invalid credentials'}, status=401)
        login(request, user)
        # first check whether this user already has an access_key
        try:
            return JsonResponse({'access_key': UserAuth.objects.get(user=user).access_key})
        except UserAuth.DoesNotExist:
            pass
        # otherwise generate an unguessable random key (secrets is the stdlib CSPRNG helper)
        access_key = secrets.token_urlsafe(32)
        user_auth = UserAuth(user=user, access_key=access_key)
        user_auth.save()
        return JsonResponse({'access_key': access_key})
    

Now you can save the access_key somewhere and add it as the header 'access_key_or_any_other_name' to every call to the REST resources. Create an authentication middleware, not an auth backend.

    #auth_middleware
    from django.contrib.auth import login
    from django.utils.deprecation import MiddlewareMixin
    from .models import UserAuth

    class StupidNoAuthMid(MiddlewareMixin):
        def process_request(self, request):
            # Django exposes a request header "Access-Key-Or-Any-Other-Name"
            # in request.META as HTTP_ACCESS_KEY_OR_ANY_OTHER_NAME
            access_key = request.META.get('HTTP_ACCESS_KEY_OR_ANY_OTHER_NAME')
            if not access_key:
                return  # no key sent: fall through as an anonymous request
            try:
                user = UserAuth.objects.get(access_key=access_key).user
            except UserAuth.DoesNotExist:
                return  # unknown key: fall through as an anonymous request
            login(request, user)  # log the key's owner in for this request

You don't want to reinvent the wheel. Use OAuth; you can save the access_token for the future.

answered Sep 17 '22 04:09 by baklarz2048
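The answer sketches one half of what the question describes (a random per-user key issued at login and looked up on every request); the question pairs it with a cookie session plus a CSRF token for the browser client. The following is an added, framework-free Python example, not code from the question, the answer or Django, that implements both paths behind one `authenticate_request` check. The in-memory user, key and session tables, the header names (`X-Api-Key`, `X-CSRFToken`), the cookie name `sessionid` and the form field `csrfmiddlewaretoken` are all assumptions made for this example. It goes beyond the answer's sketch in three ways a practitioner would want: the server stores only a SHA-256 digest of the API key, keys expire, and the CSRF comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import time

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _hash_token(token):
    # Only a digest is stored, so a leaked key table does not hand out usable keys.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthService:
    """In-memory stand-in for the user table, key table and session store (constructed for this example)."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested without sleeping
        self.users = {}         # username -> (salt, pbkdf2 digest)
        self.api_keys = {}      # sha256(key) -> (username, expiry timestamp)
        self.sessions = {}      # session id -> {"user": username, "csrf": token}

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest)

    def check_password(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    # --- mobile client: API key sent in a request header ----------------------
    def issue_api_key(self, username, password, ttl=30 * 24 * 3600):
        """Login endpoint for the mobile app: returns a fresh random key, or None on bad credentials."""
        if not self.check_password(username, password):
            return None
        key = secrets.token_urlsafe(32)
        self.api_keys[_hash_token(key)] = (username, self.clock() + ttl)
        return key

    def revoke_api_key(self, key):
        self.api_keys.pop(_hash_token(key), None)

    # --- web client: session cookie plus CSRF token ---------------------------
    def open_session(self, username, password):
        """Login endpoint for the browser: returns (session id, csrf token), or None."""
        if not self.check_password(username, password):
            return None
        session_id = secrets.token_urlsafe(32)
        csrf = secrets.token_urlsafe(32)
        self.sessions[session_id] = {"user": username, "csrf": csrf}
        return session_id, csrf

    # --- the single check every REST resource runs ----------------------------
    def authenticate_request(self, method, headers, cookies, form):
        """Return the authenticated username, or None if the request must be rejected."""
        api_key = headers.get("X-Api-Key")
        if api_key is not None:
            entry = self.api_keys.get(_hash_token(api_key))
            if entry is None:
                return None
            username, expires = entry
            if self.clock() >= expires:
                self.api_keys.pop(_hash_token(api_key), None)
                return None
            # A cross-site form post cannot attach a custom header, so this
            # path needs no CSRF token: possession of the key is the proof.
            return username

        session = self.sessions.get(cookies.get("sessionid", ""))
        if session is None:
            return None
        if method.upper() in UNSAFE_METHODS:
            # Cookies are sent automatically by the browser, so state-changing
            # requests must also carry the per-session CSRF token.
            supplied = form.get("csrfmiddlewaretoken") or headers.get("X-CSRFToken") or ""
            if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
                return None
        return session["user"]
```

A request that carries neither a valid key nor a valid session yields `None`, which the resource treats as 401; a session-backed POST without the CSRF token also yields `None`, which is the case the question's "CSRF token in POST, PUT, and DELETE" requirement is meant to cover. Nothing in the header path consults cookies, so a browser that has both a session and a stray key cannot be confused into mixing the two.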