A complete Django authentication system with user registration, login, logout, and password reset functionality using session-based authentication.
- User Registration with validation
- User Login/Logout
- Password Reset via Email
- Session-based authentication
- Form validation and error handling
- Secure password reset with expiration links
- Python 3.x
- Django 4.x or higher
- Email backend configuration for password reset functionality
-
Clone the repository
git clone <your-repository-url> cd <project-directory>
-
Install dependencies
pip install django
-
Add the PasswordReset model to your
models.pyfrom django.db import models from django.contrib.auth.models import User import uuid class PasswordReset(models.Model): user = models.ForeignKey(User, on_delete=models.CASCADE) reset_id = models.UUIDField(default=uuid.uuid4, unique=True, editable=False) created_when = models.DateTimeField(auto_now_add=True) def __str__(self): return f"Password reset for {self.user.username} at {self.created_when}"
-
Configure email settings in
settings.pyEMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend' EMAIL_HOST = "smtp.gmail.com" EMAIL_PORT = 465 EMAIL_USE_SSL = True EMAIL_HOST_USER = "email@gmail.com" EMAIL_HOST_PASSWORD = "google app password"
-
Create and run migrations
python manage.py makemigrations python manage.py migrate
-
Start the development server
python manage.py runserver
your_app/
├── models.py # PasswordReset model
├── views.py # Authentication views
├── urls.py # URL patterns
└── templates/
├── index.html # Home page
├── register.html # Registration form
├── login.html # Login form
├── forgot_password.html # Forgot password form
├── password_reset_sent.html # Reset email sent confirmation
└── reset_password.html # Password reset form
class PasswordReset(models.Model): user = models.ForeignKey(User, on_delete=models.CASCADE) reset_id = models.UUIDField(default=uuid.uuid4, unique=True, editable=False) created_when = models.DateTimeField(auto_now_add=True)
- Links to Django's built-in User model
- Uses UUID for secure reset tokens
- Tracks creation time for expiration validation
urlpatterns = [ path('', views.home, name='home'), path('register/', views.registerView, name='register'), path('login/', views.loginView, name='login'), path('logout/', views.logoutView, name='logout'), path('forgot-password/', views.forgotPassword, name='forgot-password'), path('password-reset-sent/<str:reset_id>/', views.passwordResetSent, name='password-reset-sent'), path('reset-password/<str:reset_id>/', views.resetPassword, name='reset-password'), ]
@login_required def home(request): return render(request, 'index.html')
This view requires user authentication and serves as the main dashboard after login.
Process:
-
User fills out registration form with:
- First name
- Last name
- Username
- Password
- Confirm password
-
Server-side validation:
- Checks if username already exists
- Checks if email already exists
- Validates password length (minimum 8 characters)
- Confirms password match
-
On success:
- Creates new user account
- Redirects to login page with success message
-
On error:
- Displays appropriate error messages
- Redirects back to registration form
Code Implementation:
def registerView(request): if request.method == "POST": first_name = request.POST.get('first_name') last_name = request.POST.get('last_name') username = request.POST.get('username') email = request.POST.get('email') password = request.POST.get('password') confirm_password = request.POST.get('confirm_password') user_data_has_error = False # checking whether email and username are not being used if User.objects.filter(username=username).exists(): user_data_has_error = True messages.error(request, 'Username already exists') if User.objects.filter(email=email).exists(): user_data_has_error = True messages.error(request, 'Email already exists') if len(password) < 8: user_data_has_error = True messages.error(request, 'Password must be at least 8 characters') if (password != confirm_password): user_data_has_error = True messages.error(request, 'Passwords do not match') if not user_data_has_error: new_user = User.objects.create_user( first_name = first_name, last_name = last_name, email = email, username = username, password = password ) messages.success(request, 'Account created. Login now') return redirect('login') return redirect('register') return render(request, 'register.html')
Process:
- User enters username and password
- Django authenticates credentials using
authenticate() - On success:
- User session is created using
login() - Redirects to home page
- User session is created using
- On failure:
- Displays "Invalid username or password" error
- Redirects back to login form
Code Implementation:
def loginView(request): if request.method == "POST": # getting user inputs from frontend username = request.POST.get('username') password = request.POST.get('password') # authenticate credentials user = authenticate(request, username=username, password=password) if user is not None: login(request, user) return redirect('home') messages.error(request, 'Invalid username or password') return redirect('login') return render(request, 'login.html')
Process:
- Calls Django's
logout()function - Destroys user session
- Redirects to login page
Code Implementation:
def logoutView(request): logout(request) return redirect('login')
Process:
- User enters email address
- System checks if email exists in database
- If email exists:
- Creates new
PasswordResetinstance with unique UUID - Generates password reset URL
- Sends email with reset link
- Redirects to confirmation page
- Creates new
- If email doesn't exist:
- Shows error message
- Redirects back to forgot password form
Code Implementation:
def forgotPassword(request): if request.method == "POST": email = request.POST.get('email') # verify if email exists try: user = User.objects.get(email=email) # create a new reset id new_password_reset = PasswordReset(user=user) new_password_reset.save() # creating password reset url; password_reset_url = reverse('reset-password', kwargs={'reset_id': new_password_reset.reset_id}) full_password_reset_url = f'{request.scheme}://{request.get_host()}{password_reset_url}' # email content email_body = f'Reset your password using the link below:\n\n\n{full_password_reset_url}' email_message = EmailMessage( 'Reset your password', # email subject email_body, settings.EMAIL_HOST_USER, # email sender [email] # email receiver ) email_message.fail_silently = True email_message.send() return redirect('password-reset-sent', reset_id=new_password_reset.reset_id) except User.DoesNotExist: messages.error(request, f"No user with email '{email}' found") return redirect('forgot-password') return render(request, 'forgot_password.html')
Process:
- Validates that reset ID exists in database
- If valid: Shows confirmation page
- If invalid: Redirects to forgot password with error
Code Implementation:
def passwordResetSent(request, reset_id): if PasswordReset.objects.filter(reset_id=reset_id).exists(): return render(request, 'password_reset_sent.html') else: # redirect to forgot password page if code does not exist messages.error(request, 'Invalid reset id') return redirect('forgot-password')
Process:
- Validates reset ID exists
- User enters new password and confirmation
- Validation checks:
- Passwords match
- Password minimum length (8 characters)
- Reset link hasn't expired (10-minute window)
- On success:
- Updates user password using
set_password() - Deletes used reset token
- Redirects to login with success message
- Updates user password using
- On error:
- Shows appropriate error messages
- For expired links: deletes token and redirects to forgot password
Code Implementation:
def resetPassword(request, reset_id): try: password_reset_id = PasswordReset.objects.get(reset_id=reset_id) if request.method == 'POST': password = request.POST.get('password') confirm_password = request.POST.get('confirm_password') passwords_have_error = False if password != confirm_password: passwords_have_error = True messages.error(request, 'Passwords do not match') if len(password) < 8: passwords_have_error = True messages.error(request, 'Password must be at least 8 characters long') # check to make sure link has not expired expiration_time = password_reset_id.created_when + timezone.timedelta(minutes=10) if timezone.now() > expiration_time: passwords_have_error = True messages.error(request, 'Reset link has expired') # delete reset id since it has expired password_reset_id.delete() # reset password if not passwords_have_error: user = password_reset_id.user user.set_password(password) user.save() # delete reset id after use password_reset_id.delete() # redirect to login messages.success(request, 'Password reset. Proceed to login') return redirect('login') else: # redirect back to password reset page and display errors return redirect('reset-password', reset_id=reset_id) except PasswordReset.DoesNotExist: # redirect to forgot password page if code does not exist messages.error(request, 'Invalid reset id') return redirect('forgot-password') return render(request, 'reset_password.html')
- Unique UUID tokens: Each reset request generates a unique, non-guessable token
- Time-based expiration: Reset links expire after 10 minutes
- One-time use: Tokens are automatically deleted after successful password reset or when expired
- Email validation: Only registered email addresses can request resets
- Username uniqueness: Prevents duplicate usernames
- Email uniqueness: Prevents duplicate email addresses
- Password strength: Minimum 8-character requirement
- Password confirmation: Ensures passwords match
- Uses Django's built-in session framework
- Login required decorator protects authenticated routes
- Proper logout destroys sessions
Your templates should include the following forms:
<form method="POST"> {% csrf_token %} <input type="text" name="first_name" required> <input type="text" name="last_name" required> <input type="text" name="username" required> <input type="email" name="email" required> <input type="password" name="password" required> <input type="password" name="confirm_password" required> <button type="submit">Register</button> </form>
<form method="POST"> {% csrf_token %} <input type="text" name="username" required> <input type="password" name="password" required> <button type="submit">Login</button> </form>
<form method="POST"> {% csrf_token %} <input type="email" name="email" required> <button type="submit">Send Reset Link</button> </form>
<form method="POST"> {% csrf_token %} <input type="password" name="password" required> <input type="password" name="confirm_password" required> <button type="submit">Reset Password</button> </form>
The system includes comprehensive error handling:
- Form validation errors are displayed using Django messages framework
- Invalid reset tokens redirect to appropriate error pages
- Expired reset links are automatically cleaned up
- User-friendly error messages for all failure scenarios
from django.contrib.auth.decorators import login_required @login_required def protected_view(request): return render(request, 'protected.html')
{% if messages %}
{% for message in messages %}
<div class="alert alert-{{ message.tags }}">{{ message }}</div>
{% endfor %}
{% endif %}- Fork the repository
- Create your feature branch (
git checkout -b feature/AmazingFeature) - Commit your changes (
git commit -m 'Add some AmazingFeature') - Push to the branch (
git push origin feature/AmazingFeature) - Open a Pull Request
If you encounter any issues or have questions, please open an issue on GitHub.