payton / django-siwe-auth
A complete Django authentication system overhaul for Web3 utilizing Sign-In with Ethereum.
License: MIT License
In order to minimize the lift for new users to adopt the project, move documentation over to an external vendor.
Options:
I'm getting an error when I point at the goerli test network, which uses POA.
It's the same error as in this SO: https://stackoverflow.com/questions/70812529/the-field-extradata-is-97-bytes-but-should-be-32-it-is-quite-likely-that-you-a
And I think the fix would be the same, but I don't know (and haven't extensively tested) if geth_poa_middleware still works with the proof-of-work networks.
Excuse me, after the authentication is switched to django-siwe-auth, what should I do for the django admin login?
Currently, the Django admin login page defaults to password authentication. This is no longer plausible for key-pair authentication.
Issue identified in #15
Add to the utils package.
Create a custom decorator that allows for initialization of a new GroupManager instance with its own configuration.
Example:
from siwe_auth.custom_groups.erc721 import ERC20OwnerManager

@GroupManagerRestricted(ERC20OwnerManager(config={'contract': '0x1234'}))
def example_restricted_view(request):
    pass
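A sketch of how such a decorator could be built, as an added example that is not the project's own code: GroupManager, is_member, the ERC20OwnerManager stand-in and the request/user shape are assumptions modelled on this issue, and the guard denies by default (401 for an unauthenticated request, 403 for a non-member).

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Optional, Protocol


class GroupManager(Protocol):
    # Assumed interface: membership decided from an Ethereum address.
    def is_member(self, ethereum_address: str) -> bool: ...


class ERC20OwnerManager:
    """Stand-in for an owner manager: a member is any address holding a
    non-zero balance in the configured contract. Balances come from a
    constructed lookup table instead of an RPC call so this runs offline."""

    def __init__(self, config: dict, balances: dict):
        self.contract = config["contract"].lower()
        self._balances = {k.lower(): {a.lower(): b for a, b in v.items()}
                          for k, v in balances.items()}

    def is_member(self, ethereum_address: str) -> bool:
        holders = self._balances.get(self.contract, {})
        return holders.get(ethereum_address.lower(), 0) > 0


class GroupManagerRestricted:
    """View guard configured with its own GroupManager instance."""

    def __init__(self, manager: GroupManager):
        self.manager = manager

    def __call__(self, view: Callable) -> Callable:
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            user = getattr(request, "user", None)
            address = getattr(user, "ethereum_address", None)
            if not address:            # no authenticated wallet on the request
                return (401, "authentication required")
            if not self.manager.is_member(address):
                return (403, "not a member of the required group")
            return view(request, *args, **kwargs)
        return wrapped


# Constructed sample data: one holder of the hypothetical contract 0x1234.
HOLDINGS = {"0x1234": {"0xAbCd": 5}}


@dataclass
class FakeUser:
    ethereum_address: Optional[str]


@dataclass
class FakeRequest:
    user: Optional[FakeUser]


@GroupManagerRestricted(ERC20OwnerManager({"contract": "0x1234"}, HOLDINGS))
def example_restricted_view(request):
    return (200, "ok")
```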
When I'm logged in as a non-admin account, I get the message:
However, the non-admin user doesn't have the option to logout. (I had to manually delete the sessionid cookie in my browser.)
So, we should add the ability to log out on the admin page. I'm surprised that it didn't come along with the login.html form we modified?
Add configurable rate limiting on authentication endpoints to deter bad actors.
Django Ratelimit seems to be a good OOTB solution: https://django-ratelimit.readthedocs.io/en/stable/
Want to add this option, so that admins can also make users both admins and superusers. (Superusers have access to edit all table rows that have been configured in a project's admin.py files.)
python3 manage.py createsuperuser currently fails after inputting an Ethereum address with:
TypeError: __init__() missing 1 required positional argument: 'message'
In an ideal world, we no longer store passwords on the server side.
However, Django is a feature-full framework with plenty of valuable 3rd party applications. Many of these will depend on the base user model.
In order to maximize adoption, we should consider building an alternative user model that extends the base user. This would abstract the username/password fields such that:
username -> ethereum address
password -> non-usable password
This would not be the 'default', but it would be configurable.
Currently, GroupManager implementations require the is_member function to accept a string (ethereum_address) as input. This should be replaced with the Wallet user model.
This change will allow users to use the user_passes_test decorator and related mixin. Additionally, users will be able to implement GroupManager instances to take advantage of all core user model attributes along with any project-specific models that are one-to-one with users.
IPFS is slow. Cloudflare is fast(er). https://developers.cloudflare.com/web3/ipfs-gateway/reference/updating-for-ipfs/
Refactor existing time-based tests with FreezeGun for more consistent testing: https://github.com/spulec/freezegun
Create a new AdminSite instance that overrides the admin login view (linked below). This will allow the administrator view to also Sign-In with Ethereum instead of expecting a password (which is already set to a non-usable value).
https://docs.djangoproject.com/en/dev/ref/contrib/admin/#root-and-login-templates
Create a second example application with much simpler implementation.
This should just be a login screen and success screen.
The feature to detect an ENS name (as well as ERC721 membership) is great, but it'd be cool to have an option to disable ENS-checking so that the settings.PROVIDER settings can be optional. After all, the authentication doesn't need it! I think this'd help speed up users playing with the library too.
Currently, the GroupManager has implementations that go "one layer deep".
These OwnerManager implementations do the following:
I'd like to build out a second layer that instead takes a lambda as input to generalize step 2. This would then make the hierarchy look something like this:
This expression layer won't be advertised. It will allow new users to avoid any complexities by using the leaf layer while supporting experienced users who want to use all features this app provides.
The title says it all.
I noticed that when running yarn dev in examples/notepad/frontend it doesn't run, because the ../siwe directory is missing. I also noticed that siwe isn't added to packages.
Is this intentional? I was guessing that you have a local copy of siwe in examples/notepad/siwe.
So, in other Django plugins the migrations are generated and included in the source code, such as:
https://github.com/django/django/tree/main/django/contrib/auth/migrations
Not having it means that when I deploy, I need to run ./manage.py makemigrations and then ./manage.py migrate. The migration files I make in makemigrations are also transient, since they're just for an installed dependency.
ethereum/web3.py does not yet support the get_text function for ENS.
Pending ethereum/web3.py#2286
SIWE was initially included as a submodule to repurpose the frontend. Since then, we have diverged a lot. It would make more sense to remove the submodule, any backend references, and credit the SIWE repository in the example's README.
This will make the example much more understandable and remove unneeded code while still giving credit to the original repository.
Write unit tests for...
django-siwe-auth/siwe_auth/backend.py
Lines 28 to 39 in 12c6d95
django-siwe-auth/siwe_auth/models.py
Lines 74 to 79 in 12c6d95
django-siwe-auth/siwe_auth/views.py
Lines 53 to 68 in 12c6d95
This should redirect to the configured login endpoint, which is set at settings.LOGIN_URL.
Hiya, I don't know much about Django, but I think instead of managing nonces explicitly, they could be incorporated in sessions.