# Lab 9 

**Overview:** **In this lab we will be implementing our user authentication front and backend. This means allowing users to login and logout. We will also ensure that only logged in users can complete particular tasks.** 

**Problem:** Currently there is no login logic except for our admin page. Also currently any user can post a article. We need to ensure that only logged in users can post articles. 

**Solution:** Once again django comes to the rescue with an inbuilt authentication solution. We will be exploring this solution and modifying it to fit our needs.

## Step 1 Default Login Views 

**Overview:** As previously implemented with our register page, django has some pre-set views which we can access for our webpage. We will be accessing the views required for our authentication system and generate the required route. 

**A)** Go to your django project urls.py file. Do you remember what this file houses? 

Inside this file add the following import: 

In [None]:
from django.contrib.auth import views as auth_views 

**A)** Can anyone remember the significance of the 'as' keyword? 

**B)** Now add the following route's inside the array of paths. 

In [None]:
path('login/', auth_views.LoginView.as_view(), name='login'),
path('logout/', auth_views.LogoutView.as_view(), name='logout'),

**B)** Have you got any questions regarding this code? There should be at least 1. 

Note: This is the first time we encounter class based views. We will be using them more later down the line. For now refer the documentation for 2 mins to gather a quick understanding. 

https://docs.djangoproject.com/en/3.2/topics/class-based-views/

**C)** These class based views do not handle the templates. They must be created by us. If you query the login endpoint what can you spot (There are 2 key points which you should be able to spot)?   

**D)** Lets now pass the templates we want the endpoint to look at by passing the following code as an argument inside the as_view function. 

In [None]:
template_name = 'users/login.html'
template_name = 'users/logout.html' # These templates do not exit yet. We will be creating them in the next step. 

**D)** Now reload the webpage on the same endpoint. What do you notice has changed? 

## Step 2 Templates 

**Overview:** Now we must create the templates for out the login and logout page.

**A)** Based on what we have just discussed in the last step create the required files in the correct directory.

**B)** Copy and paste the following code inside the appropriate file.

In [None]:
{% extends "blog/base.html" %}
{% load crispy_forms_tags %}
{% block content %}
    <div class="content-section">
        <form method="POST">
            {% csrf_token %}
            <fieldset class="form-group">
                <legend class="border-bottom mb-4">Log In</legend>
                {{ form|crispy }}
            </fieldset>
            <div class="form-group">
                <button class="btn btn-outline-info" type="submit">Login</button>
            </div>
        </form>
        <div class="border-top pt-3">
            <small class="text-muted">
                Need An Account? <a class="ml-2" href="{% url 'register' %}">Sign Up Now</a>
            </small>
        </div>
    </div>
{% endblock content %}

**C)** Go through this code. What changes have been made from the register.html file. There are 5 key changes which you should be able to spot. Now explain why changing them was necessary. 

**D)** What do you think should now be changed in our register.html page based on what we just looked at? 

**E)** Do the same process (part b and C) above with this block of code. 

In [None]:
{% extends "blog/base.html" %}
{% block content %}
    <h2>You have been logged out</h2>
    <div class="border-top pt-3">
        <small class="text-muted">
            <a href="{% url 'login' %}">Log In Again</a>
        </small>
    </div>
{% endblock content %}

**F)** Now run your server and check test your login page. Test with users which do not exist and users which do. 

**G)** What happens when we signin using a user which exists? Why does this happen? How do you think we can solve this issue (Solving this issue is actually tricky I would not have been able to think of the solution if it wasn't for the videos. But give it a think anyway.)? 

**G)** The answer of solving this step will be under the Solutions tab. Refer to the appropriate index. **DO NOT LOOK AT ANSWERS BEFORE TELLING ME.** 

**H)** Now login using a user which has been registered. What do you notice now? 

**I)** Currently when a user successfully registers they are redirected to the home page. We want them to be redirected to the login page. Which file must be edited for this to occur? How must this file be edited? Is there a way to better tell the user what is happening? Which code needs to be changed to allow this to happen?  

**NOTE:** Once again the solution to this will be under the solutions tab. But i want you to think about these things first before just looking at the answers. **DO NOT LOOK AT ANSWERS BEFORE TELLING ME.** 

**J)** Now test the logout endpoint. 

## Step 3: Adapting NavBar

**Overview:** Currently our navbar stays the same even if someone is already logged in. We want to change the prompt to where if someone is logged in they will be prompted to log out instead. 

**A)** Inside your base.html page fill the missing urls for login and register. 

**B)** Underneath your div class='navbar-nav'. Replace the code with the following. 

**NOTE:** If they are logged in they don't need to login or make an account 
Django has a user variable called 'is authenticated' that allows us to check if a user is logged in or not. 

In [None]:
              {% if user.is_authenticated %}
                <a class="nav-item nav-link" href="{% url 'logout' %}">Logout</a>
              {% else %}
                <a class="nav-item nav-link" href="{% url 'login' %}">Login</a>
                <a class="nav-item nav-link" href="{% url 'register' %}">Register</a>
              {% endif %}

**C)** What do you think this code does? Lets test and see if it has worked. 

## Step 4: Restrictions  

**Overview:** Now we want to restrict users from accessing certain endpoint. For example only a logged in user can access the profiles endpoint (yet to be created). 

**A)** Inside your users/views.py insert the following code. 

In [None]:
def profile(request): 
  return render(request, 'users/profile.html')

**B)** Now create a profile.html file inside your users templates directory. 

**C)** Now create the route endpoint. 

**D)** Now add a link to this page on the navigation bar. 
NOTE: This link should only show IF the user is logged in.  

**E)** Now check what happens if you access the profile page while the user is not logged in. 

**F)** Django comes to the rescue once again with the auth.decorators libary. Go to your views.py and insert the following import.  




In [None]:
from django.contrib.auth.decorators import login_required

**G)** Now add the following decorator above the profile function:  

@login_required 

You are probably wondering what are decorators are. Watch the following link below: 

https://www.youtube.com/watch?v=MYAEv3JoenI

**G)** In this case django has created some logic that will ensure that the user can only access this endpoint if they are logged in. 

**H)** At the bottom of your settings page insert the following. 


In [None]:
LOGIN_URL = 'login' 

## Solutions: 

**Step 2 - Part D**: Let the href point to the login url by adding the following code inside the href tag. "{% url 'login' %}"

**Step 2 - Part G**: At the bottom of your settings file include the following code:  LOGIN_REDIRECT_URL = 'blog-home'

**Step 2 - Part I**: Replace your current users/views.py with this code. There will be comments highlighting the changes. 

In [None]:
def register(request):
    if request.method == 'POST':
        form = UserRegisterForm(request.POST)
        if form.is_valid():
            form.save()
            username = form.cleaned_data.get('username')
            messages.success(request, f'Your account has been created! You are now able to log in') #New message telling the user whats happening. 
            return redirect('login') #Redirect to the login page. 
    else:
        form = UserRegisterForm()
    return render(request, 'users/register.html', {'form': form})