# Django API Development & Deployment

## Session 5: User Authentication & Role-Based Access Control
* Django Authentication System
* Creating and managing user accounts
* Implementing login, logout, and password reset
* Role-Based Access Control
* User permissions & groups
* Restricting access using login_required and permission_required

### **Session-Based Authentication vs JWT-Based Authentication**

#### **Session-Based Authentication**

In session-based authentication, user login information is stored on the server side, and the client is given a **Session ID** as a reference to that stored data.

**Analogy:**  
Think of it like receiving only a **Ticket ID** for your flight — all your details are securely stored in the airline’s database.

**How it Works:**
1. The user logs in by sending credentials to the backend.
2. The backend verifies the credentials and creates a session, storing it in the server-side session store.
3. A unique **Session ID** is sent to the client as a cookie.
4. For every request, the browser sends this Session ID back to the server.
5. The server looks up the session to authenticate the user.

**Pros:**
- Easy to implement and widely supported.
- Session data is kept secure on the server.

**Cons:**
- Requires server-side storage (not ideal for large-scale systems).
- Doesn’t scale easily across distributed systems unless session sharing is configured.

#### **JWT-Based Authentication (JSON Web Tokens)**

JWTs are **stateless** and **self-contained** tokens that carry all necessary information about the user.

**Analogy:**  
It’s like receiving a **flight ticket with all your details printed and encoded on it** — no need to look it up in a database.

**How it Works:**
1. The user sends a login request.
2. The server verifies the credentials and issues a **JWT**, signed with a secret key.
3. The client receives the JWT and stores it (usually in a cookie or local storage).
4. For every request, the JWT is sent to the server.
5. The server verifies the signature and decodes the token to extract user data.

**Pros:**
- Stateless: no need for session storage, which simplifies horizontal scaling.
- Portable and widely used in modern APIs and microservices.

**Cons:**
- Cannot be easily invalidated before expiration (e.g., logout).
- Risk of **stale data** if user information changes after the token is issued.
- Larger payload size compared to session IDs, which may impact performance.

#### **So, which one is better?**

It depends on the needs of your application:

- Choose **Session-Based Authentication** for simpler, server-rendered apps or apps with centralized servers.
- Choose **JWT-Based Authentication** for **stateless APIs**, **mobile apps**, or **microservices** where scalability and portability are key.

**Pro Tip:**  
For many modern web applications, JWTs are preferred for APIs due to their stateless nature, but session-based auth can still be a solid choice when simplicity and tighter control over sessions are needed.


<img src="https://pbs.twimg.com/tweet_video_thumb/GNizd5KXkAAUkS8.jpg:large" width="750" align="center">

### Libraries installations

**pip install crispy-bootstrap5**

### Start a new project

**django-admin startproject auth_project**

**cd auth_project**

### Create new app

**python manage.py startapp accounts**

### Update settings.py

### Create Custom User Model (accounts/models.py)

### Create Initial Migration

**python manage.py makemigrations**

**python manage.py migrate**

### Update admin.py for User Management

### Create Forms (accounts/forms.py)

### Create Views (accounts/views.py)

### Create URLs (auth_project/urls.py)

### Create URLs (accounts/urls.py)

### Create Templates
#### Base Template (accounts/templates/accounts/base.html)

#### Home Page (accounts/templates/accounts/home.html)

#### Login Page (accounts/templates/registration/login.html)

#### Signup Page (accounts/templates/accounts/signup.html)

#### Profile Page (accounts/templates/accounts/profile.html)

#### Create Post Page (accounts/templates/accounts/create_post.html)

### Create the Migration File

**python manage.py makemigrations --empty accounts --name add_post_permission**

### Edit the Migration File

Open the newly created migration file (accounts/migrations/0002_add_post_permission.py) and modify it:

### Apply the migration

**python manage.py migrate**

### Create a Superuser

**python manage.py createsuperuser**

### Run the Project

**python manage.py runserver**

### Verification Steps

* Check in Admin Panel:
    * Go to /admin/auth/group/
        * Create a new group (e.g., "Editors")
            * You should see the "Can add post" permission available to assign

### Check in Shell:

**python manage.py shell**


**from django.contrib.auth.models import Permission**

**Permission.objects.filter(codename='add_post').exists()**  # Should return True

### Create test users

**from accounts.models import CustomUser**

**user1 = CustomUser.objects.create_user('staff_user', 'staff@test.com', 'testpass123', is_staff=True)**

**user2 = CustomUser.objects.create_user('regular_user', 'regular@test.com', 'testpass123')**

**user3 = CustomUser.objects.create_user('banned_user', 'banned@test.com', 'testpass123', is_banned=True)**