django-trench: Merixstudio’s open-source library for MFA

Multi-factor Authentication for safer apps

Let’s illustrate the idea. Simply speaking Multi-factor Authentication (MFA) is a method of confirming user’s identity in order to grant access after at least two sources of evidence being presented and verified successfully. 

Most broadly implemented form of MFA is a two-factor authentication (2FA). A core of this solution is a parallel implementation of two different factors. Three most common factors are categorized as something you know, something you have and something you are.

Let’s have a look at popular Google’s email service. Occasionally the platform would send you a short One Time Password (OTP) to your registered mobile number or email in order to process additional verification. In that case scenario, your Gmail credentials are something you know, while your mobile is something that you have. 

Software development with django-trench

Most of the Merixstudio ’s projects are powered with Django. The framework is known for taking security very seriously. We went one step further and spent last months developing an open-source library that enhances Django bulletproofing with easily pluggable multi-factor authentication features. 

An idea behind the project is to deliver a widely available application, which can be quickly installed into any Django app to provide out of a box two-step authentication functionality. django-trench is a result of the commitment of a team of six experienced Django developers. 

The core functionality of the library is sending out and verifying Time-based One-time Password, which can be delivered through one of three built-in backends or custom one added by any developer. Straight after installation, you can use email, SMS or one of third-party mobile apps available on the market (Google Authenticator, Authy etc.). In the recent release, we also added support for YubiKey. Installation is straightforward and simple and won’t be a challenge even for a developer taking first steps with Django. Default SMS backend uses Twilio services.

Bulletproof your Django app

A configuration scheme of the package allows a developer to define authentication backends which will be available for users in an application, but it’s user’s choice to set up and activate a specific method. A wide range of settings is available in order to fully customize the app. 

django-trench is fully compatible with the Django REST Framework (DRF) and comes with a set of endpoints which allows painless REST communication with a frontend app. It supports DRF built-in Token Authentication as well as well-accepted JSON Web Tokens. Being compatible with djoser package it provides a full set of endpoints to manage user accounts. 

Package’s architecture is based on pluggable backends and customizable handlers, so you can fairly easily add new features and channels of communication. 

Adding own authentication method step by step

To have a better understanding of the package functionalities you can play with an online demo of django-trench. For a quick overview check out provided url or register your own account for a better experience:

curl -X POST \
http://django-trench-backend.herokuapp.com/djoser/users/create/ \
-H 'Content-Type: application/json' \
-d '{
"email": "your email",
"username": "your username",
"password": "your password"
}'

The whole project, including the frontend wrapper, can be also run locally. Follow these steps to get the app deployed in your local environment.

Now, let me show you quickly how new authentication backend can be added. Make sure that you have checked off all the steps from installation guide and familiarize yourself with settings.

TRENCH_AUTH = {
...
'MFA_METHODS': {
'email': {
'VERBOSE_NAME': 'email',
'VALIDITY_PERIOD': 60 * 10,
'HANDLER': 'trench.backends.basic_mail.SendMailBackend',
'SOURCE_FIELD': 'email',
},
...,
},
}

MFA_METHODS field stores a list of authentication modules and its settings. HANDLER points out location of a necessary module. In the method specific field, you can add own setting, which will be accessible through conf parameter.

Let’s simply write a new backend, I’ll use SMS service as an example. Considering that we’re working on existing testproject, add a new module named backends inside testapp and create a file to place your code.

All that needs to be done is to write a class, which handles message dispatching. There is a built-in dispatcher, so we’re going to inherit from it.

from trench.backends import AbstractMessageDispatcher
from trench.settings import api_settings


class SMSBackend(AbstractMessageDispatcher):
def dispatch_message(self, *args, **kwargs):
...
return {'message', 'SMS with MFA code has been sent'}

To generate OTP code call a built-in function create_code, add SMS dispatching logic, and we’re almost there.

class SMSBackend(AbstractMessageDispatcher):
def dispatch_message(self, *args, **kwargs):
code = self.create_code()
self.send_sms(self.to, code)
return {'message', 'SMS with MFA code has been sent'}

def send_sms(self, recipient, code):
sms_gateway_token = self.conf.get('SMS_TOKEN')
# put your SMS dispatching logic here

 Last step is to review your Django project settings.

TRENCH_AUTH = {
'MFA_METHODS': {
'email': {
...
},
'sms': {
'VERBOSE_NAME': 'sms',
'VALIDITY_PERIOD': 60 * 10,
'HANDLER': 'testapp.backends.basic_sms.SMSBackend',
'SOURCE_FIELD': 'phone_number',
'SMS_TOKEN': 'token',
},
}
}

That’s it! Dive deeper into documentation to discover the full potential of the package. We’re still in early stage of development and would appreciate your feedback and contribution. Feel free to fork the repository and share your ideas with us. 

Like what our developers do? Join them and take part in awesome projects like this one!. We’re looking for software developers - check our job offers!