.. _hmac-workflow:
.. module:: registration.backends.hmac
The HMAC activation workflow
============================
The HMAC workflow, found in ``registration.backends.hmac``, implements
a two-step registration process (signup, followed by activation), but
unlike the older :ref:`model-based activation workflow
<model-workflow>` uses no models and does not store its activation
key; instead, the activation key sent to the user is a timestamped,
`HMAC
<https://en.wikipedia.org/wiki/Hash-based_message_authentication_code>`_-verified
value.
Unless you need to maintain compatibility in an existing install of
``django-registration`` which used the model-based workflow, it's
recommended you use the HMAC activation workflow for two-step signup
processes.
Behavior and configuration
--------------------------
Since this workflow does not make use of any additional models beyond
the user model (either Django's default
``django.contrib.auth.models.User``, or :ref:`a custom user model
<custom-user>`), *do not* add ``registration`` to your
``INSTALLED_APPS`` setting.
You will need to configure URLs, however. A default URLconf is
provided, which you can ``include()`` in your URL configuration; that
URLconf is ``registration.backends.hmac.urls``. For example, to place
user registration under the URL prefix ``/accounts/``, you could place
the following in your root URLconf:
.. code-block:: python
from django.conf.urls import include, url
urlpatterns = [
# Other URL patterns ...
url(r'^accounts/', include('registration.backends.hmac.urls')),
# More URL patterns ...
]
That URLconf also sets up the views from ``django.contrib.auth``
(login, logout, password reset, etc.), though if you want those views
at a different location, you can ``include()`` the URLconf
``registration.auth_urls`` to place only the ``django.contrib.auth``
views at a specific location in your URL hierarchy.
.. note:: **URL patterns for activation**
Although the actual value used in the activation key is the new
user account's username, the URL pattern for
:class:`~registration.views.backends.hmac.ActivationView` does not
need to match all possible legal characters in a username. The
activation key that will be sent to the user (and thus matched in
the URL) is produced by ``django.core.signing.dumps()``, which
base64-encodes its output. Thus, the only characters this pattern
needs to match are those from `the URL-safe base64 alphabet
<http://tools.ietf.org/html/rfc4648#section-5>`_, plus the colon
("``:``") which is used as a separator.
The default URL pattern for the activation view in
``registration.backends.hmac.urls`` handles this for you.
This workflow makes use of up to three settings:
* :data:`~django.conf.settings.ACCOUNT_ACTIVATION_DAYS`
* :data:`~django.conf.settings.REGISTRATION_OPEN`
* :data:`~django.conf.settings.REGISTRATION_SALT`
By default, this workflow uses
:class:`registration.forms.RegistrationForm` as its form class for
user registration; this can be overridden by passing the keyword
argument ``form_class`` to the registration view.
Views
-----
.. currentmodule:: registration.backends.hmac.views
Two views are provided to implement the signup/activation
process. These subclass :ref:`the base views of django-registration
<views>`, so anything that can be overridden/customized there can
equally be overridden/customized here. There are some additional
customization points specific to the HMAC implementation, which are
listed below.
For an overview of the templates used by these views (other than those
specified below), and their context variables, see :ref:`the quick
start guide <quickstart>`.
.. class:: RegistrationView
A subclass of :class:`registration.views.RegistrationView`
implementing the signup portion of this workflow.
Important customization points unique to this class are:
.. method:: create_inactive_user(form)
Creates and returns an inactive user account, and calls
:meth:`send_activation_email()` to send the email with the
activation key. The argument ``form`` is a valid registration
form instance passed from
:meth:`~registration.views.RegistrationView.register()`.
.. method:: get_activation_key(user)
Given an instance of the user model, generates and returns an
activation key (a string) for that user account.
.. method:: get_email_context(activation_key)
Returns a dictionary of values to be used as template context
when generating the activation email.
.. method:: send_activation_email(user)
Given an inactive user account, generates and sends the
activation email for that account.
.. attribute:: email_body_template
A string specifying the template to use for the body of the
activation email. Default is
``"registration/activation_email.txt"``.
.. attribute:: email_subject_template
A string specifying the template to use for the subject of the
activation email. Default is
``"registration/activation_email_subject.txt"``. Note that, to
avoid header-injection vulnerabilities, the result of rendering
this template will be forced into a single line of text,
stripping newline characters.
.. class:: ActivationView
A subclass of :class:`registration.views.ActivationView`
implementing the activation portion of this workflow.
Important customization points unique to this class are:
.. method:: get_user(username)
Given a username (determined by the activation key), look up and
return the corresponding instance of the user model. Returns
``None`` if no such instance exists. In the base implementation,
will include ``is_active=False`` in the query to avoid
re-activation of already-active accounts.
.. method:: validate_key(activation_key)
Given the activation key, verifies that it carries a valid
signature and a timestamp no older than the number of days
specified in the setting ``ACCOUNT_ACTIVATION_DAYS``, and
returns the username from the activation key. Returns ``None``
if the activation key has an invalid signature or if the
timestamp is too old.
How it works
------------
When a user signs up, the HMAC workflow creates a new ``User``
instance to represent the account, and sets the ``is_active`` field to
``False``. It then sends an email to the address provided during
signup, containing a link to activate the account. When the user
clicks the link, the activation view sets ``is_active`` to ``True``,
after which the user can log in.
The activation key is simply the username of the new account, signed
using `Django's cryptographic signing tools
<https://docs.djangoproject.com/en/stable/topics/signing/>`_
(specifically, ``signing.dumps()`` is used, to produce a
guaranteed-URL-safe value). The activation process includes
verification of the signature prior to activation, as well as
verifying that the user is activating within the permitted window (as
specified in the setting ``ACCOUNT_ACTIVATION_DAYS``, mentioned
above), through use of Django's ``TimestampSigner``.
Comparison to the model-activation workflow
-------------------------------------------
The primary advantage of the HMAC activation workflow is that it
requires no persistent storage of the activation key. However, this
means there is no longer an automated way to differentiate accounts
which have been purposefully deactivated (for example, as a way to ban
a user) from accounts which failed to activate within a specified
window. Additionally, it is possible a user could, if manually
deactivated, re-activate their account if still within the activation
window; for this reason, when using the ``is_active`` field to "ban" a
user, it is best to also set the user's password to an unusable value
(i.e., by calling `set_unusable_password()
<https://docs.djangoproject.com/en/stable/ref/contrib/auth/#django.contrib.auth.models.User.set_unusable_password>`_
for that user). Calling ``set_unusable_password()`` will also make it
easier to query for manually-deactivated users, as their passwords
will (when using Django's default ``User`` implementation) begin with
the exclamation mark (``!``) character.
Since the HMAC activation workflow does not use any models, it also
does not make use of the admin interface and thus does not offer a
convenient way to re-send an activation email. Users who have
difficulty receiving the activation email can simply be manually
activated by a site administrator.
However, the reduced overhead of not needing to store the activation
key makes this generally preferable to :ref:`the model-based workflow
<model-workflow>`.
Security considerations
-----------------------
The activation key emailed to the user in the HMAC activation workflow
is a value obtained by using Django's cryptographic signing tools.
In particular, the activation key is of the form::
encoded_username:timestamp:signature
Where ``encoded_username`` is the username of the new account,
(URL-safe) base64-encoded, ``timestamp`` is a base62-encoded timestamp
of the time the user registered, and ``signature`` is a (URL-safe)
base64-encoded HMAC of the username and timestamp.
Django's implementation uses the value of the ``SECRET_KEY`` setting
as the key for HMAC; additionally, it permits the specification of a
salt value which can be used to "namespace" different uses of HMAC
across a Django-powered site.
The HMAC activation workflow will use the value (a string) of the
setting :data:`~django.conf.settings.REGISTRATION_SALT` as the salt,
defaulting to the string ``"registration"`` if that setting is not
specified. This value does *not* need to be kept secret (only
``SECRET_KEY`` does); it serves only to ensure that other parts of a
site which also produce signed values from user input could not be
used as a way to generate activation keys for arbitrary usernames (and
vice-versa).
distrib
>
Mageia
>
7
>
armv7hl
>
media
>
core-release
>
by-pkgid
>
8dbf2600b2b2ab33f8e9cef1714346be
>
files
>
206
