Overview

Bar Galileo uses django-allauth for authentication, providing both traditional username/password login and Google OAuth integration.

Authentication Backend

AUTHENTICATION_BACKENDS = [
    'django.contrib.auth.backends.ModelBackend',
    'allauth.account.auth_backends.AuthenticationBackend',
]

Login Endpoints

Standard Login

POST /accounts/login/

Authenticate with username and password
Endpoint: POST /accounts/login/
Parameters:
  • login (string, required) - Username or email address
  • password (string, required) - User password
  • remember (boolean) - Remember this device (extends session)
  • csrfmiddlewaretoken (string, required) - CSRF token from the login form

Example Request

curl -X POST https://your-domain.com/accounts/login/ \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "login=USERNAME_OR_EMAIL" \
  -d "password=securepass123" \
  -d "remember=on" \
  -d "csrfmiddlewaretoken=TOKEN"

Response

On successful login, redirects to LOGIN_REDIRECT_URL (default: /)
{
  "redirect": "/"
}

Google OAuth Login

GET /accounts/google/login/

Authenticate using Google OAuth
Endpoint: GET /accounts/google/login/
Initiates the OAuth flow with Google. Configuration in bar_galileo/settings.py:215:
SOCIALACCOUNT_PROVIDERS = {
    'google': {
        'SCOPE': ['profile', 'email'],
        'AUTH_PARAMS': {'access_type': 'online'},
        'OAUTH_PKCE_ENABLED': True,
    }
}

OAuth Flow

  1. User clicks “Login with Google”
  2. Redirected to Google consent screen
  3. Google redirects back to /accounts/google/login/callback/
  4. Session created, user logged in
Requires Google OAuth credentials configured in Django admin under Social Applications.
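The settings above enable PKCE (OAUTH_PKCE_ENABLED). PKCE is what stops an intercepted authorization code from being redeemed by anyone other than the client that started the flow in step 1. The following is an added example (not code from Bar Galileo or django-allauth) showing the RFC 7636 S256 round trip: the client derives a challenge from a random verifier, sends the challenge with the authorize request, and later proves possession of the verifier at the token endpoint. The simulate_flow function and its parameter names are illustrative; the test vector is the one from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636, S256 method) round trip: client side and server-side check."""
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    # RFC 7636 uses base64url encoding with the '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes encode to 43 characters, the minimum length the RFC allows
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server side: recompute the challenge from the verifier presented
    with the code and compare it in constant time to the one stored at authorize time."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def simulate_flow() -> tuple:
    """Illustrative flow: returns (honest client accepted, wrong verifier rejected)."""
    # Step 1/2: client generates a verifier, sends only the challenge to the consent screen
    verifier = make_code_verifier()
    authorize_params = {
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    # Step 3/4: the callback presents the code plus the original verifier at the token endpoint
    honest = verify_pkce(authorize_params["code_challenge"], verifier)
    # A party holding only the intercepted code cannot produce the matching verifier
    stolen_code_only = verify_pkce(authorize_params["code_challenge"], make_code_verifier())
    return honest, stolen_code_only


if __name__ == "__main__":
    print(simulate_flow())  # (True, False)
```

The verifier is stored only on the client side (in the session for a server-side web app such as this one), so the callback in step 3 is the only place it is ever sent, and then only over TLS to the token endpoint.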

Logout

POST /accounts/logout/

End the current user session
Endpoint: POST /accounts/logout/
curl -X POST https://your-domain.com/accounts/logout/ \
  -H "Cookie: sessionid=YOUR_SESSION_ID" \
  -H "X-CSRFToken: YOUR_CSRF_TOKEN"

Session Management

Login Configuration

LOGIN_URL = '/accounts/login/'  # Redirect destination for @login_required
LOGIN_REDIRECT_URL = '/'        # Redirect after successful login

Session Cookies

Bar Galileo uses Django’s session framework:
Cookie      Description
sessionid   Session identifier (httponly)
csrftoken   CSRF protection token

Production Security Settings

if not DEBUG:
    SECURE_SSL_REDIRECT = True
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True
    SECURE_HSTS_SECONDS = 31536000
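Because these flags only take effect when DEBUG is False, a deployment that ships with DEBUG=True silently loses all of them. The function below is an added example (not part of Bar Galileo) that audits a settings mapping against the hardening above plus Django's related cookie defaults; the two settings dicts are constructed for the demonstration, and DJANGO_DEFAULTS mirrors Django's documented defaults for the listed keys.

```python
"""Audit a Django settings mapping for the production hardening flags."""

# Django's defaults for the keys we check (used when a project does not set them)
DJANGO_DEFAULTS = {
    "DEBUG": False,
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "SECURE_HSTS_SECONDS": 0,
    "ALLOWED_HOSTS": [],
}
ONE_YEAR = 31536000  # the HSTS max-age used in the settings block above


def audit_settings(settings: dict) -> list:
    """Return a list of findings; an empty list means the mapping passes."""
    cfg = {**DJANGO_DEFAULTS, **settings}
    findings = []
    if cfg["DEBUG"]:
        findings.append("DEBUG is True: error pages expose tracebacks and settings")
    for flag in ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE",
                 "CSRF_COOKIE_SECURE", "SESSION_COOKIE_HTTPONLY"):
        if not cfg[flag]:
            findings.append(f"{flag} is not enabled")
    if cfg["SECURE_HSTS_SECONDS"] < ONE_YEAR:
        findings.append("SECURE_HSTS_SECONDS is below one year")
    if cfg["SESSION_COOKIE_SAMESITE"] is None:
        findings.append("SESSION_COOKIE_SAMESITE is None: session cookie sent cross-site")
    if "*" in cfg["ALLOWED_HOSTS"]:
        findings.append("ALLOWED_HOSTS contains '*': Host header is not validated")
    return findings


# Constructed sample: a developer box left in debug mode
DEV_SETTINGS = {"DEBUG": True, "ALLOWED_HOSTS": ["*"]}

# Constructed sample: the production block from the page, with DEBUG off
PROD_SETTINGS = {
    "DEBUG": False,
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": ONE_YEAR,
    "ALLOWED_HOSTS": ["bar-galileo.example"],
}

if __name__ == "__main__":
    for name, cfg in (("dev", DEV_SETTINGS), ("prod", PROD_SETTINGS)):
        print(name, audit_settings(cfg) or "OK")
```

Run it against the real module with `audit_settings(vars(django.conf.settings._wrapped))` from a `manage.py shell`, or wire it into a deployment check; Django's own `manage.py check --deploy` covers similar ground and is worth running alongside.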

Email Management

Add Email Address

POST /accounts/email/

Add or manage email addresses for the account
Endpoint: POST /accounts/email/
Parameters:
  • action (string, required) - Action to perform: add, remove, or primary
  • email (string, required) - Email address
  • captcha_0 (string, required) - CAPTCHA challenge ID
  • captcha_1 (string, required) - CAPTCHA answer (math problem solution)
Implemented in accounts/views.py:4 as CustomEmailView.

Example Request

curl -X POST https://your-domain.com/accounts/email/ \
  -H "Cookie: sessionid=SESSION_ID" \
  -H "X-CSRFToken: CSRF_TOKEN" \
  -d "action=add" \
  -d "email=NEW_EMAIL_ADDRESS" \
  -d "captcha_0=abc123" \
  -d "captcha_1=42"

Protected Routes

Login Required Decorator

Many views require authentication using Django’s LoginRequiredMixin:
from django.contrib.auth.mixins import LoginRequiredMixin

class UploadDocumentView(LoginRequiredMixin, View):
    def post(self, request):
        # User must be authenticated
        ...

User Object

Authenticated requests have access to request.user:
if request.user.is_authenticated:
    user_id = request.user.id
    username = request.user.username
    email = request.user.email

CAPTCHA Protection

Certain endpoints (email changes, registration) require CAPTCHA validation using django-simple-captcha.
Configuration in bar_galileo/settings.py:275:
CAPTCHA_LENGTH = 1  # Simple math problem
CAPTCHA_IMAGE_SIZE = (225, 75)
CAPTCHA_FONT_SIZE = 40
CAPTCHA Endpoints:
  • GET /captcha/image/<key>/ - Retrieve CAPTCHA image
  • GET /captcha/audio/<key>/ - Audio CAPTCHA (requires Flite)

Custom Forms

Bar Galileo uses custom authentication forms:
ACCOUNT_FORMS = {
    'login': 'accounts.forms.CustomLoginForm',
    'add_email': 'accounts.forms.CustomAddEmailForm',
}
See accounts/forms.py for implementation details.

Permission Middleware

Custom permission checking via roles.middleware.PermissionMiddleware at bar_galileo/settings.py:94. This middleware validates user permissions based on their assigned roles before processing requests.
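The page does not show the body of roles.middleware.PermissionMiddleware, so the following is an added example of the pattern in Django's middleware shape (a callable constructed with get_response), not the project's own implementation. The route-to-role map, the request, user and response classes, and the /chat/, /documents/upload/ and /admin-reports/ prefixes are constructed stand-ins so it runs without Django; the error bodies match the 401 and 403 responses documented below.

```python
"""Role-based permission middleware: longest matching route prefix decides the required roles."""
import json
from dataclasses import dataclass, field


@dataclass
class User:  # stand-in for request.user
    username: str = ""
    roles: frozenset = frozenset()
    is_authenticated: bool = False


@dataclass
class Request:  # stand-in for HttpRequest
    path: str
    user: User = field(default_factory=User)


@dataclass
class Response:  # stand-in for HttpResponse
    status_code: int
    body: str = ""


# Hypothetical route map: a path needs at least one of the listed roles.
# Paths not listed here are left to the view's own checks (e.g. LoginRequiredMixin).
ROUTE_ROLES = {
    "/chat/": {"member", "staff", "admin"},
    "/documents/upload/": {"staff", "admin"},
    "/admin-reports/": {"admin"},
}


def error(status: int, detail: str) -> Response:
    return Response(status, json.dumps({"detail": detail}))


class PermissionMiddleware:
    def __init__(self, get_response, route_roles=ROUTE_ROLES):
        self.get_response = get_response
        # Longest prefix first so /documents/upload/ wins over a shorter /documents/ rule
        self.route_roles = sorted(route_roles.items(), key=lambda kv: -len(kv[0]))

    def required_roles(self, path: str):
        for prefix, roles in self.route_roles:
            if path.startswith(prefix):
                return roles
        return None

    def __call__(self, request: Request) -> Response:
        required = self.required_roles(request.path)
        if required is None:
            return self.get_response(request)
        if not request.user.is_authenticated:
            return error(401, "Authentication credentials were not provided.")
        if request.user.roles.isdisjoint(required):
            return error(403, "You do not have permission to perform this action.")
        return self.get_response(request)


def status_for(path: str, user: User = None) -> int:
    """Run one request through the middleware in front of a view that always returns 200."""
    app = PermissionMiddleware(lambda req: Response(200, "ok"))
    return app(Request(path, user or User())).status_code


if __name__ == "__main__":
    staff = User("bob", frozenset({"staff"}), is_authenticated=True)
    print(status_for("/accounts/login/"), status_for("/chat/"),
          status_for("/admin-reports/", staff), status_for("/documents/upload/", staff))
```

Two points matter in a real deployment: the middleware must sit after AuthenticationMiddleware in MIDDLEWARE so request.user is populated, and roles should be read from the database-backed role assignment rather than from anything the client sends.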

Error Responses

Unauthorized (401)

{
  "detail": "Authentication credentials were not provided."
}

Forbidden (403)

{
  "detail": "You do not have permission to perform this action."
}

Best Practices

  • Always use HTTPS in production
  • Store session cookies securely
  • Implement rate limiting for login attempts
  • Use strong password policies
  • Enable two-factor authentication (not currently implemented)
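The rate-limiting item above is the one on this list that the documented configuration does not yet provide, so here is an added example (not Bar Galileo code) of a small sliding-window limiter for the login endpoint. It counts failed attempts per normalized account name and per client IP, so both a single-account brute force and a password spray from one address are slowed, and it clears only the account counter on success so a spraying client stays limited. The FakeClock, the user table and the IP address are constructed for the demonstration; in a multi-process deployment the counters would live in the cache backend rather than in memory.

```python
"""Sliding-window login rate limiter keyed by account and by client IP."""
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable so tests can move time forward
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    @staticmethod
    def _keys(login: str, ip: str):
        # Normalize the login so "Alice" and "alice " count against the same bucket
        return (f"user:{login.strip().lower()}", f"ip:{ip}")

    def _prune(self, key: str, now: float) -> deque:
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, login: str, ip: str) -> bool:
        now = self.clock()
        return any(len(self._prune(k, now)) >= self.max_failures
                   for k in self._keys(login, ip))

    def record_failure(self, login: str, ip: str) -> None:
        now = self.clock()
        for k in self._keys(login, ip):
            self._prune(k, now).append(now)

    def record_success(self, login: str, ip: str) -> None:
        # Reset the account bucket only; the IP bucket keeps counting across accounts
        self._failures.pop(self._keys(login, ip)[0], None)


def attempt_login(limiter: LoginRateLimiter, check_password, login: str, password: str, ip: str) -> str:
    """Returns 'rate_limited', 'invalid' or 'ok'. The limit is checked before the password
    so a blocked bucket never leaks whether the credentials were right."""
    if limiter.is_blocked(login, ip):
        return "rate_limited"
    if check_password(login, password):
        limiter.record_success(login, ip)
        return "ok"
    limiter.record_failure(login, ip)
    return "invalid"


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


CONSTRUCTED_USERS = {"alice": "correct horse battery staple"}  # constructed sample


def demo() -> list:
    clock = FakeClock()
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60, clock=clock)
    check = lambda u, p: CONSTRUCTED_USERS.get(u) == p
    ip = "203.0.113.9"  # documentation address
    results = [attempt_login(limiter, check, "alice", "wrong", ip) for _ in range(4)]
    # Even the right password is refused while the bucket is full
    results.append(attempt_login(limiter, check, "alice", "correct horse battery staple", ip))
    clock.t += 61  # window expires
    results.append(attempt_login(limiter, check, "alice", "correct horse battery staple", ip))
    return results


if __name__ == "__main__":
    print(demo())
```

Wire it in at the form level (the page's CustomLoginForm is the natural place) and return the same generic error for rate-limited and invalid attempts so the endpoint does not reveal which accounts exist.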

Next Steps

RAG Chat API

Explore authenticated RAG endpoints

API Overview

Return to API overview