Frequent questions#
How do I understand why a token is invalid?#
Enable debug logs by setting the sesame
logger to the DEBUG
level.
import logging
logger = logging.getLogger("sesame")
logger.setLevel(logging.DEBUG)
logger.addHandler(logging.StreamHandler())
Then you should get a hint in logs.
Depending on how logging is set up in your project, there may by another way to enable this configuration.
Why does upgrading Django invalidate tokens?#
As a security measure, django-sesame invalidates tokens when users change their password.
Each release of Django increases the work factor of password hashers. After deploying a new version of Django, when a user logs in with their password, Django upgrades the password hash.
From the perspective of django-sesame, this is indistinguishable from changing their password.
Indeed, by design, django-sesame relies exclusively on data available in the
user model: pk
, password
(hashed), and last_login
. When password
changes, django-sesame cannot tell if the password was changed or if the hash
was upgraded.
That’s how tokens become invalid.
This problem occurs only when a user logs in alternatively with a long-lived token and with a password. If you’re in this situation, you should regenerate and redistribute tokens after upgrading Django.
Alternatively, you may set SESAME_INVALIDATE_ON_PASSWORD_CHANGE
to
False
to disable token invalidation on password change. Think through
security ramifications before doing this, especially if tokens are long lived.
Why do all tokens start with AAAA…?#
This is the Base64 encoding of an integer storing a small value.
By default, Django uses integers as primary keys for users, starting from 1. These primary keys are included in tokens, which are encoded with Base64.
When the primary key of the user model is an
AutoField
, as long as you have less that one million
users, all tokens start with AA.
Why do one-time tokens sent by email fail?#
Email providers may fetch links found emails to provide previews or for security purposes. If the link contains a one-time token, this will invalidate the token.
To avoid this, you can configure a short SESAME_MAX_AGE
instead of
enabling SESAME_ONE_TIME
.
Is django-sesame usable without passwords?#
Yes, it is.
You should call set_unusable_password()
when you create users.
Is django-sesame compatible with custom user models?#
Yes, it is.
It requires password
and last_login
fields. These are provided by
AbstractBaseUser
, the recommended base
class for custom user models.
Is django-sesame compatible with Django REST framework?#
Yes, it is.
However, you should favor Django REST framework’s built-in
TokenAuthentication
or recommended alternatives.