Skip to content

Authentication

Overview

SpeedPy uses django-allauth for authentication. It's configured for email-based login (no usernames) with mandatory email verification.

Configuration

Key settings in project/settings.py:

ACCOUNT_LOGIN_METHODS = {"email"}
ACCOUNT_SIGNUP_FIELDS = ["email*", "password1*"]
ACCOUNT_USER_MODEL_USERNAME_FIELD = None
ACCOUNT_EMAIL_VERIFICATION = "mandatory"
ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = False
ACCOUNT_ADAPTER = "usermodel.adapters.CustomAccountAdapter"
LOGIN_REDIRECT_URL = reverse_lazy("dashboard")

Authentication backends:

AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",       # Django admin
    "allauth.account.auth_backends.AuthenticationBackend",  # allauth
]

Social Authentication

SpeedPy comes with three social auth providers pre-installed:

  • GitHuballauth.socialaccount.providers.github
  • Googleallauth.socialaccount.providers.google
  • GitLaballauth.socialaccount.providers.gitlab

To enable a provider, add its credentials in the Django admin under Social Applications.

To add more providers, install the relevant allauth provider package and add it to INSTALLED_APPS.

Custom Forms

All auth forms are customized with Crispy Forms + Tailwind styling. They're registered in ACCOUNT_FORMS:

ACCOUNT_FORMS = {
    "signup": "usermodel.forms.UsermodelSignupForm",
    "login": "usermodel.forms.UsermodelLoginForm",
    "reset_password": "usermodel.forms.UsermodelResetPasswordForm",
    "reset_password_from_key": "usermodel.forms.UsermodelResetPasswordKeyForm",
    "change_password": "usermodel.forms.UsermodelChangePasswordForm",
    "add_email": "usermodel.forms.UsermodelAddEmailForm",
}

Each form uses FormHelper with a Layout for consistent Tailwind styling.

Signup with TOS & Privacy Policy

The signup form includes optional Terms of Service and Privacy Policy checkboxes, controlled by settings:

REQUIRE_TOS_ACCEPTANCE = True
REQUIRE_DPA_ACCEPTANCE = True
TOS_LINK = env("TOS_LINK", default="/")
DPA_LINK = env("DPA_LINK", default="/")

When enabled, users must check these boxes to complete registration.

Custom Account Adapter

The CustomAccountAdapter in usermodel/adapters.py adds two features:

  1. Suppresses "account already exists" emails — a common anti-pattern that leaks information about registered users.
  2. OTP integration — if a user has two-factor authentication enabled, the adapter redirects to the OTP verification page instead of completing login immediately. This works for both email/password and social logins.

Personal Access Token (PAT) Creation

PAT creation at /accounts/tokens/create/ enforces two security gates:

  1. Verified email — the user must have a verified primary email address. If not, they are redirected to the email management page.
  2. Recent reauthentication — the user must have authenticated recently (within allauth's ACCOUNT_REAUTHENTICATION_TIMEOUT, default 300 seconds). If not, they are redirected to /accounts/reauthenticate/ and returned after completing the challenge. When MFA is enabled, the reauthentication flow requires the stronger factor (TOTP).

Both gates can be disabled via settings — see Security for details.

User Profile

A profile edit view is available at /accounts/profile/ using UserProfileForm, which allows editing first_name and last_name.