Authentication
Overview¶
SpeedPy uses django-allauth for authentication. It's configured for email-based login (no usernames) with mandatory email verification.
Configuration¶
Key settings in project/settings.py:
ACCOUNT_LOGIN_METHODS = {"email"}
ACCOUNT_SIGNUP_FIELDS = ["email*", "password1*"]
ACCOUNT_USER_MODEL_USERNAME_FIELD = None
ACCOUNT_EMAIL_VERIFICATION = "mandatory"
ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = False
ACCOUNT_ADAPTER = "usermodel.adapters.CustomAccountAdapter"
LOGIN_REDIRECT_URL = reverse_lazy("dashboard")
Authentication backends:
AUTHENTICATION_BACKENDS = [
"django.contrib.auth.backends.ModelBackend", # Django admin
"allauth.account.auth_backends.AuthenticationBackend", # allauth
]
Social Authentication¶
SpeedPy comes with three social auth providers pre-installed:
- GitHub —
allauth.socialaccount.providers.github - Google —
allauth.socialaccount.providers.google - GitLab —
allauth.socialaccount.providers.gitlab
To enable a provider, add its credentials in the Django admin under Social Applications.
To add more providers, install the relevant allauth provider package and add it to INSTALLED_APPS.
Custom Forms¶
All auth forms are customized with Crispy Forms + Tailwind styling. They're registered in ACCOUNT_FORMS:
ACCOUNT_FORMS = {
"signup": "usermodel.forms.UsermodelSignupForm",
"login": "usermodel.forms.UsermodelLoginForm",
"reset_password": "usermodel.forms.UsermodelResetPasswordForm",
"reset_password_from_key": "usermodel.forms.UsermodelResetPasswordKeyForm",
"change_password": "usermodel.forms.UsermodelChangePasswordForm",
"add_email": "usermodel.forms.UsermodelAddEmailForm",
}
Each form uses FormHelper with a Layout for consistent Tailwind styling.
Signup with TOS & Privacy Policy¶
The signup form includes optional Terms of Service and Privacy Policy checkboxes, controlled by settings:
REQUIRE_TOS_ACCEPTANCE = True
REQUIRE_DPA_ACCEPTANCE = True
TOS_LINK = env("TOS_LINK", default="/")
DPA_LINK = env("DPA_LINK", default="/")
When enabled, users must check these boxes to complete registration.
Custom Account Adapter¶
The CustomAccountAdapter in usermodel/adapters.py adds two features:
- Suppresses "account already exists" emails — a common anti-pattern that leaks information about registered users.
- OTP integration — if a user has two-factor authentication enabled, the adapter redirects to the OTP verification page instead of completing login immediately. This works for both email/password and social logins.
Personal Access Token (PAT) Creation¶
PAT creation at /accounts/tokens/create/ enforces two security gates:
- Verified email — the user must have a verified primary email address. If not, they are redirected to the email management page.
- Recent reauthentication — the user must have authenticated recently (within allauth's
ACCOUNT_REAUTHENTICATION_TIMEOUT, default 300 seconds). If not, they are redirected to/accounts/reauthenticate/and returned after completing the challenge. When MFA is enabled, the reauthentication flow requires the stronger factor (TOTP).
Both gates can be disabled via settings — see Security for details.
User Profile¶
A profile edit view is available at /accounts/profile/ using UserProfileForm, which allows editing first_name and last_name.