This is a re-post of my stack overflow question here http://stackoverflow.com/questions/4939908/how-should-i-properly-impliment-https-auth-remote-auth-in-django
Hi, I am in the planning phase of a new project. I want to be able to control multiple relays from my Android-powered phone over the internet. I need to use an HTTP-based server as a middleman between the phone and the relays. Django is my preferred platform because Python is my strongest skill set. This would not be a "web app" (with the exception of the admin interface for managing the users and their access to the relays). Rather, the server would simply provide an API in the form of HTTPS requests and JSON encoding. Though, I should note that I have never done any web development in my life, so I don't know best practices (yet).

The authentication method should meet the following criteria:

- Works over HTTPS (self-signed SSL)
- Provides multi-factor authentication (in the form of something you have and something you know)
- Is reasonably secure (would be very difficult to fool, guess at, or otherwise bypass)
- Is simple to implement for the server operator and the end user on the mobile client
- Is lightweight in terms of both CPU cycles and bandwidth

I plan to use the following scheme to solve this:

1. An administrator logs into the web interface, creates a user, and sets up his/her permissions (including a username and a password chosen by the user).
2. The user starts the client, selects "add server", and enters the server URL and his/her credentials.
3. The client attempts to authenticate the user via HTTP auth (over SSL). If the authentication is successful, the server generates an API key in the form of a UUID and sends it to the client. The client saves this key and uses it in all API calls over HTTPS. HTTP auth is only used for the initial authentication process prior to receiving a key, as a session scheme would not be necessary for this application. Right? The client will only work if the phone is configured to automatically lock with a PIN or pattern after a short timeout.

The server will only allow one key to be generated per user, unless an administrator resets the key. Hence: simple, mobile, multi-factor authentication. Is this sound from a security standpoint?

Also, can anyone point me to an example of how to use the HTTP auth that is built into Django? From a Google search, I can find a lot of snippets which hack the feature together. But none of them implement HTTP auth in the way it was added to Django in 1.1 (http://code.djangoproject.com/ticket/689). The official documentation for REMOTE_AUTH can be found here (http://docs.djangoproject.com/en/1.2/howto/auth-remote-user/), but I am having difficulty understanding the documentation as I am very new to Django.
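As an added example (not from the original post, and not Django's own HTTP-auth or REMOTE_USER code), here is the scheme above modelled in plain Python so it runs stand-alone: one HTTP Basic exchange over TLS to obtain a single per-user UUID key, then the key on every later call, with an admin-only reset. The KeyServer class, its in-memory dicts, PBKDF2 password storage and the basic_header helper are all assumptions of this example.

```python
import base64, hashlib, hmac, secrets, uuid


class KeyServer:
    """Hypothetical in-memory model: Basic auth once over TLS, then one UUID key per user."""
    def __init__(self):
        self.users = {}  # username -> (salt, PBKDF2 hash); populated by the admin
        self.keys = {}   # username -> API key; at most one entry per user

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):  # admin action: never store the password itself
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def _check_basic(self, authorization):
        """Parse 'Basic <base64(user:pass)>'; return the username on success, else None."""
        scheme, _, token = authorization.partition(" ")
        try:
            user, _, password = base64.b64decode(token).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        record = self.users.get(user)
        if scheme.lower() != "basic" or record is None:
            return None
        salt, stored = record
        return user if hmac.compare_digest(self._hash(password, salt), stored) else None

    def request_key(self, authorization):
        """Initial HTTPS call: trade credentials for the single per-user key."""
        user = self._check_basic(authorization)
        if user is None:
            return 401, {"error": "bad credentials"}
        if user in self.keys:  # one key per user unless an admin resets it
            return 409, {"error": "key already issued"}
        self.keys[user] = key = str(uuid.uuid4())  # uuid4 is random (os.urandom)
        return 200, {"api_key": key}
    def reset_key(self, username):  # admin action: client must re-authenticate for a new key
        self.keys.pop(username, None)
    def api_call(self, api_key, payload):
        """Later calls carry the key, not the password; the key is the 'something you have'."""
        for user, key in self.keys.items():
            if hmac.compare_digest(key, api_key):
                return 200, {"user": user, "relay": payload["relay"], "state": payload["state"]}
        return 401, {"error": "invalid key"}


def basic_header(username, password):  # the header value the client sends (constructed helper)
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
```

In a real deployment add_user and reset_key would sit behind the admin interface and the key table would live in the database rather than a dict.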