How should I properly impliment HTTP(S) auth (REMOTE_AUTH) in django?

Question

I am in the planning phase a new project. I want to be able to control multiple relays from my android powered phone over the internet. I need to use an HTTP based server as a middleman between the phone and the relays. Django is my preferred platform because Python is my strongest skill set. This would not be a "web app" (with the exception of the admin interface for managing the user and their access to the relays). Rather, the server would simply provide an API in the form of HTTPS requests and JSON encoding. Though, I should note that I have never done any web development in my life, so I don't know best practices (yet). The authentication method should meet the following criteria:

• Works over HTTPS (self-signed SSL)
• Provides multi-factor authentication (in the form of something you have and something you know)
• Be reasonably secure (Would be very difficult to fool, guess at. or otherwise bypass)
• Is simple in implementation for the server operator and end user on the mobile client

• Is lightweight in in terms of both CPU cycles and bandwidth

  I plan to use the following scheme to solve this:

  1. An administrator logs into the web interface, creates a user, and sets up his/her permissions (including a username and a password chosen by the user).
  2. The user starts the client, selects add server, and enters the server URL and his/her credentials.
  3. The client attempts to authenticate the the user via HTTP auth (over SSL). If the authentication was successful, the server will generate an API key in the form of a UUID and sends it to the client. The client will save this key and use it in all API calls over HTTPS. HTTP auth is only used for the initial authentication process prior to reviving a key, as a session scheme would not be nessessary for this application. Right? The client will only work if the phone is configured to automatically lock with a PIN or pattern after a short timeout. The server will only allow one key to be generated per user, unless an administrator resets the key. Hence, simple, mobile, multifactor authentication.

Is this sound from a security standpoint? Also, can anyone point me to an example of how to use the HTTP auth that is built into Django? From a Google search, I can find a lot of snipits witch hack the feature together. But, none of them implement HTTP auth in the wayit was added to Django in 1.1. The official documentation for REMOTE_AUTH can be found here, but I am having difficulty understanding the documentation as I am very new to Django.

Answer 1

I'm not entirely sure of how basic auth would work on Django, but I can take a shot.

The basic auth article on wikipedia covers a pretty standard usecase for logging in. For Android I've personally skipped the first part (401) and just pass my credentials in right away.

With your auth request you will have to just grab the user credentials from the request headers (WWW-Authenticate) and then do all the necessary work for that. With the credentials you can then just use the authentication framework provided in Django to verify that the user then generate their UUID (I guess).

As for basic auth on Android it's a little bit tricky at first and may leave you pulling your hair. I've found this article on Basic HTTP auth for android which helps explain how to do it.

As for the security part of it, I'm not too sure. It's pretty simple, which I'd say is a good thing :)