One Time Password/Token Generation and Validation #22

selwin opened this issue May 4, 2025 · 5 comments

selwin commented May 4, 2025

Code of Conduct

  • I agree to follow Django's Code of Conduct

Feature Description

A built in way for Django to generate and validate one time tokens.

Problem

Many web apps use single-use codes for:

  • Passwordless login
  • Email/phone verification
  • 2FA

Despite being a common requirement, Django currently lacks a built-in, standardized mechanism for generating and validating one-time passwords (OTPs).

Request or proposal

proposal

Additional Details

No response

Implementation Suggestions

Proposed APIs (obviously I'm still open to suggestions):

from django.auth import otp

token = otp.create(key, ttl, length, allowed_chars)

# Passing in `invalidate=True` would invalidate the token after successful validation
otp.authenticate(key, token, invalidate=False)
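
An added sketch of the semantics proposed above, not part of the original post and not Django code. The function names and parameters mirror the proposal; the in-memory store, the default values and the `now` parameter (used to make expiry testable) are assumptions.

```python
import hashlib
import hmac
import secrets
import string
import time

# In-memory store for illustration only (assumption); a real backend would be
# a cache or database table shared by all workers.
_STORE = {}  # key -> (salt, digest, expires_at)


def _digest(salt, key, token):
    # Bind the digest to the key so a token issued for one key cannot validate another.
    return hmac.new(salt, f"{key}:{token}".encode(), hashlib.sha256).digest()


def create(key, ttl=300, length=6, allowed_chars=string.digits, now=None):
    """Issue a random token for `key`, replacing any earlier one."""
    now = time.time() if now is None else now
    # secrets uses the OS CSPRNG; the random module is not suitable here.
    token = "".join(secrets.choice(allowed_chars) for _ in range(length))
    salt = secrets.token_bytes(16)
    # Only the keyed digest is stored, never the token itself.
    _STORE[key] = (salt, _digest(salt, key, token), now + ttl)
    return token


def authenticate(key, token, invalidate=False, now=None):
    """Return True if `token` is the live token for `key`."""
    now = time.time() if now is None else now
    entry = _STORE.get(key)
    if entry is None:
        return False
    salt, expected, expires_at = entry
    if now >= expires_at:
        _STORE.pop(key, None)  # expired tokens are dropped on sight
        return False
    # Constant-time comparison avoids leaking how much of the digest matched.
    ok = hmac.compare_digest(expected, _digest(salt, key, token))
    if ok and invalidate:
        _STORE.pop(key, None)  # single use: the same token fails a second time
    return ok
```

Short numeric codes are guessable by enumeration, so a deployment would also need a per-key limit on failed attempts, which this sketch leaves out.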

github-actions bot commented May 4, 2025

Thank you selwin for sharing your idea! We have a lot of them so please be patient. You can see the current queue here.

Community instructions

For commenters, please use the emoji reactions on the issue to express support, and/or concern easily. Please use the comments to ask questions or contribute knowledge about the idea. It is unhelpful to post comments of "I'd love this" or "What's the state of this?"

Reaction Guide

  • 👍 This is something I would use
  • 👎 This is something that would cause problems for me or Django
  • 😕 I’m indifferent to this
  • 🎉 This is an easy win

@knyghty
Member

knyghty commented May 8, 2025

I'd rather implement WebAuthn but I also wouldn't say no to this.

@collinanderson

WebAuthn requires JavaScript so otp would be nice as a simple way to not require JavaScript. The otp algorithm is pretty simple to implement without dependencies.

https://en.wikipedia.org/wiki/Time-based_one-time_password
https://en.wikipedia.org/wiki/HMAC-based_one-time_password

@knyghty
Member

knyghty commented May 12, 2025

Sorry, I didn't mean to sound like I was not in favour at all if we had WebAuthn, I definitely want both. It was more a preference of what I'd rather be using. I do think we should want both, even if WebAuthn requires another dependency.

@frankwiles
Member

While low dependency count is good for lots of reasons I'd personally lean more toward using something like https://github.com/pyauth/pyotp (as an optional dependency perhaps) rather than re-inventing the wheel here. (pun intended hehehe)

Status: Idea