Best way to implement a more complex user registration/auth flow?

Alexander Joseph

Aug 25, 2017, 2:31:43 PM
to Django users
I'm currently using django.contrib.auth for my user authentication which works well for simple authentication/authorization but I'd like to expand the registration/auth flow a little. 

Right now with the default flow users go to the signup page, sign up, then are redirected to the login page and can immediately sign in. I'd like to have it so that once the new user signs up they are sent an email confirmation. Once they confirm their email their account is flagged inactive so they can't log in until a site administrator, who receives a notification email once they confirm, flags their account as active. Once the administrator flags their account as active the user gets another email saying their account is approved and they can log in.

Is there a library out there that can help me build this so that I don't have to build everything myself on top of the Django auth? Thanks

Eduardo Balbinot

Aug 25, 2017, 7:35:13 PM
to Django users
You probably need extra attributes in your User class, which means you could extend the User class as explained here: https://docs.djangoproject.com/en/1.11/topics/auth/customizing/#extending-the-existing-user-model
Don't forget you could also work with the is_active attribute to control whether the administrator has / hasn't flagged the account as active.

Hope my answer helps you.

Alexander Joseph

Aug 25, 2017, 7:40:29 PM
to Django users
Thanks Eduardo, I actually extended the User model by making an AbstractBaseUser sub-class. I'm using is_active also but I guess I'm not sure how to implement my flow for registering new users. I suppose I need to extend the classes or models in django.contrib.auth.

I was also just looking at allauth, which looks like it's probably the way to go, and it looks like it's got a lot of awesome functionality related to security too.

Eduardo Balbinot

Aug 26, 2017, 4:05:22 PM
to Django users
You could do it like this: when the user signs in you create the user in the database and flag is_active as False, so the user won't be able to log in. In your extended User model you could have another flag like has_confirmed_email which you also set to False. When the user confirms the email you set has_confirmed_email to True so you can have a page that shows the admin which users are not active but have confirmed their email addresses. Finally, the admin confirms a user, which means in the background you set is_active to True and then the user is able to log in to your system.
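
The two-flag flow described in this thread, as an added example that is not part of the original posts and is not Django or allauth code. It is a standard-library Python sketch; `Account`, `SECRET`, `MAX_AGE` and the function names are assumptions for illustration, and in a Django project the two flags would live on the extended user model.

```python
import base64, hashlib, hmac, time
from dataclasses import dataclass

SECRET = b"constructed-demo-key"   # assumption: a server-side secret kept out of source control
MAX_AGE = 3 * 24 * 3600            # assumption: confirmation links are valid for three days

@dataclass
class Account:                     # stand-in for the extended User model in the thread
    email: str
    is_active: bool = False        # stays False until an administrator approves
    has_confirmed_email: bool = False

def _sig(payload: str) -> bytes:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")

def make_token(acct, now=None):
    """Signed, timestamped value to embed in the confirmation link."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_sig(f'{acct.email}|{ts}').decode()}"

def confirm_email(acct, token, now=None):
    """Sets has_confirmed_email only; never touches is_active."""
    now = time.time() if now is None else now
    try:
        ts_text, sig = token.split(".", 1)
        ts, sig = int(ts_text), sig.encode()
    except ValueError:
        return False               # malformed token
    if not hmac.compare_digest(sig, _sig(f"{acct.email}|{ts_text}")):
        return False               # forged token, or one issued for another address
    if not 0 <= now - ts <= MAX_AGE:
        return False               # expired, or timestamp in the future
    acct.has_confirmed_email = True
    return True                    # caller would notify the administrators here

def pending_approval(accounts):
    """Rows for the admin page: confirmed address, not yet approved."""
    return [a for a in accounts if a.has_confirmed_email and not a.is_active]

def approve(acct, approver_is_staff):
    """Administrator step; refuses unconfirmed accounts and non-staff callers."""
    if not approver_is_staff or not acct.has_confirmed_email:
        return False
    acct.is_active = True
    return True                    # caller would send the "approved" email here

def can_log_in(acct):
    return acct.is_active
```

Keeping the confirmation step and the approval step in separate functions means a valid email link alone can never make an account able to log in.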

Alexander Joseph

Aug 27, 2017, 5:23:44 PM
to Django users
Thanks Eduardo, I will try that!