Rehberler Uzun Okuma Authentication

Django'da kimlik dogrulama nasil calisir?

Middleware sirasi, auth backend ve request.user atama mekanizmasi.

4 Şubat 2026 19 dk okuma
Paylaş
X in

Giris

Middleware, her HTTP isteginin view'a ulasmadan once ve response donmeden once calisan bir islem zinciridir. Django'nun session, CSRF ve authentication mekanizmalari buyuk olcude middleware uzerinden isler. Custom middleware ile rate limiting, tenant secimi veya request ID ekleme gibi capraz kesen ihtiyaclari merkezi olarak cozebilirsiniz.

Bu yazida middleware yasam dongusunu, custom authentication backend yazimini ve API projelerinde JWT bearer token dogrulamasini gercek kodla inceleyecegiz.

Middleware Yasam Dongusu

MiddlewareMixin (veya Django 5+ MiddlewareProtocol) __call__ metodunda request ve get_response alir. process_request view oncesi, process_response view sonrasi calisir. process_exception hata durumunda devreye girer.

  • SecurityMiddleware en basta olmali
  • SessionMiddleware AuthenticationMiddleware'den once
  • Custom middleware genelde auth sonrasi eklenir
class RequestIDMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        request.request_id = str(uuid.uuid4())
        response = self.get_response(request)
        response['X-Request-ID'] = request.request_id
        return response

AuthenticationMiddleware ve request.user

AuthenticationMiddleware request.user ve request.auth atar. Varsayilan ModelBackend, User modeli ve session tabanli girisi kullanir. authenticate() fonksiyonu AUTHENTICATION_BACKENDS listesini sirayla dener.

from django.contrib.auth import authenticate, login

user = authenticate(request, username='ali', password='sifre')
if user is not None:
    login(request, user)

Custom Authentication Backend

AbstractBaseUser veya mevcut User modeli ile ozel backend yazilabilir. get_user(user_id) session'dan geri yukleme icin, authenticate() kimlik bilgisi dogrulama icin implement edilir.

from django.contrib.auth.backends import BaseBackend

class EmailBackend(BaseBackend):
    def authenticate(self, request, email=None, password=None, **kwargs):
        User = get_user_model()
        try:
            user = User.objects.get(email=email)
        except User.DoesNotExist:
            return None
        if user.check_password(password):
            return user
        return None

    def get_user(self, user_id):
        User = get_user_model()
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
            return None
AUTHENTICATION_BACKENDS listesinde ilk eslesen backend kazanir; sirayi bilincli secin.

JWT Bearer Token Middleware

Stateless API'lerde session yerine JWT kullanilir. Authorization header parse edilir, token dogrulanir ve request.user atanir. PyJWT veya djangorestframework-simplejwt yaygin tercihlerdir.

import jwt
from django.contrib.auth import get_user_model

class JWTAuthenticationMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        auth = request.META.get('HTTP_AUTHORIZATION', '')
        if auth.startswith('Bearer '):
            token = auth[7:]
            try:
                payload = jwt.decode(token, settings.SECRET_KEY, algorithms=['HS256'])
                request.user = get_user_model().objects.get(pk=payload['sub'])
            except (jwt.InvalidTokenError, get_user_model().DoesNotExist):
                request.user = AnonymousUser()
        return self.get_response(request)

Guvenlik ve Hata Yonetimi

Middleware icinde hassas veri loglamayin. Token'i her istekte decode etmek maliyetlidir; kisa omurlu access token + refresh token modeli kullanin. Basarisiz auth durumunda view'a AnonymousUser ile devam etmek veya 401 donmek politika kararidir.

  • HTTPS zorunlu; token'lar query string'de tasimayin
  • Clock skew icin leeway parametresi
  • Token blacklist veya rotation stratejisi

Test ve Debug

RequestFactory ile middleware birim testi yazilir. Client uzerinde force_login veya Authorization header ile entegrasyon testi yapilir.

  1. Backend authenticate() unit test
  2. Middleware request/response test
  3. APIClient ile 401/403 senaryolari
from django.test import RequestFactory

def test_jwt_middleware_sets_user():
    factory = RequestFactory()
    request = factory.get('/', HTTP_AUTHORIZATION=f'Bearer {valid_token}')
    middleware = JWTAuthenticationMiddleware(lambda r: HttpResponse('ok'))
    middleware(request)
    assert request.user.is_authenticated

Sonuc

Middleware ve custom auth backend, Django'nun guvenlik modelini bozmadan genisletmenin dogru yoludur. Monolitik view icinde token parse etmek yerine merkezi middleware + backend yapisi bakimi ve testi kolaylastirir.

  • DRF icin REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES']
  • Session ve JWT'yi ayni projede ayri URL prefix ile ayirin
  • Middleware sirasini degistirmeden once staging'de test edin