📝 Description
This ticket focuses on implementing the User Authentication API using Django REST Framework (DRF) with JWT-based authentication. The API will allow users to register, log in, log out, reset their passwords, and enable multi-factor authentication (MFA).
🎯 Expected Deliverables
1️⃣ Implement API Endpoints
The following authentication-related API endpoints must be created and fully functional:
| Endpoint | Method | Description |
|---|---|---|
| /api/auth/register/ | POST | Register a new user |
| /api/auth/login/ | POST | Authenticate a user and return a JWT |
| /api/auth/logout/ | POST | Invalidate the user's token (logout) |
| /api/auth/password-reset/ | POST | Send password reset instructions via email |
| /api/auth/password-reset-confirm/ | POST | Confirm password reset and set a new password |
| /api/auth/mfa/enable/ | POST | Enable multi-factor authentication (MFA) |
| /api/auth/mfa/verify/ | POST | Verify MFA code during login |
2️⃣ Implement JWT Authentication
- Use Django REST Framework Simple JWT for issuing and managing authentication tokens.
- Ensure JWT tokens are correctly generated, validated, and refreshed.
- Implement secure storage of refresh tokens.
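The points above (issue, validate, refresh, and invalidate on logout) are easier to review with the mechanics spelled out. The following is an added example written for this ticket, not the project's code and not the Simple JWT API: it implements HS256 JWTs with the standard library only, a refresh-token denylist for logout, and refresh rotation. Simple JWT's `RefreshToken` and its blacklist app provide the same operations and should be used in the real views. `TokenStore`, `issue_pair`, `rotate_refresh`, the TTL values and the `type` claim are assumptions made here.

```python
"""HS256 JWT issue / verify / refresh-rotation / logout, standard library only.

Added example for this ticket, not the project's code and not Simple JWT's API.
TokenStore, issue_pair, rotate_refresh, the TTLs and the "type" claim are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_TTL = 300         # 5 minutes: short-lived, never individually revoked
REFRESH_TTL = 7 * 86400  # 7 days: long-lived, therefore tracked and revocable


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def issue_token(key: bytes, sub: str, token_type: str, ttl: int, now: int) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "type": token_type, "iat": now, "exp": now + ttl,
               "jti": secrets.token_hex(16)}  # unique id so the token can be revoked
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    return signing_input + "." + _b64url(_sign(key, signing_input))


def issue_pair(key: bytes, sub: str, now: int):
    """Result of a successful login: (access token, refresh token)."""
    return (issue_token(key, sub, "access", ACCESS_TTL, now),
            issue_token(key, sub, "refresh", REFRESH_TTL, now))


class TokenStore:
    """Server-side denylist of revoked refresh-token ids (Simple JWT's blacklist table)."""
    def __init__(self):
        self.revoked = set()


def verify_token(key: bytes, token: str, expected_type: str, store: TokenStore, now: int):
    """Return the payload if the token is valid for the expected use, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        signature = _b64url_decode(parts[2])
        # Pin the algorithm: rejects alg=none and algorithm-confusion headers.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        if not hmac.compare_digest(_sign(key, parts[0] + "." + parts[1]), signature):
            return None
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(payload, dict) or payload.get("type") != expected_type:
        return None  # a refresh token must not be accepted where an access token is expected
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    if payload.get("jti") in store.revoked:
        return None
    return payload


def logout(key: bytes, refresh_token: str, store: TokenStore, now: int) -> bool:
    """/api/auth/logout/: revoke the refresh token; the access token simply expires."""
    payload = verify_token(key, refresh_token, "refresh", store, now)
    if payload is None:
        return False
    store.revoked.add(payload["jti"])
    return True


def rotate_refresh(key: bytes, refresh_token: str, store: TokenStore, now: int):
    """Exchange a refresh token for a new pair and revoke the old one (rotation)."""
    payload = verify_token(key, refresh_token, "refresh", store, now)
    if payload is None:
        return None
    store.revoked.add(payload["jti"])
    return issue_pair(key, payload["sub"], now)
```

Because access tokens are stateless, logout can only revoke the refresh token; keeping `ACCESS_TTL` short bounds how long a stolen access token stays usable. Refresh tokens should reach the client only in an HttpOnly, Secure cookie or be stored hashed server-side, never in `localStorage`.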
3️⃣ Implement Password Reset Flow
- Generate and send password reset emails securely.
- Implement token-based password reset confirmation.
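A worked version of the two-step flow, added here as an example and not the project's code: the token is an HMAC over the user id, the current password hash and an issue timestamp, which is exactly the idea behind Django's own `PasswordResetTokenGenerator` (which the real view should use). Binding the MAC to the password hash makes the token single-use, and the request endpoint answers identically for known and unknown addresses so it cannot enumerate accounts. `User`, `RESET_TTL`, `server_key`, `request_reset` and `confirm_reset` are assumptions; scrypt stands in for Argon2 only because `argon2-cffi` is not in the standard library.

```python
"""Password-reset token bound to the user's current credential, standard library only.

Added example for this ticket, not the project's code. User, RESET_TTL, server_key,
request_reset and confirm_reset are assumptions; scrypt is a stand-in for Argon2.
"""
import hashlib
import hmac
import secrets
import time

RESET_TTL = 3600  # a reset link is valid for one hour


def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


class User:
    def __init__(self, user_id: int, email: str, password_hash: str):
        self.id = user_id
        self.email = email
        self.password_hash = password_hash


def _reset_mac(user: User, timestamp: int, server_key: bytes) -> str:
    # Including the password hash makes the token single-use: once the
    # password changes, no token issued before the change verifies.
    msg = f"{user.id}|{user.password_hash}|{timestamp}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def make_reset_token(user: User, server_key: bytes, now=None) -> str:
    ts = int(time.time() if now is None else now)
    return f"{ts}-{_reset_mac(user, ts, server_key)}"


def check_reset_token(user: User, token: str, server_key: bytes, now=None) -> bool:
    now = int(time.time() if now is None else now)
    try:
        ts_text, mac = token.split("-", 1)
        ts = int(ts_text)
    except ValueError:
        return False
    if ts > now or now - ts > RESET_TTL:  # expired or timestamp from the future
        return False
    return hmac.compare_digest(_reset_mac(user, ts, server_key), mac)


def request_reset(email: str, users_by_email: dict, server_key: bytes, now=None):
    """Handler for /api/auth/password-reset/. Returns (response_message, mail_to_send).

    The response is the same whether or not the address exists, so the endpoint
    cannot be used to enumerate registered accounts."""
    message = "If that address is registered, reset instructions have been sent."
    user = users_by_email.get(email)
    if user is None:
        return message, None
    token = make_reset_token(user, server_key, now)
    return message, (user.email, f"uid={user.id}&token={token}")


def confirm_reset(user: User, token: str, new_password: str, server_key: bytes, now=None) -> bool:
    """Handler for /api/auth/password-reset-confirm/: verify the token, then rehash."""
    if not check_reset_token(user, token, server_key, now):
        return False
    user.password_hash = hash_password(new_password)
    return True
```

The `uid` in the link selects the user record and the token proves possession of the emailed link; the token itself never reveals the password hash because only its HMAC under `server_key` is sent.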
4️⃣ Implement Multi-Factor Authentication (MFA)
- Use TOTP (Time-Based One-Time Password) for MFA (e.g., Google Authenticator).
- Store user-specific MFA secrets securely.
- Require MFA verification during login if enabled.
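The enrolment and login-time verification steps above, carried through as an added example for this ticket (not the project's code; a maintained library such as django-otp or pyotp should back the real endpoints): RFC 6238 TOTP with the standard library only, an `otpauth://` URI for the enable step, a clock-skew window, and replay protection so a code is accepted at most once. `MfaState`, `generate_secret`, `verify_totp` and the window handling are assumptions made here; `RFC_TEST_SECRET` is the RFC 6238 Appendix B test-vector key.

```python
"""TOTP (RFC 6238) enrolment and verification, standard library only.

Added example for this ticket, not the project's code. MfaState, generate_secret,
verify_totp and the window/replay handling are assumptions made here.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30   # seconds per time step
DIGITS = 6

# Constructed from the RFC 6238 Appendix B test vectors (ASCII key "12345678901234567890").
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def generate_secret() -> str:
    """160-bit random secret (RFC 4226 recommended size), base32 for authenticator apps."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that /api/auth/mfa/enable/ would render as a QR code."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


def totp_code(secret_b32: str, timestep: int) -> str:
    """HOTP over the time-step counter (RFC 4226 dynamic truncation, HMAC-SHA1)."""
    key = base64.b32decode(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class MfaState:
    """Per-user MFA record. In the real model the secret must be stored encrypted at rest;
    last_step is the newest time step already accepted, kept to reject replays."""
    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.last_step = -1


def verify_totp(state: MfaState, submitted: str, now=None, window: int = 1) -> bool:
    """/api/auth/mfa/verify/: accept the current step and +/- `window` steps for clock skew.

    Any step at or before the last accepted one is refused, so a captured code cannot
    be replayed within its validity window."""
    now = time.time() if now is None else now
    current = int(now // STEP)
    submitted = submitted.strip()
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for step in range(current - window, current + window + 1):
        if step <= state.last_step:
            continue
        if hmac.compare_digest(totp_code(state.secret, step), submitted):
            state.last_step = step
            return True
    return False
```

Login should issue the JWT pair only after `verify_totp` succeeds for users with MFA enabled, and the verify endpoint needs the same rate limiting as login: six digits with a three-step window is brute-forceable without it.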
5️⃣ API Request Validation & Security Measures
- Validate incoming requests to prevent malformed data.
- Apply rate limiting on login and registration endpoints.
- Secure password handling using Argon2 hashing.
✅ Acceptance Criteria
- All authentication API endpoints are implemented and functional.
- JWT authentication is properly set up.
- Password reset flow works as expected.
- MFA is implemented and supports TOTP-based verification.
- API input validation and security measures are in place.
- Tests are written to validate authentication functionality.