16

I am writing a back-end in Django for a mobile app I am creating. I need to authenticate a user the first time they open the mobile app through SMS to verify it is a real person. What needs to happen is the following: user enters phone number in app, server then sends SMS message to user with authentication code, user then enters authentication code in app and server verifies that the code they entered in the app is the same one they received through SMS.

I need to use Twilio with my Django project. I just need to know what would be the best way to go about this. The front-end side of this (the mobile app) is not what I am asking about; I am asking about the code on the back-end that should be implemented. I am struggling to find up-to-date documentation for django-twilio integration that could do this.

jaredthecoder
  • 2
    I'm afraid this is likely too broad a question for Stackoverflow. That said, it shouldn't be too difficult to do this. You create a Model for the verification code. You generate a unique code every time you need to verify a user. This gets sent to the user via SMS and upon entering the code the app checks a URL/REST endpoint (myapp.com/verify//). If there is a verification code in the database, it hasn't been verified yet so consider the user real and delete the verification code. Otherwise, return an error message – Timmy O'Mahony Nov 03 '14 at 16:44

4 Answers

25

Twilio evangelist and maintainer of django-twilio here.

What you're looking to build is something very easy to do; I can outline the steps for you here:

  • Create a Django model that stores a user's number and a generated passcode
  • When a new user is created, take their number and SMS them the code using the Twilio REST API
  • When they enter the passcode you sent them, cross reference it with the one stored in the database.
  • If the number is right, verify them; if not, tell them it is wrong and offer to send them an SMS again.
Jean-François Fabre
phalt
6

You can use django-passcode as an app in your project. It exposes APIs to "register" a mobile number and "verify" through an SMS-based passcode. It uses the mobile number and device id pair as unique. It also generates and returns a token for future authorization requests from the mobile app. You can use Twilio or any other SMS API to send the SMS.

https://github.com/sgurminder/django-passcode

I appreciate your feedback for django-passcode

s007
  • It's good. Just forked it. :) I needed something which overrides the default user auth. This is pretty close to that. – iraycd May 17 '16 at 05:15
4

Disclaimer: I'm the maintainer of Django-phone-verify

What you're looking to accomplish is very easy with django-phone-verify app. It comes with Twilio & Nexmo already integrated and a few endpoints which you can extend as per your use case.

This package aims at verifying if a phone number requested by a particular client belongs to them. It also takes care of ensuring that the same device provides the verification of the passcode which initially requested a passcode to be sent, saving you a few hours of work.

This package also doesn't mess with your current user model at all. You're free to use this package exactly for one thing: verifying phone numbers. Whether you do it for users, companies, etc. depends on your use case.

It follows the Unix philosophy of "Do one thing; do it well."

Installation

pip install django-phone-verify

Configuration

  • Add app to INSTALLED_APPS:
    # In settings.py:

    INSTALLED_APPS = [
        ...
        'phone_verify',
    ]
  • Add settings in your settings.py file:
    # Settings for phone_verify
    PHONE_VERIFICATION = {
        'BACKEND': 'phone_verify.backends.twilio.TwilioBackend',
        'TWILIO_SANDBOX_TOKEN': '123456',
        'OPTIONS': {
            'SID': 'fake',
            'SECRET': 'fake',
            'FROM': '+14755292729'
        },
        'TOKEN_LENGTH': 6,
        'MESSAGE': 'Welcome to {app}! Please use security code {otp} to proceed.',
        'APP_NAME': 'Phone Verify',
        'OTP_EXPIRATION_TIME': 3600  # In seconds only
    }
  • Migrate the database:
    python manage.py migrate

You get two endpoints (Check API docs), one for registration of phone number and the other to verify the passcode. You may override verify endpoint to also create a user as described in the usage docs: https://github.com/CuriousLearner/django-phone-verify/blob/master/docs/usage.rst

Sanyam Khurana
  • Thank you for mentioning your django-phone-verify. Many don't and just market their packages here under the guise of helping. Really appreciate it. – ABN Apr 15 '20 at 21:08
  • 2
    Hi @ABN Thanks! I just released another version of the package a few days ago and it now supports integration with Nexmo too. – Sanyam Khurana Apr 15 '20 at 22:01
  • How can I use this package directly with Django Forms? – sajeyks mwangi Nov 17 '22 at 20:46
1

Recently I was looking for a library or scheme to sign in/sign up users through SMS (send an SMS code and then validate it).

Short solution:

  1. Create an SMS model to generate a code for a phone number
  2. Send an SMS with the code to the client (for example, use Twilio)
  3. The user gets the code and sends phone_number + code
  4. Validate it. Respond with any useful information

Also:

  1. You must use async code or celery to send the SMS
  2. Add an SMS lifetime (for example, 30 seconds)
  3. Clean the phone number to a valid format
  4. Get or create user by phone number

You may use this library, for example: https://github.com/a1k89/django-rest-sms-auth

a1k89
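
An added example (not code from any of the answers or from the packages they mention) of the flow outlined in the first answer, with the code lifetime and phone-number cleaning listed in the last one. It uses only the Python standard library: the in-memory dict stands in for the Django model, and send_sms, CODE_TTL, MAX_ATTEMPTS and SERVER_KEY are assumptions of this example, with send_sms being whatever callable hands the text to your SMS provider.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300       # assumed code lifetime, in seconds
MAX_ATTEMPTS = 5     # assumed number of guesses allowed per issued code
SERVER_KEY = secrets.token_bytes(32)  # stand-in for a server-side secret
_pending = {}        # phone -> record; stands in for the Django model/table


def normalize_phone(raw):
    """Reduce input to '+<digits>' (E.164 style) or raise ValueError."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if not raw.strip().startswith("+") or not 8 <= len(digits) <= 15:
        raise ValueError("expected an international number such as +15555550100")
    return "+" + digits


def _mac(phone, code):
    # Keyed hash, so a dump of the table alone does not reveal the short code.
    return hmac.new(SERVER_KEY, f"{phone}:{code}".encode(), hashlib.sha256).digest()


def issue_code(raw_phone, send_sms, now=None):
    """Create a 6-digit code, store only its MAC, pass the text to send_sms."""
    phone = normalize_phone(raw_phone)
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG rather than random
    issued = time.time() if now is None else now
    _pending[phone] = {"mac": _mac(phone, code), "expires": issued + CODE_TTL,
                       "attempts": 0}
    send_sms(phone, f"Your verification code is {code}")
    return phone


def verify_code(raw_phone, code, now=None):
    """True only for the correct, unexpired code, and only once."""
    phone = normalize_phone(raw_phone)
    rec = _pending.get(phone)
    if rec is None:
        return False
    current = time.time() if now is None else now
    if current > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[phone]  # expired or guessed out: a new code must be issued
        return False
    rec["attempts"] += 1
    if hmac.compare_digest(rec["mac"], _mac(phone, code)):
        del _pending[phone]  # single use
        return True
    return False
```

With a 6-digit code, the attempt cap and the expiry are what bound an attacker's guessing; calling issue_code again for the same number replaces the previous code.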