Configuration
All RobustAuth settings live under a single ROBUST_AUTH dict in your Django settings.py. Every setting has a sensible default — you only need to override what you want to change.
ROBUST_AUTH = {
# your overrides here
}
Token Lifetimes
Setting |
Default |
Description |
|---|---|---|
|
|
Access token lifetime in seconds (15 min) |
|
|
Refresh token lifetime in seconds (7 days) |
|
|
Random bytes used to generate each token |
Session Policy
Setting |
Default |
Description |
|---|---|---|
|
|
|
|
|
Maximum concurrent sessions (used when |
|
|
When |
Token Security
Setting |
Default |
Description |
|---|---|---|
|
|
Store |
|
|
Issue a new refresh token on every use; old token is immediately invalidated |
|
|
If an already-used refresh token is presented again, revoke the entire token family and all sessions |
Password Change & Reset
Setting |
Default |
Description |
|---|---|---|
|
|
Revoke all other sessions when a user changes their password. Current session is kept alive |
|
|
Issue a fresh token pair to the current session after a password change, so the client stays logged in without interruption |
|
|
Revoke all sessions including current on password reset. Reset is a stronger security event — forces re-login everywhere |
|
|
Issue a new token pair immediately after reset so the user lands logged in. |
Behaviour matrix
Event |
|
|
Result |
|---|---|---|---|
Password change |
|
|
Other sessions killed, current session gets new tokens — user stays logged in |
Password change |
|
|
Other sessions killed, current session token unchanged |
Password change |
|
|
No revocation, current session gets new tokens |
Password reset |
|
|
All sessions killed — user must log in again |
Password reset |
|
|
All sessions killed, then new session + tokens issued — user lands logged in |
Password reset |
|
|
No sessions touched, no new tokens |
How to call from your views
from robustauth.session_manager import SessionManager
# After password change — pass current session to keep it alive
def change_password(request):
user.set_password(new_password)
user.save()
new_pair = SessionManager.on_password_change(
user,
current_session=request.auth.session,
)
if new_pair:
# Send new tokens back to the client
return Response({
"access_token": new_pair.access_token,
"refresh_token": new_pair.refresh_token,
})
return Response({"detail": "Password changed."})
# After password reset — no current session (user came via email link)
def reset_password(request):
user.set_password(new_password)
user.save()
new_pair = SessionManager.on_password_reset(user)
if new_pair:
# Log user in immediately after reset
return Response({
"access_token": new_pair.access_token,
"refresh_token": new_pair.refresh_token,
})
return Response({"detail": "Password reset. Please log in."})
Tracking
Setting |
Default |
Description |
|---|---|---|
|
|
Store the client IP address on each session |
|
|
Store the raw |
|
|
Parse OS, browser, and device type from the User-Agent (requires |
Audit History
Setting |
Default |
Description |
|---|---|---|
|
|
Log successful logins to |
|
|
Log logout events to |
|
|
Log failed login attempts to |
|
|
Maximum |
Brute-Force Protection
Setting |
Default |
Description |
|---|---|---|
|
|
Number of failed logins within |
|
|
Time window in seconds for counting failed logins |
Sliding Sessions
Setting |
Default |
Description |
|---|---|---|
|
|
When |
|
|
Token extension in seconds when sliding sessions are enabled. With inactivity > 30 min, tokens expire (30 min) |
Full Example
ROBUST_AUTH = {
# Tokens
"ACCESS_TOKEN_TTL": 900,
"REFRESH_TOKEN_TTL": 604800,
"TOKEN_BYTES": 32,
# Session policy
"SESSION_POLICY": "max_count",
"MAX_SESSIONS": 3,
"REVOKE_OLDEST_ON_LIMIT": True,
# Security
"HASH_TOKENS": True,
"ROTATE_REFRESH_TOKENS": True,
"REFRESH_TOKEN_REUSE_DETECTION": True,
"REVOKE_ON_PASSWORD_CHANGE": True,
# Tracking
"TRACK_IPS": True,
"TRACK_USER_AGENTS": True,
"TRACK_DEVICE_INFO": True,
# History
"STORE_LOGIN_HISTORY": True,
"STORE_LOGOUT_HISTORY": True,
"STORE_FAILED_LOGINS": True,
"MAX_HISTORY_ENTRIES": 100,
# Brute-force
"FAILED_LOGIN_THRESHOLD": 5,
"FAILED_LOGIN_WINDOW": 300,
# Sliding sessions
"SLIDING_SESSION": False,
"SLIDING_SESSION_TTL": 1800,
}