In my previous projects, I have focused on using Django core features such as MVT, middlewares, etc. However, my current project is a SaaS that requires me to interact with an API which has two main endpoints: one for authentication and one for validating some JWS.
The authentication endpoint requires a username and a password, and it returns a JWT that expires every “x” hours. My plan, at very high level, is to implement the following steps to authenticate users and keep all credentials in a reasonable security layer:
- Keep the username and password that will be sent to the API in an encrypted text (in this case I cannot use a hash for this password, because I will send it to the API endpoint).
- Send a POST request to the authentication endpoint using the requests library.
- If the server responds with a JWT, store it in the database in an encrypted text.
- For all other requests to the API that require the JWT, I will send the token in the headers using the requests library. If the token fails because it has expired, ask for a new token as in step 1.
Does this approach seem clear and secure?
What could you suggest to me?
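The token lifecycle from steps 2 to 4, as an added example that is not the poster's code: the client reads the JWT's `exp` claim to re-authenticate before the token lapses and retries once after a 401. `ApiClient`, `make_token` and `fake_api` are assumed names; the real `requests` POST and the encrypted storage of steps 1 and 3 are left as injected callables, and `fake_api` is a constructed offline stand-in for both endpoints.

```python
import base64
import json
import time

def jwt_exp(token):
    """Read 'exp' to refresh proactively; verifying the signature is the server's job."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

class ApiClient:
    """Caches the JWT; re-authenticates shortly before 'exp' or after a 401."""
    def __init__(self, authenticate, send, skew=60):
        self._authenticate = authenticate  # () -> JWT (the POST with username/password)
        self._send = send                  # (jwt) -> (status, body) (the requests call)
        self._skew = skew                  # seconds of clock skew to tolerate
        self._token = None
        self.auth_calls = 0

    def token(self):
        if self._token is None or jwt_exp(self._token) - self._skew <= time.time():
            self._token = self._authenticate()
            self.auth_calls += 1
        return self._token

    def call(self, retry=True):
        status, body = self._send(self.token())
        if status == 401 and retry:  # server rejected it: re-authenticate and retry once
            self._token = None
            return self.call(retry=False)
        return status, body

def make_token(exp):
    # Constructed, unsigned JWT for the offline demo; a real token carries a signature.
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none'})}.{seg({'exp': exp})}.x"

def fake_api(lifetime):
    # Constructed stand-in for both endpoints: tokens live `lifetime` seconds and the
    # first one issued is rejected once with a 401, as a stale token would be.
    issued, state = [], {"rejected": False}
    def authenticate():
        issued.append(make_token(int(time.time()) + lifetime + len(issued)))
        return issued[-1]
    def send(token):
        if token == issued[0] and not state["rejected"]:
            state["rejected"] = True
            return 401, "token expired"
        return 200, "validated"
    return authenticate, send
```

Re-authenticating only on a 401 means the stored credentials are sent once per token lifetime rather than on every request, which is what step 4 describes.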