
IoT Course Week 6: Setting Up User Accounts


Welcome to Week 6 of the Case Western Reserve University IoT course. Over the next two weeks, we will be tackling a new kind of challenge: security. This week kicks off by setting up the web framework Django.

Last Week

Last week, students spent time setting up a static webpage on EC2 that communicates via MQTT with their LAMPi hardware. We kicked this week off with a demo and discussion of what everyone was able to accomplish. See the previous week's post here: WEEK 5 POST

Why Django?

Despite the multitude of web frameworks available, using Django was an easy choice for this project. It is a mature, modern web framework with a highly active community. It is easy to configure to work with many different databases and ships with a robust ORM at its core. It supports user accounts out of the box, as well as a powerful admin interface. The fact that Django is Python-based is an added bonus, allowing the students' Python experience on LAMPi to transfer to the web.

Linking user accounts

Step one was to get Django set up and configured for user accounts through its built-in authentication app, django.contrib.auth. Details of how to do that can be found in the Django documentation. Students were provided with a sample login template which, when rendered through Django, looks like this.


Students changed their statically hosted pages to be served through Django and added the provided login template at web/lamp/templates/login.html. With the routes configured as below, navigating to the root page while unauthenticated redirects the user to this login screen.

urls.py
from django.conf.urls import url
from django.contrib.auth.decorators import login_required
from . import views

# login_required sends anonymous visitors to settings.LOGIN_URL, which must
# route to the login view that renders login.html.
urlpatterns = [
    url(r'^$', login_required(views.index), name='index'),
    url(r'^logout/$', views.logout_user, name='logout_user'),
]

From here, the static LAMPi control page moves to the index template at web/lamp/templates/index.html, and the request is handled in Django's view logic by adding an index function to web/lamp/views.py. Because the route is wrapped in login_required, request.user is always an authenticated user inside this view, and the query below returns only that user's lamps rather than every lamp in the database.

views.py
from django.shortcuts import render


def index(request):
    # request.user is populated by AuthenticationMiddleware; login_required in
    # urls.py guarantees it is a logged-in user by the time we get here.
    context = {}
    user = request.user
    # Reverse ForeignKey from the Lamp model: only this user's lamps reach the template.
    lamps = user.lamp_set.all()
    context['lamps'] = lamps
    return render(request, 'index.html', context)

What's next

At this point, students have taken the first step toward access control in the LAMPi system: the web front end now requires a login, and each user sees only their own lamps. Our more security-conscious readers will note, however, that virtually every other point of integration within the LAMPi system still remains completely insecure. Moving into Week 7, students will receive a crash course in common attack vectors and the practical implementation of modern communications cryptography.