How to integrate JWT authentication with HttpOnly cookies in a Django project that already uses sessions, while keeping roles and permissions unified?

I currently have a monolithic Django project that uses Django’s session-based authentication system for traditional views (login_required, session middleware, etc.).

Recently, I’ve added a new application within the same project (also under the same templates directory) that communicates with the backend via REST APIs (Django REST Framework) and uses JWT authentication with HttpOnly cookies.

The goal is for both parts (the old and the new) to coexist:

- The legacy sections should continue working with regular session-based authentication.
- The new app should use JWT authentication to access protected APIs.

The problem I’m facing is how to properly handle permissions and roles across both authentication systems (sessions and JWT) without duplicating logic or breaking compatibility.

Here’s what I want to achieve:

- Roles and permissions (e.g., X, Y, Z) should be defined centrally in the backend (either using Django Groups or a custom Role model).
- On the backend, traditional views should use @login_required, while API views should use JWTAuthentication with custom permission classes.
- On the frontend, I want to show or hide sections, submenus, or information depending on the authenticated user’s roles and permissions. (How can I properly integrate this?)
- All of this must work within the same Django project and the same base.html template (i.e., the new app is not a separate project).

Additionally, I want to ensure proper security:

- JWT tokens are stored only in HttpOnly, Secure, SameSite=Strict cookies.
- Tokens should not be exposed in localStorage or sessionStorage.
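As an added illustration (not code from the question, from Django or from DRF), here is one way to keep a single role source for both halves: roles are resolved once from `request.user`, whichever authenticator populated it (the session middleware for classic views, the JWT-cookie authenticator for API views), and the same resolver feeds a view decorator, a DRF permission class and a template context processor. It assumes roles are Django Groups named after the roles (X, Y, Z are the question's placeholders) and that the hypothetical names `roles_for`, `role_required`, `HasRole` and `roles_context` are free in your project.

```python
# Added example (not code from the question): resolve roles once from request.user,
# whichever authenticator set it (session middleware or a JWT-cookie authenticator),
# and reuse that resolver in a view decorator, a DRF permission and a context processor.
from functools import wraps

try:
    from django.core.exceptions import PermissionDenied
    from rest_framework.permissions import BasePermission
except Exception:  # Django/DRF absent or unconfigured: stand-alone fallbacks
    class PermissionDenied(Exception): ...
    class BasePermission: ...

ROLES = frozenset({"X", "Y", "Z"})  # placeholder role names from the question

def roles_for(user):
    """Role set of a user: anonymous -> none, superuser -> all, else its Group names."""
    if user is None or not getattr(user, "is_authenticated", False):
        return frozenset()
    if getattr(user, "is_superuser", False):
        return ROLES
    return frozenset(g.name for g in user.groups.all()) & ROLES

def has_any_role(user, *required):
    return bool(roles_for(user) & frozenset(required))

def role_required(*required):
    """Decorator for classic Django views; stack it below @login_required."""
    def deco(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if not has_any_role(request.user, *required):
                raise PermissionDenied  # Django renders this as HTTP 403
            return view(request, *args, **kwargs)
        return wrapper
    return deco

class HasRole(BasePermission):
    """DRF permission class: permission_classes = [HasRole.of("X", "Z")]."""
    required = ()

    def has_permission(self, request, view):
        return has_any_role(request.user, *self.required)

    @classmethod
    def of(cls, *required):
        return type("HasRole_" + "_".join(required), (cls,), {"required": required})

def roles_context(request):
    """Context processor so base.html can do {% if "X" in user_roles %}."""
    return {"user_roles": roles_for(getattr(request, "user", None))}
```

Register `roles_context` under `TEMPLATES[0]["OPTIONS"]["context_processors"]` so base.html sees `user_roles` for both the legacy pages and the new app's pages; the new app's JavaScript can get the same set from a small authenticated API view that returns `sorted(roles_for(request.user))`, so menus are driven by one backend-defined role set rather than anything stored client-side.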
