How can I secure my Django site?

I have a working Django site that is up and running just fine. It uses Django's contrib.auth for authentication. It is hosted on Heroku. I would like to create a clone of this site for demo purposes, but would like to add an extra layer of security around the site, which would be very simple password protection. It doesn't need to be bulletproof or unhackable - just enough to keep the Muggles out.

This layer of authorization should not interfere with the site itself in any way. It's just an outer ring (check once, then keep the permission in the session). Since the site is hosted on Heroku, this is not something I can do at the web server level - it has to be part of the application itself.

My current plan is to create a django app (working title "perimeter") that will do this, but if anyone knows of another way to do it, I'd really appreciate hearing it.

Main functions:

  • Some mechanism for generating short tokens (< 8 characters)
  • Some mechanism for registering tokens against an email address
  • Prompt users for the token / email combination the first time they access the site
  • Unrestricted site access after that (the standard authentication model applies from that point)

Typical user journey:

  • Bob asks the site owner (me) for access to the demo site
  • I generate a token for Bob and send it to him along with the site URL
  • Bob clicks on the link and is redirected to a page where he enters his email and token
  • If the token is valid (it expires after X hours / days), store it in the session and let Bob in.
  • If the token is invalid, 403 (/ 401).

(You may be wondering why providing a copy of a website that is already public makes any sense. It's because the site is a members-only site, and in the demo it will "auto-register" people so they can see it; however, I would still like to be able to track the users on the site.)

[UPDATE: alternative]

A dumb alternative is to add the token to the URL that I send to Bob, ignore his email and just validate the token itself. This will work as long as Bob always uses the URL from the email.

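The design sketched in the question (short token bound to an email, checked once, then remembered in the session, with an expiry) is small enough to show end to end. The following is an added example written for this page, not code from the question or from django-perimeter; it uses only the standard library so the logic can be exercised without a Django project. The class name Perimeter, the session key "perimeter_token", the login path "/perimeter/" and the in-memory dict standing in for a token table are all assumptions. In a real site the dict would be a model, process_request would be called from a middleware that turns ("redirect", path) into an HttpResponseRedirect, and login would back the view that renders the email / token form.

```python
import hmac
import secrets
import time

# Alphabet with easily confused glyphs (0/O, 1/I/l) removed, since the site owner
# pastes these tokens into emails by hand. 32 symbols ^ 7 chars is about 35 bits:
# enough to "keep the Muggles out" only if the login view is rate limited.
TOKEN_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
TOKEN_LENGTH = 7  # the question asks for "< 8 characters"

SESSION_KEY = "perimeter_token"  # assumed session key name, not django-perimeter's


class Perimeter:
    """Token registry plus the gate-keeping decision, framework-independent.

    Hypothetical stand-in for the question's "perimeter" app: an in-memory dict
    replaces the database so the logic can be tested without Django.
    """

    def __init__(self, login_path="/perimeter/", clock=time.time):
        self.login_path = login_path
        self._clock = clock   # injectable so expiry can be tested deterministically
        self._tokens = {}     # token -> {"email": str, "expires_at": float}

    def generate_token(self, email, ttl_hours=72):
        """Register a fresh token for ``email``; the owner mails it with the URL."""
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
        self._tokens[token] = {
            "email": self._norm_email(email),
            "expires_at": self._clock() + ttl_hours * 3600,
        }
        return token

    def revoke(self, token):
        """Delete a token; any session holding it is locked out on its next request."""
        self._tokens.pop(token, None)

    def validate(self, email, token):
        """True only if the token exists, is unexpired and is bound to ``email``.

        The email comparison and the miss path both go through compare_digest so
        response time does not reveal which half of the pair was wrong.
        """
        record = self._tokens.get(token.strip().upper())
        if record is None:
            hmac.compare_digest(b"\x00" * 32, b"\x01" * 32)  # burn comparable time
            return False
        email_ok = hmac.compare_digest(
            record["email"].encode(), self._norm_email(email).encode()
        )
        return email_ok and not self._expired(record)

    def login(self, email, token, session):
        """Login-view logic: mark the session and return True, or False (-> 403)."""
        if not self.validate(email, token):
            return False
        session[SESSION_KEY] = token.strip().upper()
        session[SESSION_KEY + "_email"] = self._norm_email(email)
        return True

    def process_request(self, path, session):
        """Middleware logic: returns ("allow", None) or ("redirect", login_path).

        The login path itself is always allowed, otherwise the redirect loops.
        A session is trusted only while its token still exists and is unexpired,
        so revoking a token or letting it lapse takes effect on the next request.
        """
        if path.startswith(self.login_path):
            return ("allow", None)
        record = self._tokens.get(session.get(SESSION_KEY))
        if record is not None and not self._expired(record):
            return ("allow", None)
        return ("redirect", self.login_path)

    def _expired(self, record):
        return self._clock() >= record["expires_at"]

    @staticmethod
    def _norm_email(email):
        return email.strip().lower()
```

Two practical caveats follow from the design rather than from this code. First, a 7-character token is short enough that the login view needs a per-IP or per-email attempt limit; secrets.choice gives unpredictable tokens, but it cannot make 35 bits large. Second, binding the token to the email (rather than the "dumb alternative" of a token alone in the URL) is what lets the owner revoke one guest without touching the others and is what makes the session's perimeter_token_email usable for the tracking the question asks for.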
1 answer


I created my own solution for this - meet Django-Perimeter.

This app is not packaged (yet), so you need to clone the source and add it manually to your own Django site, but it works. It provides the ability to generate access tokens and then secures access to the site (the entire site, not parts of it) with those tokens.

[UPDATE]

This is now available via PyPI - http://pypi.python.org/pypi/django-perimeter

You can install it with pip install django-perimeter
