I'm a bit confused with where do I put the codes for the user authentication stuff (views, templates, urls).
should I create another just for user management?
or should this be included in an app? if yes, do all apps need to have its own authentication codes?
or should this be included in the main project?
You can have one app for your authentication (register, login, forget password and etc).
After a login, there will be a session set on user cookies and you can simply check if the user is authentication with user_obj.is_authenticated function which is available for user objects. if they're not authenticated, simply redirect them to your login address or through an error.