Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Separate LOGIN_FIELD logic into a auth backend to avoid giving tokens… #810

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

hisie
Copy link

@hisie hisie commented Apr 5, 2024

… to non authorized users.

Corrects #795

Copy link
Member

@haxoza haxoza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like overall approach and idea how to fix that. Thank you for implementing that!

I would only slightly improve the way how is_active flag is checked and use ModelBackend.user_can_authenticate method for that.

@tomwojcik thoughts?

Also, this change is not fully backend compatible so it would be good to bump at least minor version but may be we should also consider adding that to next major version.

user = User.objects.filter(**kwargs).first()
if user and not user.check_password(password):
return
if user and user.is_active:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is good to have so djoser is compatible with Django's default auth model backend. However to be fully covered in the future I would either try to call super().authenticate() or at least self.user_can_authenticate().

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your returns. This approach is a simple copy-paste of the current behaviour of djoser, but exported to a custom Auth backend.

The origin of this piece of code is the availability of using a LOGIN_FIELD without a CustomUserModel( #389 and 8f65bff).

My idea is to keep current djoser behavior for people using this way of declaring user model in djoser config and expecting working like today by using a custom auth backend.
All other people expecting standard django behaviour will have nothing to do. Remember that this custom backend will be in a list with other auth backends, so, if the dev includes the django default backend, both login behaviours (default django one, and custom djoser) will be taken in account.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for explaining your point of view! From that perspective it makes some sense it keep it more compatible with current behaviour.

However with any next major release it would be good to use the default Django's auth backend behaviour and implementation.

@tomwojcik would you merge this PR to the upcoming 2.x version or would you wait until version 3? I think I would go for upcoming 2.x with proper documentation in the changelog.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd definitely release the fix in 2.3 as it's a minor security issue, but at the same time I'm not sure if these particular changes are actually needed.

IMO the changes from 8f65bff are incorrect. If the user didn't pass authenticate, then they shouldn't be able to login.

If you need a custom behavior, it's up to the ModelBackend and user manager implementation (like @hisie did). Handling it by Djoser is a shortcut.

Copy link
Author

@hisie hisie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @haxoza. I have leave a comment of why I have chose to not use "standard django methods".

I know this change is incompatible with current djoser, but i have not found a way of recovering standard django auth backend chain check without adding a new django backend.

user = User.objects.filter(**kwargs).first()
if user and not user.check_password(password):
return
if user and user.is_active:
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your returns. This approach is a simple copy-paste of the current behaviour of djoser, but exported to a custom Auth backend.

The origin of this piece of code is the availability of using a LOGIN_FIELD without a CustomUserModel( #389 and 8f65bff).

My idea is to keep current djoser behavior for people using this way of declaring user model in djoser config and expecting working like today by using a custom auth backend.
All other people expecting standard django behaviour will have nothing to do. Remember that this custom backend will be in a list with other auth backends, so, if the dev includes the django default backend, both login behaviours (default django one, and custom djoser) will be taken in account.

Copy link

codecov bot commented Jun 7, 2024

Codecov Report

Attention: Patch coverage is 88.23529% with 2 lines in your changes missing coverage. Please review.

Project coverage is 98.81%. Comparing base (566984a) to head (7cb7cb8).
Report is 43 commits behind head on master.

Files with missing lines Patch % Lines
djoser/backends.py 88.23% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master     #810      +/-   ##
==========================================
- Coverage   99.03%   98.81%   -0.23%     
==========================================
  Files          26       27       +1     
  Lines         833      846      +13     
==========================================
+ Hits          825      836      +11     
- Misses          8       10       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants