This is my user authentication method:
def user_login(request):
if request.method == 'POST':
username = request.POST.get('username')
password = request.POST.get('password')
user = authenticate(username=username, password=password)
if user:
if user.is_active:
login(request, user)
return HttpResponseRedirect(reverse('index'))
else:
print('TEST')
messages.info(request, 'Inactive user')
return HttpResponseRedirect(reverse('index'))
else:
messages.error(request, 'Invalid username/password!')
return HttpResponseRedirect(reverse('index'))
else:
return render(request, 'mainapp/login.html', {})
If user exists and is not active wrong message appears:
messages.error(request, 'Invalid username/password!')
return HttpResponseRedirect(reverse('index'))
instead of:
print('TEST')
messages.info(request, 'Inactive user')
return HttpResponseRedirect(reverse('index'))
I don't have any idea what is wrong here... Any clues?
The default ModelBackend authentication backend started rejecting inactive users in Django 1.10. Therefore your authenticate() call returns None, and you get the Invalid username/password! message from the outer if/else statement.
As Daniel says, if you use the default ModelBackend, you no longer need to check user.is_active in your login view.
If you really want authenticate to return inactive users, then you can use AllowAllUsersModelBackend instead. If you do this, then it is your responsibility to check the is_active flag in your login view.
AUTHENTICATION_BACKENDS = ['django.contrib.auth.backends.AllowAllUsersModelBackend']
The call to authenticate already checks that the user has the is_active flag set, and returns None if not. There is no need to check it separately.
Related
I'm trying to create a login form for my website, but I cannot log into any existing account.
def loginPage(request):
if request.method == 'POST':
username = request.POST.get('username')
password = request.POST.get('password')
try:
user = User.objects.get(username=username)
except:
messages.error(request, 'User does not exist')
user = authenticate(request, username=username, password=password)
if user is not None:
login(request, user)
return redirect('home')
else:
messages.error(request, 'Invalid username/password')
context = {}
return render(request, 'base/login_register.html', context)
Even if I use the correct credentials, it will display:
User does not exist
Invalid username/password
I've also added this to my settings.py:
AUTHENTICATION_BACKENDS = (
'django.contrib.auth.backends.ModelBackend',
)
I've created those accounts manually from the Django admin account, not with a registration form, could this be the issue?
I found the problem. In the html login file, I was missing name="username" and name="password" in the corresponding inputs.
Views.py
def Tourist_login(request):
if request.method == 'POST':
form = Tourist_login_form(request.POST)
if form.is_valid():
username = form.cleaned_data['username']
password = form.cleaned_data['password']
user = authenticate(username=username,password=password)
print(user)
if user is not None:
login(request,user)
messages.success(request,'logged in')
return redirect('home')
else:
messages.error(request,"Invalid login credentials!")
return redirect('touristlogin')
else:
return redirect('touirstlogin')
else:
form = Tourist_login_form()
return render(request,'accounts/tourist_login.html',{'form':form})
In the above code , authenticate function returns none value. But if I'm passing input in form through superuser credentials then it is working fine. I'm not able why is it not taking the username and password passed by the user and only taking superuser username and password.
Please try using this way:
from django.contrib.auth.models import auth
user = auth.authenticate(username=username, password=password)
if user is not None:
auth.login(request, user)
messages.success(request,'logged in')
return redirect('home')
I want the registered user to log in with the Email or PhoneNumber and the Password first. If the user forgot the Password then there should be the possibility to log in with OTP bypassing the Password which would be provided via SMS on the User Phone Number. So Is there any possibility to achieve that?
Here are official docs where the password field is always required.
https://docs.djangoproject.com/en/4.0/topics/auth/customizing/#a-full-example
I know we can change the username to the email or for a phone number if we want but how do we put the condition to login with Password/Random OTP. So how we can achieve that? a suggestion would be appreciated. Thanks
You can make your own CustomLoginBackend as
from django.contrib.auth import get_user_model
class CustomLoginBackend(object):
def authenticate(self, request, email, password, otp):
User = get_user_model()
try:
user = User.objects.using(db_name).get(email=email)
except User.DoesNotExist:
return None
else:
if password is not None:
if getattr(user, 'is_active', False) and user.check_password(password):
return user
else:
if getattr(user, 'is_active', False) and user.otp == otp: #<-- otp included in user table
return user
return None
Then in your login views.
from django.contrib.auth import authenticate, login
from django.contrib import messages
def login_view(request):
if request.method == 'POST':
email = request.POST.get('email', None)
password = request.POST.get('password', None)
otp = request.POST.get('otp', None)
user = authenticate(request, email=email, password=password, otp=otp)
if user is not None:
login(request, user)
# redirect to a success page
return redirect('dashboard')
else:
if password is not None:
# return either email or password incorrect
messages.error(request, "Invalid Email or Password")
return redirect('login')
else:
# return invalid otp
messages.error(request, "Invalid OTP")
return redirect('login')
return render(request, 'login.html')
And at last don't forgot to add AUTHENTICATION_BACKENDS in your settings.py as
AUTHENTICATION_BACKENDS = ['path_to_your.CustomLoginBackend ',]
Yes we can do that using forced login here is an example how i have did this please have a look i have a profile which is one to one relation with user
def login_otp(request):
mobile = request.session['mobile']
context = {'mobile':mobile}
if request.method == 'POST':
otp = request.POST.get('otp')
profile = Profile.objects.filter(mobile=mobile).first()
if otp == profile.otp:
user = User.objects.get(id = profile.user.id)
login(request , user)
return redirect('cart')
else:
context = {'message' : 'Wrong OTP' , 'class' : 'danger','mobile':mobile }
return render(request,'login_otp.html' , context)
return render(request,'login_otp.html' , context)
When I use AuthenticationForm in my login view, I find that when I check form.is_valid(), it returns False if the user creds are incorrect. I thought that is_valid() checks validity based on the form class's validation criteria and not by actually doing a database query. Am I incorrect?
For examples here's a simple login view:
def login_form(request):
if request.method == 'POST':
form = AuthenticationForm(request, data=request.POST)
if form.is_valid():
email = form.cleaned_data.get('username')
password = form.cleaned_data.get('password')
user = authenticate(request, username=email, password=password)
if user is not None:
login(request, user)
messages.info(request, f"Welcome back {request.user.first_name}.")
return redirect('home')
else:
messages.error(request, "Why is this not returned for invalid creds?")
else:
messages.error(request, "This is returned for invalid creds.")
else:
form = AuthenticationForm()
return render(request, 'login.html', {'form': form})
form.is_valid() returns False if I enter a proper email and password for a non-existent account. I would think that it would return True, and user would be None when we authenticate().
Is is_valid() authenticating the user credentials? Please provide a reference.
Yes, it does try to authenticate. Here is what it tests:
def clean(self):
username = self.cleaned_data.get('username')
password = self.cleaned_data.get('password')
if username and password:
self.user_cache = authenticate(username=username,
password=password)
if self.user_cache is None:
raise forms.ValidationError(
self.error_messages['invalid_login'],
code='invalid_login',
params={'username': self.username_field.verbose_name},
)
else:
self.confirm_login_allowed(self.user_cache)
return self.cleaned_data
I have a custom login authentication with mysql table, while logging in how can I compare a hashed password with a plain-password in backends.py (Working fine with plain password)?
class MyBackEnd(object):
def authenticate(self, request, email=None, password=None):
existing_user = RegAuth.objects.get(email=email,password=password)
if not existing_user:
# Checking the user Regauth Custom DB.
user_data = RegAuth.objects.get(email=email,password=password)
if email == user_data.email:
user = RegAuth.objects.create_user(email=email, password=password)
user.save()
return user
else:
return None
else:
return existing_user
def get_user(self, email):
try:
return RegAuth.objects.get(email=email)
except Exception as e:
return False
Login view
def logauth(request):
if request.method == "POST":
email = request.POST['username']
password = request.POST['password']
user = authenticate(request, email=email, password=password)
if user is not None:
messages.error(request, 'if part : user is not None')
login(request, user)
return redirect('emp')
else:
messages.error(request, 'else part : user is None')
return redirect('login_url')
else:
messages.error(request, 'Please provide valid credentials')
return render(request, 'registration/login.html')
Is there any particular reason to diverge from Django's default authentication backend? I see at least a few issues with your authenticate method;
class MyBackEnd(object):
def authenticate(self, request, email=None, password=None):
# 1. password should not be used to retrieve a user, a pk should suffice
existing_user = RegAuth.objects.get(email=email,password=password)
if not existing_user:
# Checking the user Regauth Custom DB.
# 2. if the query before didn't yield results, why would it atp?
user_data = RegAuth.objects.get(email=email,password=password)
if email == user_data.email:
# 3. I'm not sure what flow validates this path, could you explain?
user = RegAuth.objects.create_user(email=email, password=password)
user.save()
return user
else:
return None
else:
return existing_user
For reference here's Django's default authenticate backend method (notice the use of except/else syntax):
def authenticate(self, request, username=None, password=None, **kwargs):
if username is None:
username = kwargs.get(UserModel.USERNAME_FIELD)
try:
user = UserModel._default_manager.get_by_natural_key(username)
except UserModel.DoesNotExist:
# Run the default password hasher once to reduce the timing
# difference between an existing and a non-existing user (#20760).
UserModel().set_password(password)
else:
if user.check_password(password) and self.user_can_authenticate(user):
return user
It;
Tries to retrieve the user, then;
Checks the password, and;
Validates the user's state, then;
Returns the user object to the caller (successful authentication), or
Does NOT return a user to the caller. (failed authentication)
Alternately (no user found), it;
Instantiates a user object, and;
Sets the password using set_password (which hashes it), then;
Does NOT return a user to the caller. (failed authentication)
This alternate flow's usage of set_password is meant to mitigate some timing attacks see: https://code.djangoproject.com/ticket/20760
If you want to register new users, reset a user's password, or anything besides authentication, the authenticate method is not the right place.
I am aware this is not an answer to your question, but I hope it helps you and possibly others to understand the authentication flow and be critical about diverging from it.