Can django handle multiple users with the same username? - django

I mean using the default Django authentication backend and functions.
If two users have the same username but different passwords, is Django able to log in that user and return the correct User object? Or is the authenticate function not able to handle that scenario? I looked on GitHub and I don't think the username field in the User model has to be unique.

Short answer: no.
Long answer:
Django doesn't support having more than one user with the same username because, even with what you are proposing (password differentiation), there is still a chance two users will have the same password.
Even if it weren't like this, I find it very hard to find a reason to let users share their usernames. You can create an "alias" or something additional, and let it be "not unique".
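
The ambiguity described in the answer above, as an added example that is not from the original post or from Django: a constructed in-memory user table with no unique constraint on the username, using salted PBKDF2 from the standard library as a stand-in for Django's password hashers. `DuplicateNameStore`, its methods and the sample accounts are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # constructed value to keep the demo fast, not Django's setting


def hash_password(password, salt=None):
    """Return (salt, digest) for a salted PBKDF2-HMAC-SHA256 hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(password, salt, digest):
    """Re-hash with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class DuplicateNameStore:
    """Hypothetical user table WITHOUT a unique constraint on username."""

    def __init__(self):
        self.rows = []  # (user_id, username, salt, digest)

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.rows.append((len(self.rows) + 1, username, salt, digest))
        return len(self.rows)

    def authenticate(self, username, password):
        """Return every user id the credentials match, not just one."""
        return [uid for uid, name, salt, digest in self.rows
                if name == username and check_password(password, salt, digest)]


def demo():
    store = DuplicateNameStore()
    store.register("owner", "correct horse")   # constructed sample accounts
    store.register("owner", "battery staple")
    store.register("owner", "correct horse")   # same name AND same password
    hashes_differ = store.rows[0][3] != store.rows[2][3]
    return (store.authenticate("owner", "battery staple"),
            store.authenticate("owner", "correct horse"),
            hashes_differ)
```

The second lookup matches two accounts, so the login code has no basis for choosing one. Because each row has its own salt, the stored hashes differ, and a unique constraint on (username, hash) would not have caught the collision at registration.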

Related

Possible to change password in DRF without the previous password?

Say I had a setup that was similar to an office with a system admin. But instead of using email to reset passwords, the system admin did it himself, and then got the password to the user through some other fashion. Is this possible to do in Django? Can I use the hash of the previous password somehow? Is there possibly a way to overwrite the rest-auth in the serializer and view? Please let me know if you guys have any methods for this. I haven't really come across anything that isn't email or Django frontend stuff.
Yes it is possible indeed. The admin could use the admin interface.
Just implement a custom Django admin action for that.
https://docs.djangoproject.com/en/2.1/ref/contrib/admin/actions/
And use user.set_password so you won't have to deal with the hash for the previous password.
If you don't want to use the admin interface you still can use user.set_password from any view.

Integration of django authentication system with Facebook API

I am integrating Django authentication and login system with Facebook Login API. The problem is that once Facebook username will be the same as existing in my project's database so the only solution to the problem is to catch Facebook username and add numbers or something to the string to make it unique? Is it correct? How is it normally handled?
You have several options, I'm sure I won't think of them all.
If you have a unique constraint on the field for 'username', you can add numbers to remain unique.
Remove the unique constraint on the 'username' field. Add a boolean to the user table, to identify users logging in with Facebook. You are probably able to determine when a user logs in with a Facebook account. After logging in you can crossmatch the information with the user you have in the database. Facebook probably has some kind of 'unique' data about a specific user which you can place in your database to differentiate between unique users with the same name.

How can I allow users to register with an email using django-rest-framework-social-oauth2?

I'd like users to be able to register without using a 3rd party if they so choose. Few sites require a username to login anymore, so I'd like to use emails instead of usernames.
django-rest-framework-social-oauth2 combines python-social-auth and django-oauth-toolkit.
python-social-auth includes an EmailAuth backend that should let users register with an email and password. However, I don't understand the implications around using this instead of a Django-specific auth backend, and the docs label it as 'legacy', which sounds a little scary.
In fact, I have no idea how creating accounts, including from 3rd parties, works regarding the Django User Model as it requires a username.
What will I lose using EmailAuth? Is that the ideal way to go here, or is there an alternative?
For reasons I don't understand, Django still doesn't support emails instead of usernames without a custom user model, so regardless I need to use something bespoke or open-source for email-based accounts.
EDIT: python-social-auth just fills the username field with username = email.split('@', 1)[0] as shown here. I think I may need to make a custom Django User model and point python-social-auth to it, but I'm not sure how, and I'm not sure if this should still be used via EmailAuth or independently of python-social-auth.

Custom User model for Django with Facebook Login

On the client side I use the iOS SDK for Facebook to login and I get the Facebook ID and the access token.
Now on the Django side of things I would like to create a user with Facebook ID as the primary identifier and other fields like access token, first name, last name etc (the last two of which I will retrieve from the Graph API on the server side).
I know that I have to create a custom user model.
If you wish to store information related to User, you can use a one-to-one relationship to a model containing the fields for additional information. This one-to-one model is often called a profile model, as it might store non-auth related information about a site user.
This will not be enough as I will be using the Facebook ID and the access token for authentication.
This leaves me with two options: I can substitute a custom user model like so:
AUTH_USER_MODEL = 'myapp.MyUser'
Or I can subclass AbstractUser:
If you’re entirely happy with Django’s User model and you just want to add some additional profile information, you can simply subclass django.contrib.auth.models.AbstractUser and add your custom profile fields.
But that doesn't sound quite right either. Also this design tip has confused me a little more.
Model design considerations
Think carefully before handling information not directly related to authentication in your custom User Model. It may be better to store app-specific user information in a model that has a relation with the User model.
What is the best way to implement what I am trying to do?
Just a side note: The problem of a custom user is that it is often the case that other apps (and yes, you will use them) don't interact correctly with it due to the assumptions they make on the base model for auth.
This will not be enough as I will be using the Facebook ID and the access token for authentication.
I'm not sure you really need a custom user. For instance, I'm using open id for authentication and there is no problem in using the default user: there is just another model with a OneToOne relationship to the default user.
The main concern you should have for a Facebook ID for authentication (and authentication in general) is to have a custom authentication Backend with its own specific facebook authentication.
Internally, authenticate() runs through all installed backends (settings.AUTHENTICATION_BACKENDS) and tries to authenticate the user with one of those.
You can search some of the existing implementations e.g. in Django packages for facebook authentication.
If your users should be enabled to login/register with username, mail and password -> use a OneToOne relationship to django's usermodel to store facebook credentials.
If your usermodel entirely depends on facebook data and you don't want your users to login with username/pass -> substitute the usermodel with AUTH_USER_MODEL = 'myapp.MyUser'.
You might also want to take a look at django-allauth which solves much of your problems in a sweet little package.

Django: Two Users with the same username

How can I extend Auth to allow for multiple users with the same username. In SAAS this is a need because two accounts might have a user called "owner" or something like that.
You could probably subclass the User model and write a custom authentication backend for your new model.
But first I would ask myself "do I REALLY need this?". Having multiple users with the same username sounds like a mess.
The problem with "user names" is that on a site with any decent size population Spencer's Lament (Henry Spencer @ U Toronto, Dept. of Zoology) comes into play: all of the good ones are taken. (He was referring to host names in the pre-DNS days, but it still applies.) The only "name" that is pretty much guaranteed to be unique is ... the email address. If you use that as Django's login identifier, then you can allow the user.username to be non-unique and used as a screen name. You still have to allow for people to change their email addresses, but they should still be unique across all users of a site.
We had to do this for a long-established site, as mentioned in this thread.
You can't. Prefix the user name with the account name instead.
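
One way to build the prefixed name from the last answer, as an added example that is not from the original thread: `scoped_username` and `split_scoped` are hypothetical helpers, and the `+` separator, the case folding and the per-part character policy are assumptions. It applies NFKC normalization (which Django's own `normalize_username` also uses) and rejects the separator inside either part, so two different (account, user) pairs can never produce the same stored username.

```python
import re
import unicodedata

SEPARATOR = "+"  # assumption: a character Django's default username validator accepts
# Assumption: per-part policy. 64 + 1 + 64 characters stays within the
# 150-character username field of Django's default User model.
PART_RE = re.compile(r"[a-z0-9_.-]{1,64}")


def _normalize(part):
    # NFKC folds compatibility forms (e.g. fullwidth letters);
    # casefold removes case-only variants such as "Owner" vs "owner".
    return unicodedata.normalize("NFKC", part).casefold().strip()


def scoped_username(account, username):
    """Return '<account>+<username>', or raise ValueError if a part is unsafe."""
    parts = [_normalize(account), _normalize(username)]
    for part in parts:
        # fullmatch also rejects the separator and empty parts,
        # so splitting the stored value on SEPARATOR is unambiguous.
        if not PART_RE.fullmatch(part):
            raise ValueError(f"invalid account or user name: {part!r}")
    return SEPARATOR.join(parts)


def split_scoped(combined):
    """Inverse of scoped_username for values it produced."""
    account, _, username = combined.partition(SEPARATOR)
    return account, username
```

The login form then takes the account and the user name as separate inputs and passes `scoped_username(account, username)` to the authentication call as the username.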