I'm trying to provide a user registration form without requiring a username to be manually entered. I setup an authentication backend so that users can authenticate with an email address and that works because I can login with the Django admin user. The idea is that my app would create a SHA1 hash of the email address to be stored as the Django username and the user would never see this.
I removed the username field from my registration html template, but I'm not sure how or where I should be generating the username programmatically. I think it should be in the clean_username method of the RegistrationForm, but that method doesn't get called when I use a template without the username field.
Any help would certainly be appreciated.
I got it to work. I don't feel good about having to modify the registration's view method and the default registration backend directly. I'd prefer to have those changes in my own code and am still working to make those changes, but this does indeed work.
Here's how I did it:
Created a custom registration backend called RegBackend that generates a sha1 hash based on the email address and then stores the hexdigest as the username, finally returning a User object.
Map register in urls.py to the new RegBackend that I created in step 1
Modified the django-registration's view register method to create a random username so that the form validates, but I never persist the random username. I copied the request.POST dictionary and set this random username to one of the copy's dictionary keys called data['username']. Then I use the data variable when creating an instance of the form_class. Calling is_valid() on the form would return false because I removed the username from the template, but Django requires a username for registration, so I needed to supply it something.
I didn't use the sha1 hash for the random username because the Django username can only be 30 characters in length while the sha1 hash is 40. Oddly, the custom registration backend didn't complain and can store the sha1 hash, but the form would generate errors because of the length when submitted.
_init_.py (I copied the existing DefaultBackend and modified with the SHA1 portion)
from django.conf import settings
from django.contrib.sites.models import RequestSite
from django.contrib.sites.models import Site
from registration import signals
from registration.forms import RegistrationForm
from registration.models import RegistrationProfile
import hashlib
class RegBackend(object):
def register(self, request, **kwargs):
hash_user = hashlib.sha1()
hash_user.update(kwargs['email'])
username, email, password = hash_user.hexdigest(), kwargs['email'], kwargs['password1']
if Site._meta.installed:
site = Site.objects.get_current()
else:
site = RequestSite(request)
new_user = RegistrationProfile.objects.create_inactive_user(username, email,
password, site)
signals.user_registered.send(sender=self.__class__,
user=new_user,
request=request)
return new_user
#omitted other code from DefaultBackend that I didn't modify
urls.py
url(r'^register/$', register, {'backend': 'registration.backends.default.RegBackend', 'form_class': UserRegistrationForm}, name='registration_register'),
registration/views.py
def register(request, backend, success_url=None, form_class=None,
disallowed_url='registration_disallowed',
template_name='registration/registration_form.html',
extra_context=None):
backend = get_backend(backend)
if not backend.registration_allowed(request):
return redirect(disallowed_url)
if form_class is None:
form_class = backend.get_form_class(request)
if request.method == 'POST':
# I added the next two lines
data = request.POST.copy()
data['username'] = ''.join([choice(letters) for i in xrange(30)])
form = form_class(data=data, files=request.FILES)
if form.is_valid():
new_user = backend.register(request, **form.cleaned_data)
if success_url is None:
to, args, kwargs = backend.post_registration_redirect(request, new_user)
return redirect(to, *args, **kwargs)
else:
return redirect(success_url)
else:
form = form_class()
if extra_context is None:
extra_context = {}
context = RequestContext(request)
for key, value in extra_context.items():
context[key] = callable(value) and value() or value
return render_to_response(template_name,
{'form': form},
context_instance=context)
You might be thinking of subclassing RegistrationForm and then overriding the clean method (I don't like that though, since the clean method has a clear purpose, see https://docs.djangoproject.com/en/dev/topics/forms/modelforms/#overriding-the-clean-method)
A simpler solution might be to prompt the user to enter their email address, then process that form to generate your username, and pass that value to the register view as an extra context . Then instead of removing the username field, assign the hashed value to it and hide it in your template. That way, you won't have to mess around with django-registration itself.
See https://bitbucket.org/ubernostrum/django-registration/src/fad7080fe769/registration/views.py for more info on the extra_context argument.
Related
I have a class-based view that subclasses LoginView.
from django.contrib.auth.views import LoginView
class CustomLoginView(LoginView):
def get_success_url(self):
url = self.get_redirect_url()
return url or reverse_lazy('knowledgebase:user_home', kwargs={
'username':self.request.user.username,
})
I want to override the error message if a user's email is not yet active because they have to click a link sent to their email address. The current default message looks like this:
Instead of saying:
Please enter a correct email address and password. Note that both
fields may be case-sensitive.
I want to say something to the effect of:
Please confirm your email so you can log in.
I tried:
accounts/forms.py
from django.contrib.auth.forms import AuthenticationForm
from django.utils.translation import gettext as _
class PickyAuthenticationForm(AuthenticationForm):
def confirm_login_allowed(self, user):
if not user.is_active:
raise forms.ValidationError(
_("Please confirm your email so you can log in."),
code='inactive',
)
accounts/views.py
class CustomLoginView(LoginView): # 1. <--- note: this is a class-based view
form_class = PickyAuthenticationForm # 2. <--- note: define form here?
def get_success_url(self):
url = self.get_redirect_url()
return url or reverse_lazy('knowledgebase:user_home', kwargs={
'username':self.request.user.username,
})
The result is absolutely no effect when I try to log in with a user that does exist, but hasn't verified their email address yet.
AuthenticationForm docs.
Method - 1
Django uses ModelBackend as default AUTHENTICATION_BACKENDS and which does not authenticate the inactive users.
This is also stated in Authorization for inactive users sections,
An inactive user is one that has its is_active field set to False. The
ModelBackend and RemoteUserBackend authentication backends prohibits
these users from authenticating. If a custom user model doesn’t have
an is_active field, all users will be allowed to authenticate.
So, set AllowAllUsersModelBackend as your AUTHENTICATION_BACKENDS in settings.py
# settings.py
AUTHENTICATION_BACKENDS = ['django.contrib.auth.backends.AllowAllUsersModelBackend']
How much does it affect my Django app?
It doesn't affect anything other than the authentication. If we look into the source code of AllowAllUsersModelBackend class we can see it just allowing the inactive users to authenticate.
Method - 2
Personally, I don't recommend this method since method-1 is the Django way of tackling this issue.
Override the clean(...) method of PickyAuthenticationForm class and call the AllowAllUsersModelBackend backend as,
from django.contrib.auth.backends import AllowAllUsersModelBackend
class PickyAuthenticationForm(AuthenticationForm):
def clean(self):
username = self.cleaned_data.get('username')
password = self.cleaned_data.get('password')
if username is not None and password:
backend = AllowAllUsersModelBackend()
self.user_cache = backend.authenticate(self.request, username=username, password=password)
if self.user_cache is None:
raise self.get_invalid_login_error()
else:
self.confirm_login_allowed(self.user_cache)
return self.cleaned_data
def confirm_login_allowed(self, user):
if not user.is_active:
raise forms.ValidationError(
"Please confirm your email so you can log in.",
code='inactive',
)
Result Screenshot
You need to use AllowAllUsersModelBackend
https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.backends.AllowAllUsersModelBackend
Here you will get instruction for setting custom backend
https://docs.djangoproject.com/en/3.0/topics/auth/customizing/#specifying-authentication-backends
Hope it helps.
I'm not convinced setting up a custom backend is the solution when I simply want to override a message. I did a temporary fix by defining form_invalid. Yes it's hacky but for now, it'll do the trick. Doubt this will help anyone but it was interesting to discover form.errors. Maybe someone can build off this to solve their specific problem.
def form_invalid(self, form):
"""If the form is invalid, render the invalid form."""
#TODO: This is EXTREMELY HACKY!
if form.errors:
email = form.cleaned_data.get('username')
if User.objects.filter(email=email, username=None).exists():
if len(form.errors['__all__']) == 1:
form.errors['__all__'][0] = 'Please confirm your email to log in.'
return self.render_to_response(self.get_context_data(form=form))
I am practicing django user registration using UserCreationForm() and User() class.
My froms.py code is.
from django.contrib.auth.forms import UserCreationForm
from django.contrib.auth.models import User
from django import forms
class user(UserCreationForm):
email = forms.EmailField()
class Meta:
model = User
fields = ('username', 'email', 'password1', 'password2')
My views.py code for this is.
def register(request):
if request.method == 'POST':
form = forms.user(request.POST)
if form.is_valid():
form.save(commit=False)
form.email = form.cleaned_data.get('email')
form.save()
#context = {'form':form, 'er':form.errors}
return redirect('register')
else:
form = forms.user()
context = {'form':form, 'er':form.errors}
return render(request, 'register/register.html', context)
I did not use authenticate() or login() in the registration system.
I have three questions. **In case of using same browser.
When I register does the user automatically log in and create a session number or does not?
If does log in and generate a session value, what happens if registers again with a new value from same browser? Does system delete previous session and generate new session or something else happens.
If I have used authenticate() and login(), what would happen if I try to register again?
It depends on your implementation. As long as you only save a user the user is only written to your DB. https://docs.djangoproject.com/en/2.2/topics/auth/default/#how-to-log-a-user-in
If you successfully created a user, you can't create a user with the same username again as the username is a unique identifier in the Django User Model.
To see if something is written to your session you can look into your DB.
Besides you might consider using an activation mail.
I'm currently trying to figure out how to customize the base Django user login functionality to add e.g. simple-captcha.
I have subclassed "AuthenticationForm" from django.contrib.auth.forms
which first looks great, but if I try to login I'm simply not able to.
I have already debugged the code and currently i only get:
response = wrapped_callback(request, *callback_args,
**callback_kwargs) TypeError: init() takes 1 positional argument but 2 were given
accounts/views.py:
...
login form of django.contrib.auth.forms subclassed (copied) to accounts/forms.py:
...
urls.py:
...
when I used vorujack's way made mistake,finally I found a solution
in url
from django.contrib.auth import views as auth_views
path('login/',auth_views.LoginView.as_view(form_class=forms.new_login_form,
template_name='login.html'), name='login'),
in forms
from django.contrib.auth.forms import AuthenticationForm
class new_login_form(AuthenticationForm):
captcha = CaptchaField(label='验证码', error_messages={"invalid": "验证码错误"})
class Meta:
model = User
fields = ('username', 'password',)
There are a few things wrong here.
The main one is that you've overridden the class init signature so that the first positional argument is request, but you pass the POST data in that position; therefore, the form will never be bound and never valid.
Secondly if the form is invalid you re-instantiate it for some reason, so the template will never show any validation errors. Unless you have a really good reason you should stick to the standard form handling structure shown in the docs.
Putting those together:
def login (request):
if request.method == 'POST':
form = LoginForm(request, data=request.POST)
if form.is_valid():
form.save()
messages.add_message(request, messages.INFO, "You are now logged-In, welcome")
return redirect(reverse('post_list'))
else:
form = LoginForm(request)
args = {'form': form}
return render(request, 'registration/login.html', args)
Note, you don't need the second else block; the single one here is aligned with the first if, and the final return is hit in both cases.
as Daniel said you update init method of form. so you must pass request as first argument.
second is when you validate user info you must authenticate user with authentication backend. but you saved form data.
if you only want to change authentication form you can use login view like this
see below:
urls.py
....
url(r'^accounts/login/$', auth.login, {'authentication_form': LoginForm}, name='login'),
....
if you use django2 and above you can change it like this. first of all create a class based view extended from django.contrib.auth.views.LoginView in this class set form_class to it like this.
from django.conrtib.auth.views import LoginView
...
class NewLoginView(LoginView):
form_class = LoginForm
then you must update your urls like this:
...
url(r'^accounts/login/$', NewLoginView.as_view, name='login'),
...
you must extend your form from django.contrib.auth.forms.AuthenticationForm or you must implement all needed function of this form class.
I finally found a solution, puuh :D
views.py:
...
from django.contrib.auth import update_session_auth_hash, authenticate, login as customlogin
...
def login(request):
if request.method == 'POST':
form = LoginForm(request.POST, request.POST)
if form.is_valid():
username = request.POST['username']
password = request.POST['password']
user = authenticate(request, username=username, password=password)
if user is not None:
customlogin(request, user)
# Redirect to a success page.
return redirect(reverse('post_list'))
return render(request, 'registration/login.html', {'form': form})
else:
return render(request, 'registration/login.html', {'form': LoginForm()})
simply extend the form (Thanks to vorujack)
...
from django.contrib.auth.forms import AuthenticationForm
...
class LoginForm (AuthenticationForm):
captcha = CaptchaField()
urls.py:
url(r'^accounts/login/$', views_accounts.login, name='login'),
the really stupid part is at the login function "form = LoginForm(request.POST, request.POST)"
You really need to pass this for the password and user and beside that and secondary request.POST for the captcha form... Oookay. Anyways, now it works.
Thanks anybody for your help, i really appreciate this community
Let's say i have a form that does something in database and requires user authentication that has been sent by POST, is it possible inside request someone evil to change the user in order to exploit the system?
The following example creates an item in database but requires a logged in user. Can someone send other user's data in request.user?
from django.shortcuts import render, redirect
from django.contrib.auth.decorators import login_required
from items_core.models import Item
from items.forms import CreateItemForm
from django.views.decorators.csrf import csrf_exempt
#csrf_exempt
#login_required
def create(request):
errors = None
if request.method == 'POST':
form = CreateItemForm(request.POST)
if form.is_valid():
try:
Item.objects.get(
name = form.cleaned_data['name'],
user = request.user
)
errors = 'Item already exist. Please provide other name.'
except Item.DoesNotExist:
Item.objects.create(
name = form.cleaned_data['name'],
user = request.user
)
return redirect('items:list')
form = CreateItemForm()
else:
form = CreateItemForm()
template = {
'form':form,
'items':Item.objects.filter(user=request.user),
'request':request,
'errors':errors
}
return render(request, 'items/item_create.html', template)
Thanks!
The request.user object is of type SimpleLazyObject which is added by the auth middleware to the requestobject.
SimpleLazyObject(LazyObject): is used to delay the instantiation of the wrapped class
At the time of requesting the actual logged in user, get_user method gets called.
def get_user(request):
if not hasattr(request, '_cached_user'):
request._cached_user = auth.get_user(request)
return request._cached_user
Here, auth.get_user() would inturn validate this way:
backend_path = request.session[BACKEND_SESSION_KEY]
backend = load_backend(backend_path)
user = backend.get_user(user_id) or AnonymousUser()
Hence if the request.user object is tampered with, this validation would fail as the session data validation would fail
user attribute on request i.e request.useris set by AuthenticationMiddleware. process_request for this middleware internally uses get_user() provided by django auth system which is defined in django.contrib.auth.__init__.py.
This get_user() uses django session and django session internally use cookies. Django session use a cookie with key as sessionid.
So, say a malicious user gets hold of the cookie of a legitimate user and sends this cookie to the server, server will think that the request has come from a legitimate user and will login as the legitimate user. But since the request was sent by the malicious user, he now has access to the resources of the legitimate user.
Update
I tried replacing everything in my custom manager with the following:
def create_user(self, username, email):
return self.model._default_manager.create(username=username)
And that throws an error. I then tried returning the User from my custom user manager and I get 'Cannot assign "": "UserSocialAuth.user" must be a "Barbuser" instance.' thrown from associate_user. It comes from the bowels of django.db.models.fields.related.py. Basically, I'm stuck with knowing how to correctly create users from my custom model mgr. I was going directly off of the docs which lead me to copying everything from django's built in ModelManager. Help?
Update
I'm having trouble configuring django-social-auth. I've been at this for 3-4 days and I'm getting ready to throw in the towel. I have a working existing user registration app installed and I then installed and followed along with the docs on django-social-auth github site. I added the following to my settings.py
INSTALLED_APPS = (
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.sites',
'django.contrib.messages',
'django.contrib.staticfiles',
# Uncomment the next line to enable the admin:
'django.contrib.admin',
# Uncomment the next line to enable admin documentation:
# 'django.contrib.admindocs',
'polls',
'barbuser',
'social_auth',
)
AUTHENTICATION_BACKENDS = (
'social_auth.backends.facebook.FacebookBackend',
'django.contrib.auth.backends.ModelBackend',
)
FACEBOOK_APP_ID = os.environ.get('FACEBOOK_APP_ID')
FACEBOOK_API_SECRET = os.environ.get('FACEBOOK_SECRET')
TEMPLATE_CONTEXT_PROCESSORS = (
'django.contrib.auth.context_processors.auth',
'social_auth.context_processors.social_auth_by_type_backends',
)
#SOCIAL_AUTH_ENABLED_BACKENDS = ('facebook',)
SOCIAL_AUTH_DEFAULT_USERNAME = 'new_social_auth_user'
LOGIN_URL = '/login/'
LOGIN_REDIRECT_URL = '/profile/'
LOGIN_ERROR_URL = '/login-error/'
SOCIAL_AUTH_USER_MODEL = 'barbuser.Barbuser'
My models.py looks like:
from datetime import date
from django.db import models
from django.contrib.auth.models import User
from django.db.models import BooleanField
from django.db.models.fields import DateTimeField
from django.utils import timezone
from django.utils.crypto import get_random_string
class BarbuserManager(models.Manager):
#classmethod
def normalize_email(cls, email):
"""
Normalize the address by converting the domain part of the email address to lowercase.
"""
email = email or ''
try:
email_name, domain_part = email.strip().rsplit('#', 1)
except ValueError:
pass
else:
email = '#'.join([email_name, domain_part.lower()])
return email
def create_user(self, username, email=None, password=None):
"""
Creates and saves a User with the given username, email and password.
"""
email = 'you#email.com' if email.strip() == '' else email
now = timezone.now()
if not username:
raise ValueError('The given username must be set')
email = BarbuserManager.normalize_email(email)
user = User(username=username, email=email,
is_staff=False, is_active=True, is_superuser=False,
last_login=now, date_joined=now)
user.set_password(password)
user.save()
barbuser = Barbuser(user=user, birthday=date.today(), last_login=user.last_login, name=username)
barbuser.save()
return barbuser
def create_superuser(self, username, email, password):
u = self.create_user(username, email, password)
u.is_staff = True
u.is_active = True
u.is_superuser = True
u.save(using=self._db)
return u
def make_random_password(self, length=10,
allowed_chars='abcdefghjkmnpqrstuvwxyz'
'ABCDEFGHJKLMNPQRSTUVWXYZ'
'23456789'):
""" Generates a random password with the given length and given allowed_chars. Note that the default value of allowed_chars does not have "I" or "O" or letters and digits that look similar -- just to avoid confusion. """
return get_random_string(length, allowed_chars)
def get_by_natural_key(self, username):
return self.get(username=username)
class Barbuser(models.Model):
user = models.OneToOneField(User)
username = models.CharField(max_length=200)
last_login = DateTimeField(blank=True)
is_active = BooleanField(default=True)
birthday = models.DateField()
name = models.CharField(max_length=200)
objects = BarbuserManager()
def __init__(self, *args, **kwargs):
me = super(Barbuser, self).__init__(*args, **kwargs)
barbuser = me
return me
def __unicode__(self):
return self.name
def is_authenticated(self):
return self.user.is_authenticated()
I've updated my urls.py to include 'social_auth.urls' and after authentication the user is redirected to ViewProfile view from my views.py:
# Create your views here.
from barbuser.forms import RegistrationForm, LoginForm
from barbuser.models import Barbuser
from django.contrib.auth import authenticate, login, logout
from django.contrib.auth.models import User
from django.http import HttpResponseRedirect
from django.shortcuts import render_to_response
from django.template.context import RequestContext
def create_Barbuser(form):
user = User.objects.create_user(form.cleaned_data['username'], form.cleaned_data['email'], form.cleaned_data['password'])
user.save()
barbuser = Barbuser(user=user, name=form.cleaned_data['name'], birthday=form.cleaned_data['birthday'])
barbuser.save()
def process_form(form, request_context):
if form.is_valid():
create_Barbuser(form)
return HttpResponseRedirect('/profile/')
else:
return render_to_response('register.html', {'form': form}, context_instance=request_context)
def render_blank_registration_form(request):
'''When the user is not submitting the form, show them the blank registration form.'''
form = RegistrationForm()
context = {'form': form}
return render_to_response('register.html', context, context_instance=RequestContext(request))
def BarbuserRegistration(request):
"""
Handles the registration of new Barbwire users.
"""
if request.user.is_authenticated():
return HttpResponseRedirect('/profile/')
if request.method == "POST":
return process_form(RegistrationForm(request.POST), RequestContext(request))
else:
return render_blank_registration_form(request)
def LoginRequest(request):
'''
Handles Login requests.
'''
if request.user.is_authenticated():
return HttpResponseRedirect('/profile/')
if request.method == 'POST':
form = LoginForm(request.POST)
if form.is_valid():
username = form.cleaned_data['username']
password = form.cleaned_data['password']
barbuser = authenticate(username=username, password=password)
if barbuser is not None:
login(request, barbuser)
return HttpResponseRedirect('/profile/')
else:
return render_to_response('login.html', {'form' : form}, context_instance=RequestContext(request))
else:
return render_to_response('login.html', {'form' : form}, context_instance=RequestContext(request))
else:
form = LoginForm()
return render_to_response('login.html', {'form' : form}, context_instance=RequestContext(request))
def LoginError(request):
return render_to_response('login.html', {'form' : LoginForm()}, context_instance=RequestContext(request))
def LogoutRequest(request):
logout(request)
return HttpResponseRedirect('/')
def ViewProfile(request):
if not request.user.is_authenticated():
return HttpResponseRedirect('/login/')
else:
return render_to_response('profile.html',{'barbuser' : request.user.barbuser }, context_instance=RequestContext(request))
My problem is 2-fold. When I add this extra stuff in my models.py:
def facebook_extra_values(sender, user, response, details, **kwargs):
return False
from social_auth.signals import pre_update
from social_auth.backends.facebook import FacebookBackend
pre_update.connect(facebook_extra_values, sender=FacebookBackend)
I get errors on server startup: assert isinstance(to, basestring), "%s(%r) is invalid. First parameter to ForeignKey must be either a model, a model name, or the string %r" % (self.class._name_, to, RECURSIVE_RELATIONSHIP_CONSTANT)
AssertionError: ForeignKey(None) is invalid. First parameter to ForeignKey must be either a model, a model name, or the string 'self'
When I remove it I can go thru the login with facebook flow but I get: AttributeError at /complete/facebook/
'NoneType' object has no attribute 'extra_data'
I'm not sure what I'm missing or where I've gone wrong. could somebody help explain where I'm going wrong?
Update
I've traced the problem in debug and apparently I'm getting an IntegrityError in social_auth.backends.pipeline.social.py in the associate_user function when it tries "UserSocialAuth.objects.create". It then falls back into an Except block that calls social_auth_user() and this function returns None for the social_user. The IntegrityError I'm getting is:
insert or update on table "social_auth_usersocialauth" violates foreign key constraint "social_auth_usersocialauth_user_id_fkey"
DETAIL: Key (user_id)=(17) is not present in table "auth_user".
I'm not familiar enough to know how, where or why to associate a social_user with the user created in my CustomUserManager in my models.py. Also I've removed the facebook_extra_values, extra imports, and the preupdate.connect stuff from the bottom of my models.py since I really don't understand what it does or what it's for. I was merely copying things from the example app trying to fix my first problem with the missing association. Help?
Update
The first problem — the ForeignKey error — is caused by a circular import. The solution is easy and follows convention. Take that signal registering code block at the end of models.py and move it to a new file called barbuser/signals.py. Then in barbuser/__init__.py put the line, from .signals import *
I haven't run your code far enough to get your second error — 'NoneType' object has no attribute 'extra_data' — but I found a couple other issues.
Remove the SOCIAL_AUTH_ENABLED_BACKENDS setting from settings.py. I'm not sure where you got that from, but it's not in the documentation for the current social-auth 0.7.0. It's not in the social_auth code either. Probably an old setting.
You reference a non-existent context processor in settings.py (social_auth_login_redirect). Again, maybe an old function. Make sure you are running the newest social-auth (available through PyPi with pip install django-social-auth). Also, use only the context processors you need, never all of them. (Context processors add variables to the template context. If you aren't using the social_auth variable in your templates then you don't need any of the social-auth context processors.) This is important because two of the processors conflict with each other. From the documentation,
social_auth_backends and social_auth_by_type_backends don't play nice
together.
Make sure you've run ./manage.py syncdb to setup the database for the social-auth Model. If there is no database table for the model, that would cause "UserSocialAuth.objects.create()" to break.
Last thought, Django doesn't like the type of thing you are doing defining your own User Model. It's best to leave auth.User alone and make a UserProfile.
UPDATE
Check your database structure; I suspect the indexes are incorrect. Better yet, just delete the three social_auth_* tables and syncdb again. The UserSocialAuth table has a ForeignKey Constraint to the User Model. It should be mapping "user_id" to "Barbuser.id" but if the table was created before you set the settings.py/SOCIAL_AUTH_USER_MODEL value, then the table will be forever broken because SocialAuth defaulted to Django's Auth.User when the initial SQL was run. Make sense? Anyway, just recreate the tables now that you have Social Auth configured.
Note: Your recent experiment using self.model._default_manager.create() isn't accomplishing anything. "self" is a BarbuserManager; "model" is a Barbuser; "_default_manager" is back to a BarbuserManager. Why? "Barbuser.objects" is the default manager for the Model.
Oh, and you had it correct the first time. BarbuserManager.create_user() needs to return a Barbuser.