Skip to content

use only authenticate for create token #819

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tomwojcik merged 15 commits into from
Nov 9, 2024
Merged

use only authenticate for create token #819

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
d33c399
rollback 8f65bfff16577c7fb0f52bbabf5fb69f6809ba62, add support for Mo…
tomwojcik May 3, 2024
893e0dd
improve test names
tomwojcik May 3, 2024
ec6a328
Merge branch 'master' into feature/#795
tomwojcik Jun 7, 2024
8d92865
resolve conflicts
tomwojcik Jun 7, 2024
e92863f
merge decorators in tests for better readability
tomwojcik Jun 7, 2024
eda2cd9
add pytest-mock to test deps
tomwojcik Jun 7, 2024
7bed216
move tests from webauthn to test_webauthn to fix import collision (py…
tomwojcik Jun 7, 2024
95ae2a7
refactor login/username test cases into pytest TestUsernameLoginFields
tomwojcik Jun 7, 2024
ccd26cf
fix flaky webauthn test
tomwojcik Jun 7, 2024
8e0af13
Merge branch 'refs/heads/master' into feature/#795
tomwojcik Jun 7, 2024
fb084fc
add LoginFieldBackend that allows to log in by LOGIN_FIELD
tomwojcik Jun 7, 2024
f2d7dc4
rm commented out test case
tomwojcik Jun 7, 2024
bc21dcf
update docs for LOGIN_FIELD
tomwojcik Jun 7, 2024
81cd1e2
add test case for user does not exist in LoginFieldBackend
tomwojcik Jun 7, 2024
bd23a35
Update docs/source/settings.rst
tomwojcik Nov 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 3 additions & 7 deletions djoser/serializers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,17 +118,13 @@ def __init__(self, *args, **kwargs):

def validate(self, attrs):
password = attrs.get("password")
params = {settings.LOGIN_FIELD: attrs.get(settings.LOGIN_FIELD)}
params = {"username": attrs.get(settings.LOGIN_FIELD)}
self.user = authenticate(
request=self.context.get("request"), **params, password=password
)
if not self.user:
self.user = User.objects.filter(**params).first()
if self.user and not self.user.check_password(password):
self.fail("invalid_credentials")
if self.user and self.user.is_active:
return attrs
self.fail("invalid_credentials")
self.fail("invalid_credentials")
return attrs


class UserFunctionsMixin:
Expand Down
234 changes: 217 additions & 17 deletions testproject/testapp/tests/test_token_create.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
import django
from unittest import mock

from django.conf import settings as django_settings
from django.contrib.auth import user_logged_in, user_login_failed
from django.contrib.auth.backends import ModelBackend
from django.test import override_settings
from djet import assertions
from rest_framework import status
Expand Down Expand Up @@ -37,9 +40,221 @@ def test_post_should_login_user(self):
self.assertNotEqual(user.last_login, previous_last_login)
self.assertTrue(self.signal_sent)

@override_settings(
AUTHENTICATION_BACKENDS=[
"django.contrib.auth.backends.ModelBackend",
]
)
@override_settings(
DJOSER=dict(django_settings.DJOSER, **{"LOGIN_FIELD": "username"})
)
Copy link
Member

@haxoza haxoza May 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would merge decorators for better readability. It's easy to get confused or just skip one of the override_settings calls. The same applies to tests below this one.

Copy link
Contributor Author

@tomwojcik tomwojcik Jun 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

95ae2a7

def test_login__LOGIN_FIELD_username__USERNAME_FIELD_username(
self,
):
user = create_user()
user_logged_in.connect(self.signal_receiver)
previous_last_login = user.last_login

with mock.patch("djoser.serializers.User.USERNAME_FIELD", "username"):
with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=True
):
response = self.client.post(
self.base_url,
{"username": user.username, "password": user.raw_password},
)
self.assert_status_equal(response, status.HTTP_200_OK)

user.refresh_from_db()
self.assertEqual(response.data["auth_token"], user.auth_token.key)
self.assertNotEqual(user.last_login, previous_last_login)
self.assertTrue(self.signal_sent)

with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=False
):
response = self.client.post(
self.base_url,
{"username": user.username, "password": user.raw_password},
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=True
):
response = self.client.post(
self.base_url, {"email": user.email, "password": user.raw_password}
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=False
):
response = self.client.post(
self.base_url, {"email": user.email, "password": user.raw_password}
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

@override_settings(
AUTHENTICATION_BACKENDS=[
"django.contrib.auth.backends.ModelBackend",
]
)
@override_settings(DJOSER=dict(django_settings.DJOSER, **{"LOGIN_FIELD": "email"}))
def test_login__LOGIN_FIELD_email__USERNAME_FIELD_username(
self,
):
user = create_user()
user_logged_in.connect(self.signal_receiver)
previous_last_login = user.last_login

with mock.patch("djoser.serializers.User.USERNAME_FIELD", "username"):
with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=True
):
response = self.client.post(
self.base_url,
{"username": user.username, "password": user.raw_password},
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=False
):
response = self.client.post(
self.base_url,
{"username": user.username, "password": user.raw_password},
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=True
):
response = self.client.post(
self.base_url, {"email": user.email, "password": user.raw_password}
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=False
):
response = self.client.post(
self.base_url, {"email": user.email, "password": user.raw_password}
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

user.refresh_from_db()
self.assertEqual(user.last_login, previous_last_login)
self.assertFalse(self.signal_sent)

@override_settings(
AUTHENTICATION_BACKENDS=[
"django.contrib.auth.backends.ModelBackend",
]
)
@override_settings(
DJOSER=dict(django_settings.DJOSER, **{"LOGIN_FIELD": "username"})
)
def test_login__LOGIN_FIELD_username__USERNAME_FIELD_email(
self,
):
user = create_user()
user_logged_in.connect(self.signal_receiver)
previous_last_login = user.last_login

with mock.patch("djoser.serializers.User.USERNAME_FIELD", "email"):
with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=True
):
response = self.client.post(
self.base_url,
{"username": user.username, "password": user.raw_password},
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=False
):
response = self.client.post(
self.base_url,
{"username": user.username, "password": user.raw_password},
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=True
):
response = self.client.post(
self.base_url, {"email": user.email, "password": user.raw_password}
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=False
):
response = self.client.post(
self.base_url, {"email": user.email, "password": user.raw_password}
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

user.refresh_from_db()
self.assertEqual(user.last_login, previous_last_login)
self.assertFalse(self.signal_sent)

@override_settings(
AUTHENTICATION_BACKENDS=[
"django.contrib.auth.backends.ModelBackend",
]
)
@override_settings(DJOSER=dict(django_settings.DJOSER, **{"LOGIN_FIELD": "email"}))
def test_login__LOGIN_FIELD_email__USERNAME_FIELD_email(
self,
):
user = create_user()
user_logged_in.connect(self.signal_receiver)
previous_last_login = user.last_login

with mock.patch("djoser.serializers.User.USERNAME_FIELD", "email"):
with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=True
):
response = self.client.post(
self.base_url,
{"username": user.username, "password": user.raw_password},
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=False
):
response = self.client.post(
self.base_url,
{"username": user.username, "password": user.raw_password},
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=True
):
response = self.client.post(
self.base_url, {"email": user.email, "password": user.raw_password}
)
self.assert_status_equal(response, status.HTTP_200_OK)

user.refresh_from_db()
self.assertEqual(response.data["auth_token"], user.auth_token.key)
self.assertNotEqual(user.last_login, previous_last_login)
self.assertTrue(self.signal_sent)

with mock.patch.object(
ModelBackend, "user_can_authenticate", return_value=False
):
response = self.client.post(
self.base_url, {"email": user.email, "password": user.raw_password}
)
self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)

def test_post_should_not_login_if_user_is_not_active(self):
"""In Django >= 1.10 authenticate() returns None if user is inactive,
while in Django < 1.10 authenticate() succeeds if user is inactive."""
user = create_user()
data = {"username": user.username, "password": user.raw_password}
user.is_active = False
Expand Down Expand Up @@ -81,18 +296,3 @@ def test_post_should_not_login_if_empty_request(self):
response.data["non_field_errors"],
[settings.CONSTANTS.messages.INVALID_CREDENTIALS_ERROR],
)

@override_settings(DJOSER=dict(django_settings.DJOSER, **{"LOGIN_FIELD": "email"}))
def test_login_using_email(self):
user = create_user()
previous_last_login = user.last_login
data = {"email": user.email, "password": user.raw_password}
user_logged_in.connect(self.signal_receiver)

response = self.client.post(self.base_url, data)
user.refresh_from_db()

self.assert_status_equal(response, status.HTTP_200_OK)
self.assertEqual(response.data["auth_token"], user.auth_token.key)
self.assertNotEqual(user.last_login, previous_last_login)
self.assertTrue(self.signal_sent)