Comments (5)
The pattern you are showing (user = form.save()) logs a user in while bypassing all security features of Django. If you authenticated the user with authenticate(), the user would have a user.backend attribute and you wouldn't need to specify the authentication backend explicitly. That contributes to the issue here.
Providing a custom authentication backend is the recommended way to authenticate against another source in Django: https://docs.djangoproject.com/en/stable/topics/auth/customizing/
It is also necessary for authenticate() to work as documented.
That being said, some use cases can work without the authentication backend. You can remove it from your configuration. If all the APIs you need still work, I think you're good to go.
I'm going to take a deeper look at this. I'm keeping it open as a documentation issue.
from django-sesame.
Wait - get_user() calls authenticate() so nothing will work without the authentication backend.
from django-sesame.
Right, it's currently needed as is.
But really, the meat of the library is in parse_token. So just doing parse_token() + login() in get_user would work. No need to go through the backend system.
I guess I see custom backends as "authenticating against another source" where source is "active directory" or "SSO" or "something other than a local DB table".
Here's simplified pseudo code for get_user:

    from django.contrib.auth import login
    from django.utils import timezone
    from sesame import settings
    from sesame.tokens import parse_token


    def get_user(request_or_sesame, scope="", max_age=None, *, update_last_login=None):
        # ... setup logic: work out `request` and the token string `sesame`
        #     from request_or_sesame (a request object or a bare token)
        # Simplified call; the real parse_token signature lives in sesame.tokens.
        if user := parse_token(...):
            login(request, user)
            if update_last_login is None:
                update_last_login = settings.ONE_TIME
            if update_last_login:
                user.last_login = timezone.now()
                user.save(update_fields=["last_login"])
            return user
        # invalid or expired token: nothing is logged in
        return None
Either way, library works great as is. Just looking to simplify the setup (since AUTHENTICATION_BACKENDS isn't in the default settings file generated by startproject). I'll close this.
from django-sesame.
I'm not sure I will do something but I'd like to think a bit more about it :-) I'm keeping it open for myself. Thanks for sharing that feedback!
from django-sesame.
Another thing to consider might be that simply calling authenticate with the sesame token leads to the user_login_failed signal just getting the sesame token in credentials, without any further context on the user or why the login failed (e.g. token expired).
from django-sesame.