Comments (13)
@arnuschky what would be the expected error?
from django-rest-framework-jwt.
@jpadilla, the e-mail address in the Django User model can be null. The change in stanhu@e493480 unnecessarily enforced non-null e-mail addresses. The user lookup should still happen if the user_id exists and a JWT token is valid.
Exactly. Getting an invalid token is just wrong, I think. Either token creation fails or the token must validate.
@stanhu @arnuschky yeah that's perfect. Should we then remove completely email from that authenticate_credentials method?
I would say so, yes. In the end it's a model-based decision what identifies a user uniquely and what fields are used, so the only safe choice is user.id, I guess.
@stanhu could you update your PR to include the change stated above?
According to https://docs.djangoproject.com/en/dev/topics/auth/customizing/#auth-custom-user, the requirements for a custom user model include:
Django expects your custom User model to meet some minimum requirements.
Your model must have an integer primary key.
Your model must have a single unique field that can be used for identification purposes. This can be a username, an email address, or any other unique attribute.
Your model must provide a way to address the user in a “short” and “long” form. The most common interpretation of this would be to use the user’s given name as the “short” identifier, and the user’s full name as the “long” identifier. However, there are no constraints on what these two methods return - if you want, they can return exactly the same value.
Would it make sense to include the unique identifier (e.g. username) instead of the e-mail address?
Obviously id may be all that you need, but I do like being able to see human-readable data (as opposed to the database ID) when I decode the payload.
@stanhu you could still leave whatever other data you want on the payload, obviously id would be required in the authentication process. If we add the unique identifier authenticating would validate that user with that pk/id exists, it's active, and it still has the same unique identifier, which might be a case that might confuse people if they accidentally bump into it.
So, my general opinion would be to use authenticate with the primary key and is_active. You could still leave the email and username in the payload encoder.
Thoughts?
Agreed; I like the simplicity. Pull request has been updated.
Agree as well. Everything other than id is model/usecase-dependent and should go in the payload encoder.
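The authentication flow the thread settles on (verify the token, look the user up by primary key, check is_active, and never require the e-mail claim) as an added, self-contained example. This is not code from the django-rest-framework-jwt project: the in-memory USERS table, the SECRET, the claim names and the HS256 encode/decode written out with the standard library are all constructed here so the example runs offline (the project itself delegates signing and verification to PyJWT).

```python
"""Added example (not django-rest-framework-jwt code): HS256 JWT round-trip
plus a payload-based authenticate step keyed on the primary key and
is_active only. USERS, SECRET and the claim layout are constructed."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-secret-not-for-production"  # constructed for the example

# Constructed stand-in for the Django User table (pk -> attributes).
# User 2 has a null e-mail, which an e-mail-based lookup would reject.
USERS = {
    1: {"username": "alice", "email": "alice@example.com", "is_active": True},
    2: {"username": "bob", "email": None, "is_active": True},
    3: {"username": "carol", "email": "carol@example.com", "is_active": False},
}


class AuthenticationFailed(Exception):
    """Raised for any token or user problem; callers map it to HTTP 401."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_payload_handler(user_id: int, lifetime: int = 300) -> dict:
    """Payload encoder: user_id is the only claim authentication relies on;
    username and email stay as human-readable, informational claims."""
    user = USERS[user_id]
    return {
        "user_id": user_id,
        "username": user["username"],
        "email": user["email"],
        "exp": int(time.time()) + lifetime,
    }


def jwt_encode(payload: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def jwt_decode(token: str) -> dict:
    """Verify signature and expiry before any claim is trusted."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise AuthenticationFailed("Malformed token")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise AuthenticationFailed("Error decoding signature")
    payload = json.loads(b64url_decode(body))
    # A missing exp is treated as expired rather than as unlimited.
    if payload.get("exp", 0) < time.time():
        raise AuthenticationFailed("Signature has expired")
    return payload


def authenticate_credentials(payload: dict) -> dict:
    """Lookup keyed on user_id and is_active only. The e-mail claim, which
    may be null in Django's User model, is never consulted."""
    user_id = payload.get("user_id")
    if not isinstance(user_id, int):
        raise AuthenticationFailed("Invalid payload")
    user = USERS.get(user_id)
    if user is None:
        raise AuthenticationFailed("User does not exist")
    if not user["is_active"]:
        raise AuthenticationFailed("User account is disabled")
    return user


def authenticate(token: str) -> dict:
    """Full path: verified token -> payload -> active user by primary key."""
    return authenticate_credentials(jwt_decode(token))


if __name__ == "__main__":
    # Null e-mail is fine: the lookup never touches it.
    print(authenticate(jwt_encode(jwt_payload_handler(2)))["username"])
```

The order of checks matters: the signature and expiry are verified before the payload is read at all, so an unsigned or tampered body never reaches the user lookup, and the lookup itself depends on nothing that a custom user model is free to leave null or rename.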
To test this, should I clone, or has this change already made its way into pip? Sorry for asking, I haven't fully understood the Python packaging process yet.
@arnuschky If you'd like to run tests against the latest code in the master branch you could clone it and then run:
python setup.py install
I'll try and release this into PyPI sometime this week. I'll update this thread and close the issue when I do.
Tested and confirmed to be working as expected. Thanks!