This repository has been archived by the owner on May 26, 2020. It is now read-only.

For inactive user, JSONWebTokenSerializer.validate() raises Unable to login with provided credentials. #303

Open
ibrahim12 opened this issue Jan 29, 2017 · 5 comments

Comments

@ibrahim12

For inactive user, JSONWebTokenSerializer.validate() raises Unable to login with provided credentials.

Django Version 1.10.5

Django Model Backend's authenticate method checks as follows,

if user.check_password(password) and self.user_can_authenticate(user):
    return user

And user_can_authenticate method is

def user_can_authenticate(self, user):
    """
    Reject users with is_active=False. Custom user models that don't have
    that attribute are allowed.
    """
    is_active = getattr(user, 'is_active', None)
    return is_active or is_active is None

So, if the user is inactive, the JSONWebTokenSerializer.validate method returns the wrong response, as it doesn't go to that block of code because user is None.

if user:  # <- This is None, for inactive user.
    if not user.is_active:
        msg = _('User account is disabled.')
        raise serializers.ValidationError(msg)

    payload = jwt_payload_handler(user)

    return {
        'token': jwt_encode_handler(payload),
        'user': user
    }
else:
    msg = _('Unable to login with provided credentials.')
    raise serializers.ValidationError(msg)

@RubenSchmidt

Is this not related to the Django 1.10 change for the ModelBackend? Inactive users are not allowed to authenticate by default any more. You have to use AllowAllUsersModelBackend (https://docs.djangoproject.com/en/1.10/ref/contrib/auth/#django.contrib.auth.backends.AllowAllUsersModelBackend) to allow inactive users to authenticate.

@igsm

igsm commented Oct 22, 2017

I face the same issue. I still do NOT want to authenticate an inactive user; however, I'd like to differentiate the error response. It always throws the 'wrong credentials' error. How can I solve this problem?

@manan

manan commented Nov 25, 2017

This would help me a lot too.

@mrtysn

mrtysn commented Dec 18, 2017

I am also looking for a workaround for this problem. Is overriding the VerifyJSONWebTokenSerializer a good idea?

@jeanmw

jeanmw commented Jan 31, 2019

Also waiting for a resolution to this issue.
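
An added example, not code from this project or from Django: a stand-alone standard-library model of the flow discussed in this thread. `authenticate` mirrors the ModelBackend check quoted above; `login`, the user table and the PBKDF2 hashing are hypothetical constructions showing one ordering that returns the disabled-account message only after the password has verified, so the message does not disclose account state to a caller who lacks the password.

```python
import hashlib
import hmac
import os

GENERIC = "Unable to login with provided credentials."
DISABLED = "User account is disabled."


def _hash(raw, salt):
    return hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, 10_000)


class User:  # constructed stand-in for a Django user model
    def __init__(self, username, password, is_active=True):
        self.username, self.is_active = username, is_active
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)

    def check_password(self, raw):
        return hmac.compare_digest(_hash(raw, self.salt), self.pw_hash)


# Constructed sample accounts: one active, one deactivated.
USERS = {u.username: u for u in (User("alice", "s3cret"),
                                 User("bob", "hunter2", is_active=False))}


def authenticate(username, password):
    """Same decision as the ModelBackend check quoted in the issue."""
    user = USERS.get(username)
    if user and user.check_password(password) and user.is_active:
        return user
    return None  # wrong password and inactive account look identical here


def login(username, password):
    """Return (user, error); exactly one password hash on every path."""
    user = USERS.get(username)
    if user is None:
        _hash(password, b"constructed-salt")  # equal work for unknown names
        return None, GENERIC
    if not user.check_password(password):
        return None, GENERIC  # no account-state hint without the password
    if not user.is_active:
        return None, DISABLED  # only reachable with the correct password
    return user, None
```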
