I have found a bug that passing username "0" and password "0" successfully receives a token

[ghost]

Even though there is no user with username "0" in the system.

[ghost]

I am using the /api-token-auth/ endpoint as follows:

    var data = {};
    data['username'] = username;
    data['password'] = password;

    session.set('error', '');

    /* Sign in */
    $.post(session.url_signin, data, null, 'json').then(
        function(response){

...

[jpadilla]

Hey @bbalban thanks for reporting this. It would help if you could write a test that shows this behaviour.

[jpadilla]

@bbalban added a test to try and reproduce, but got all tests passing. Check it out to see if I'm correctly reproducing it.

[ghost]

Hi @jpadilla also tried: curl -X POST -H "Content-Type: application/json" -d '{"username":"0","password":"0"}' http://127.0.0.1:8000/api-token-auth/ to make sure it is not my javascript and still getting a token. I'll try your test next. It could be something wrong with my setup but will see.

[ghost]

Sorry for the false alarm. It seemed to be wrong since I had no user with ID 0 reported by DRF, though it turns out I had a user with username 0.