I've noticed, while building an app using django-magiclink, that the behavior of the Login view differs between valid and invalid email addresses.
Depending on the context of the application this could be bad, as it enables third parties to enumerate valid account addresses.
Testing possible remediations, I've subclassed the Login view in my app and do something like this currently:
```python
from django.contrib.auth import logout
from django.http import HttpResponseRedirect

from magiclink import settings
from magiclink.forms import LoginForm
from magiclink.utils import get_url_path
from magiclink.views import Login


class CustomLogin(Login):
    # ...
    def post(self, request, *args, **kwargs):
        logout(request)
        context = self.get_context_data(**kwargs)
        context['require_signup'] = settings.REQUIRE_SIGNUP
        form = LoginForm(request.POST)
        if not form.is_valid():
            # NO_EMAIL_ENUMERATION is a proposed setting, not one magiclink currently has.
            # This could be a good setting to disable by default
            if form.errors.get("email", False) and settings.NO_EMAIL_ENUMERATION:
                if len(form.errors) == 1:
                    # The email is the only problem: respond exactly as if the link was sent
                    sent_url = get_url_path(settings.LOGIN_SENT_REDIRECT)
                    return HttpResponseRedirect(sent_url)
                # Other fields are invalid too: show those, but hide the email verdict
                form.errors.pop("email")
            context['login_form'] = form
            return self.render_to_response(context)
        # ...
```
I'd be happy to contribute some improvements in that direction if this fits with what's best for the project, just let me know.
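To make the property being asked for concrete, here is an added, framework-independent model of the same idea; it is example code written for this page, not django-magiclink's own view or form. It assumes a constructed set of registered addresses, an assumed redirect path `LOGIN_SENT_URL`, a stand-in `validate()` for the form's `is_valid()`, and an in-memory outbox in place of actually emailing a link. The point it demonstrates is that, with enumeration protection on, a request for a known and an unknown address produce byte-for-byte identical responses, while a link is still only issued to the known one; errors on other fields are still reported without revealing the email verdict.

```python
"""Login handler that does not reveal whether an email address has an account."""
import re
from dataclasses import dataclass, field

# Constructed sample data: only these addresses would receive a magic link.
KNOWN_EMAILS = {"alice@example.com", "bob@example.com"}
LOGIN_SENT_URL = "/auth/login/sent/"  # assumed redirect target (LOGIN_SENT_REDIRECT)

# Stand-in for the mail backend: records (address) of every link "sent".
OUTBOX: list[str] = []


@dataclass(frozen=True)
class Response:
    """Minimal stand-in for an HTTP response: status, Location header, form errors."""
    status: int
    location: str = ""
    errors: tuple = field(default_factory=tuple)


def validate(post_data: dict) -> dict:
    """Mimics LoginForm.is_valid(): returns {field: message}.

    The 'email' entry is the one that leaks account existence, because it is
    only set when the address is malformed or not registered.
    """
    errors = {}
    email = post_data.get("email", "")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        errors["email"] = "Enter a valid email address."
    elif email not in KNOWN_EMAILS:
        errors["email"] = "No account exists for this address."
    if not post_data.get("consent"):
        errors["consent"] = "You must accept the terms."
    return errors


def send_magic_link(email: str) -> None:
    """Record the send instead of emailing; only ever called for known accounts."""
    OUTBOX.append(email)


def login_post(post_data: dict, no_email_enumeration: bool = True) -> Response:
    """Handle a login POST.

    With no_email_enumeration=True the response never depends on whether the
    address is registered: an unknown address gets the same redirect as a
    known one, and when other fields are also wrong only those are shown.
    """
    errors = validate(post_data)
    if no_email_enumeration and "email" in errors:
        if len(errors) == 1:
            # Email is the only problem: behave exactly like a successful send.
            return Response(302, location=LOGIN_SENT_URL)
        # Other fields are wrong too: report them, but drop the email verdict.
        errors.pop("email")
    if errors:
        return Response(200, errors=tuple(sorted(errors.items())))
    send_magic_link(post_data["email"])
    return Response(302, location=LOGIN_SENT_URL)


if __name__ == "__main__":
    known = login_post({"email": "alice@example.com", "consent": True})
    unknown = login_post({"email": "nobody@example.com", "consent": True})
    print("identical responses:", known == unknown)
    print("links issued to:", OUTBOX)
```

Note that this only closes the response-content channel. If the link is sent synchronously, the known-account path still does more work (rendering and delivering mail), so response timing can differ; queueing the send through a task runner so the view returns before the mail is built keeps the two paths on the same code path from the client's perspective.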