Enable auth validate passwords #5696

Merged
humitos merged 2 commits into master from humitos/auth-password-validators on May 15, 2019

@humitos humitos commented May 14, 2019

Define some simple validators to use when creating a new user or
changing the password.

https://docs.djangoproject.com/en/1.11/topics/auth/passwords/#module-django.contrib.auth.password_validation

Closes #5551

@humitos humitos requested review from davidfischer and May 14, 2019

@ericholscher ericholscher left a comment

I'm not convinced we should turn these on for dev. I have to type these passwords all the time, and really don't want them to be real passwords.

'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
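
Review bot: In the UserAttributeSimilarityValidator entry, the dict closes right after 'NAME' with no 'OPTIONS', so the validator runs with Django's default user_attributes and max_similarity. If those defaults are the intended policy, a short comment above the list saying so, and noting that dev settings may override the list, would help anyone reusing this base settings file.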

@ericholscher ericholscher May 14, 2019

I really dislike these defaults in dev. I think these should likely only be prod settings, or disabled explicitly in dev settings.

@davidfischer davidfischer commented May 14, 2019

I'm in favor of these settings being present in the base settings file as they are in this PR. This helps others who take our code to do the right thing as well as ensuring that all the different instances we control (community site, corporate site, etc.) have sound security defaults.

I can understand @ericholscher's position and we could also set AUTH_PASSWORD_VALIDATOR=[] in dev.py to ease the development settings.

@humitos humitos commented May 14, 2019

> I can understand @ericholscher's position and we could also set AUTH_PASSWORD_VALIDATOR=[] in dev.py to ease the development settings.

I like this. I will update the PR for this.


@davidfischer davidfischer left a comment

I also verified that django-allauth will use this setting.

@humitos humitos merged commit 2fa1989 into master May 15, 2019
1 check passed
@delete-merged-branch delete-merged-branch bot deleted the humitos/auth-password-validators branch May 15, 2019