I want to login with handler.
I have a code use session but i want to use handler:
I have visit :
https://docs.djangoproject.com/en/1.11/topics/auth/default/
But i don't understand complete.
I want to log user (with username or email and password)
Do you have a code for example or project in stackoverflow or github or . . . ???
login the user is easy if you are using default user model from django.contrib.auth.models
from django.contrib.auth import authenticate, login
def user_login(request):
# check here that request.method is POST or not.
user = authenticate(username=request.POST.get('username'), password=request.POST.get('password'))
if user is not None:
login(request, user)
# send some http response here that login successful or redirect to some other page
else:
# return an error page saying that username password not correct
authenticate function will check for username and password in User table in the database if it founds a user matching query then it returns the user object else it will return None. You might not want to manage sessions as django already sets a cookie for every user that successfully logs in so if user has logged in once then he will not be required to enter password again.
Related
I have a requirement, from login page jump to the admin page, you know the URL address should change to the admin page.
If I only use render to admin page, the URL address will not change, so in this post I get the OptimusCrime's good answer.
But if I redirect and then render template, I can not pass the request from login page to the admin page.
in the login page's views.py:
...
return redirect('/app_admin/index/')
in the admin page's views.py:
...
return render(request, 'app_admin/index.html') # there the request is None.
How can I pass the request to the admin page's views.py?
You should take a look at some basic Django tutorials, such as this one, which describes how to create a login handler.
The gist is this:
In the view where the user submit the form, you evaluate the username and/or password. If the submitted the correct information (username and password), then save this information in the session. Redirect the user to the logged in (restricted) area and check the session. If the session has the correct information, then allow the user to view the content, otherwise redirect the user out.
Simple login logic (illustrative):
def login(request):
m = Member.objects.get(username=request.POST['username'])
if m.password == request.POST['password']:
# Username and password is correct, save that the user is logged in in the session variable
request.session['logged_in'] = True
request.session['username'] = request.POST['password']
# Redirect the user to the admin page
return redirect('/app_admin/index/')
else:
# Username and/or password was incorrect
return HttpResponse("Your username and password didn't match.")
Simple admin page logic (illustrative):
def admin_index(request):
# Make sure that the user is logged in
if 'logged_in' in request.session and request.session['logged_in']:
# User is logged in, display the admin page
return render(
request,
'app_admin/index.html',
{'username': request.session['username']}
) # You can now use {{ username }} in your view
# User is not logged in and should not be here. Display error message or redirect the user to the login page
return HttpResponse("You are not logged in")
Note that these are two different views (and URLs), that you have to map up in your urlpatterns.
I am attempting to learn Django's authentication system by contriving a basic login scenario. My views are set up such that a view, logIn, either receives a user's credentials (and prints the success/failure of the login), or it renders a login form.
A second view, privatePage, is designed as a sanity check that the user is actually logged in. The code is as follows:
views.py:
#login_required(login_url='/logIn')
def privatePage(request):
return HttpResponse("You're viewing a private page")
#csrf_exempt
def logIn(request):
if request.method == "POST" and \
request.POST.get('email') and \
request.POST.get('password'):
user = authenticate(username=request.POST['email'],
password=request.POST['password'])
return HttpResponse('Valid login' if user is not None else 'Invalid login')
# render login form
return HttpResponse("<form>...</form>")
I'm finding that after succcessfully logging in via the logIn view, I am still redirected to the login view upon trying to visit privatePage. FYI, I'm attempting to visit the privatePage view directly by URL, as opposed to navigating through provided links (e.g. I'm not sure if I'm violating some CSRF rule).
Any idea what's going on?
You've not actually logged in. You need to login the user after verifying their identity with authenticate:
from django.contrib.auth import login
user = authenticate(email=email, password=password)
if user is not None:
login(request, user)
login should only be used on users that have been confirmed to exist.
What authenticate does:
verifies a user is who they claim to be
It does not perform the actual login.
To keep the user logged in a session must be provided to user with usage of login() method. Login is the process of providing user with a session and authenticate() verifies that the given credentials corresponds to an existing user model object in database . Import django's built in login and authenticate methods from django.contrib.auth import authenticate, login. And then your code looks like
user =authenticate(email, password)
If user:
login(user, request)
Hope it helps :)
I'm using Django 1.8.4 on Python 3, and attempting to create an auth backend which validates a cookie from a legacy ColdFusion web site and create / log the Django user in after checking the value in a database. In settings, I am including the backend:
AUTHENTICATION_BACKENDS = (
'site_classroom.cf_auth_backend.ColdFusionBackend',
)
And the code for the backend itself; SiteCFUser is a model against the SQL Server database user model which contains the active cookie token value:
from django.contrib.auth.backends import ModelBackend
from django.contrib.auth import get_user_model
from users.models import SiteCFUser
class ColdFusionBackend(ModelBackend):
"""
Authenticates and logs in a Django user if they have a valid ColdFusion created cookie.
ColdFusion sets a cookie called "site_web_auth"
Example cookie: authenticated#site+username+domain+8E375588B1AAA9A13BE03E401A02BC46
We verify this cookie in the MS SQL database 'site', table site_users, column user_last_cookie_token
"""
def authenticate(self, request):
User = get_user_model()
print('Hello!')
token=request.COOKIES.get('site_web_auth', None)
print('Token: ' + token)
cookie_bites = token.split('+')
if cookie_bites[0] != "authenticated#site":
# Reality check: not a valid site auth cookie
return None
username = cookie_bites[1]
cf_token = cookie_bites[3]
try:
site_user = SiteCFUser.objects.using('mssqlsite').filter(cf_username=username)
except:
# No user found; redirect to login page
return None
if site_user[0].cftoken == cf_token:
try:
# Does the user exist in Django?
user = User.objects.get(username=username)
except:
# User does not exist, has a valid cookie, create the User.
user = User(username=username)
user.first_name = site_user[0].cf_first_name
user.last_name = site_user[0].cf_last_name
user.email = site_user[0].cf_email
user.save()
else:
return None
def get_user(self, user_id):
User = get_user_model()
try:
return User.objects.get(pk=user_id)
except User.DoesNotExist:
return None
The problem is, the backend doesn't seem to be called when hitting a URL with a view with #login_required, or even trying to log in through a form with username and password. If I force an error by changing the name of the class in settings, or change the name of the class in cf_auth_backend.py, I do get an error. However, none of the print statements show up in the console. I'm clearly missing something here: any idea what I'm not doing right?
While the accepted answer might have helped the OP, it's not a general answer to the question's title.
Authentication back ends do work simply by listing them in AUTHENTICATION_BACKENDS. But they may appear to be ignored
for various reasons, e.g.:
urls.py needs to point to something like django.contrib.auth.views.login
url(r'^accounts/login/$', django.contrib.auth.views.login)
if it's pointing to some other authentication app. AUTHENTICATION_BACKENDS
may not work.
the authenticate() method must accept a password keyword, either through
password=None or **kwargs. Probably true for username too. It won't
be called if it doesn't accept that keyword argument.
Authentication backends doesn't work that way. They won't be called on each request or on requests where authentication is required.
If you want to log in user based on some cookie, you should call authentication in middleware.
I don't know what it is good time to use the param.
djangoproject it describes below:
Boolean. Designates whether this user account should be considered active. We recommend that you set this flag to False instead of deleting accounts; that way, if your applications have any foreign keys to users, the foreign keys won’t break.
This doesn’t necessarily control whether or not the user can log in. Authentication backends aren’t required to check for the is_active flag, and the default backends do not. If you want to reject a login based on is_active being False, it’s up to you to check that in your own login view or a custom authentication backend. However, the AuthenticationForm used by the login() view (which is the default) does perform this check, as do the permission-checking methods such as has_perm() and the authentication in the Django admin. All of those functions/methods will return False for inactive users.
readthedocs it describes below:
Authorization for inactive users
An inactive user is a one that is authenticated but has its attribute is_active set to False. However this does not mean they are not authorized to do anything. For example they are allowed to activate their account.
The support for anonymous users in the permission system allows for a scenario where anonymous users have permissions to do something while inactive authenticated users do not.
Do not forget to test for the is_active attribute of the user in your own backend permission methods.
Anyone can give some example that let me know the param needs to notice or how to use it.
from django.contrib.auth import authenticate
user = authenticate(username='john', password='secret')
if user is not None: #to check whether user is available or not?
# the password verified for the user
if user.is_active:
print("User is valid, active and authenticated")
else:
print("The password is valid, but the account has been disabled!")
else:
# the authentication system was unable to verify the username and password
print("The username and password were incorrect.")
This will be helpful for you to understand django authentication.
An inactive user is one that has its is_active field set to False.
As of django version 1.10: The ModelBackend (the default authentication backend) and RemoteUserBackend authentication backend prohibits these inactive users from authenticating. So, if you use those backends you won't need to use the following style:
#authentication has been successful now...
if user.is_active:
login(request,user)
#redirect to success page
else:
#return disabled account error message
If a custom user model doesn’t have an is_active field, all users will be allowed to authenticate.
Previous to version 1.10 ModelBackend allowed inactive users to authenticate- this was useful first where you allowed the user to authenticate and then you allowed a user to activate their account (only after they had successfully authenticated).
Please note that the #login_required decorator does not check for the is_active flag on the user. #login_required
check AUTHENTICATION_BACKENDS to see which ones you are using.
see https://docs.djangoproject.com/en/1.10/topics/auth/customizing/
def MyFormView(request):
if request.method == 'POST':
m_form = myform(request.POST)
a_form = AccountForm(request.POST)
if m_form.is_valid() and a_form.is_valid():
user = m_form.save()
user.is_active = True
a_form.instance.user = user
a_form.save()
messages.success(request,f'Your Account Has Been created')
return redirect('/')
else:
m_form = myform()
a_form = AccountForm()
return render(request, 'app/index.html', {'m_form':m_form, 'a_form':a_form})
Using django-socialregistration, got following error:
'AnonymousUser' object has no attribute 'backend'
How,
I click on facebook connect url.
That took me Facebook and ask me to login. So I did, asked permission, I granted.
After that it redirect me to my site. And ask to setup. I provide user and email address.
Once I submit, got error like above:
Trace point:
path/to_file/socialregistration/views.py in post
128. self.login(request, user)
Do anybody know, what's wrong?
Oh man i used to get this error all the time, basically you are calling
self.login(request, user)
without calling
authenticate(username=user, password=pwd)
first
when you call authenticate, django sets the backend attribute on the user, noting which backend to use, see here for more details
https://docs.djangoproject.com/en/dev/topics/auth/#django.contrib.auth.authenticate
I had the same error for a newly registering user.
def attempt_login(self, email, password):
user = authenticate(username=email, password=password)
login(self.request, user)
return user
I checked into database and the User has been created after registration, but this error was still there.
I figured out - user's login ( email ) was longer than 30 characters, and the form field had no validation. The username would get truncated in the database, and therefore authenticate was called for non-existent login.
254 - character is the advised length of email field.
Solution: emailfield-max_length-r11092.patch
I just got this error and found this post.. My solution was in the case was in the registration process. When the user was registering, my api and serializer wasn't hashing the password.. So in the api_view i had to manually hash the password like this..
from django.contrib.auth.hashers import make_password
# In the register api..
#ensure_csrf_cookie
#api_view(['POST'])
def register_api(request):
# Anywhere before the serializer
request.DATA['password'] = make_password(request.DATA['password'])
# Then the serializer
serializer = RegisterSerializer(data=request.DATA)
# ... etc.. Note that if you want to login after register you will have
# to store the initial password is some buffer because.. authentication
# the none hashed version.. then
authenticate(username=request.DATA['username'], password=someBuffer)
Hope that helps someone..