jazzband / django-two-factor-auth

Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects.
MIT License

Login Form - when username doesn't exist - new user is created in database #613

Open Prasivec opened 1 year ago

Prasivec commented 1 year ago

I'm using django-two-factor-auth in my project for login of users. It works fine when it comes to entering valid credentials, and 2FA also works great. BUT, if I enter invalid credentials:

1) valid user name and invalid password = page reload without any error message
2) invalid user name and any password = page refresh and a NEW user is created in the database.

Is this normal behavior or some issue? Is there any solution to disable this behavior and display the corresponding error message?

Prasivec commented 1 year ago

I'm using a CustomUser model:

```python
from django.contrib.auth.models import AbstractUser
from django.db import models
from django.utils import timezone

# Department, Team and UserType are the project's own models (not shown in the issue)


class CustomUserModel(AbstractUser):
    # MAKING email field mandatory
    email = models.EmailField(unique=True)
    # KEEP TRACK OF USER'S PASSWORD CREATION DATE TO ENFORCE 3MONTH MAX VALIDITY
    password_created_date = models.DateTimeField(default=timezone.now, null=False, blank=False)
    # WHICH DEPARTMENT IS USER MEMBER OF
    department = models.ForeignKey(Department, on_delete=models.PROTECT, default=1, null=False, blank=False)
    # WHICH TEAM IS USER MEMBER OF
    team = models.ForeignKey(Team, on_delete=models.PROTECT, default=1, null=False, blank=False)
    # USER TYPE - DETERMINES SOME ATTRIBUTES FOR USER - I.E. MAX AMOUNT OF ACTIVITY
    user_type = models.ForeignKey(UserType, on_delete=models.PROTECT, default=1, null=False, blank=False)
    # FIRST NAME - REQUIRED FIELD
    first_name = models.CharField(max_length=30, blank=False, null=False)
    # LAST NAME - REQUIRED FIELD
    last_name = models.CharField(max_length=30, blank=False, null=False)

    # OVERRIDE DEFAULT SAVE METHOD FOR USER THAT EMAIL IS REQUIRED ELSE - ValueError
    def save(self, *args, **kwargs):
        if not self.email:
            raise ValueError("Email field is required")

        super().save(*args, **kwargs)

    # OVERRIDE DEFAULT SAVE PASSWORD METHOD SO THAT DATE OF CREATION IS ALSO CREATED
    def set_password(self, raw_password):
        super().set_password(raw_password)
        self.password_created_date = timezone.now()
        self.save()
```

The result of using invalid credentials is:

```text
ValueError at /account/login/

Email field is required

Request Method:   POST
Request URL:      http://127.0.0.1:8000/account/login/
Django Version:   4.1.7
Exception Type:   ValueError
Exception Value:  Email field is required
```
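The behaviour reported above, reproduced as an added example that is not part of this thread and not code from django-two-factor-auth. It is a stand-alone simulation in plain Python, so it does not need Django installed. One fact it relies on: Django's `ModelBackend.authenticate()` handles an unknown username by calling `UserModel().set_password(password)` on a fresh, unsaved instance, so a failed lookup costs about as much as a real hash check. A `set_password()` override that calls `self.save()` therefore persists that throwaway instance: without an email check a blank user row is inserted, and with the check in `save()` the request ends in `ValueError("Email field is required")`. Every class and function name here (`BaseUser`, `LeakyUser`, `FixedUser`, `authenticate`, `login_attempt`, `seed`) is constructed for the example, as is the in-memory "table".

```python
"""Simulation of the issue's set_password()/save() interaction (no Django)."""
import hashlib
import hmac
import os
from datetime import datetime, timezone


class BaseUser:
    """Stand-in for AbstractUser: hashing in set_password(), persistence only in save()."""

    require_email = True
    objects = {}  # constructed in-memory table, one per subclass

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        cls.objects = {}  # each model class gets its own table

    def __init__(self, username="", email=""):
        self.username = username
        self.email = email
        self.password = ""
        self.password_created_date = None
        self.pk = None

    def set_password(self, raw_password):
        # Like AbstractBaseUser.set_password: hash into memory, do NOT persist.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", raw_password.encode(), salt, 20000)
        self.password = salt.hex() + "$" + digest.hex()

    def check_password(self, raw_password):
        if "$" not in self.password:
            return False
        salt_hex, digest_hex = self.password.split("$", 1)
        digest = hashlib.pbkdf2_hmac(
            "sha256", raw_password.encode(), bytes.fromhex(salt_hex), 20000
        )
        return hmac.compare_digest(digest.hex(), digest_hex)

    def save(self):
        # Mirrors the issue's save() override when require_email is True.
        if self.require_email and not self.email:
            raise ValueError("Email field is required")
        if self.pk is None:
            self.pk = len(type(self).objects) + 1  # "INSERT"
        type(self).objects[self.pk] = self


class LeakyUser(BaseUser):
    """The override from the issue: stamp the date, then persist immediately."""

    def set_password(self, raw_password):
        super().set_password(raw_password)
        self.password_created_date = datetime.now(timezone.utc)
        self.save()  # the defect: persists whatever instance this runs on


class LeakyUserNoEmailCheck(LeakyUser):
    """Same override, before the email check was added to save()."""

    require_email = False


class FixedUser(BaseUser):
    """Safe override: stamp the date and leave persistence to the caller."""

    def set_password(self, raw_password):
        super().set_password(raw_password)
        self.password_created_date = datetime.now(timezone.utc)


def authenticate(user_model, username, password):
    """Mirror of django.contrib.auth.backends.ModelBackend.authenticate()."""
    user = next((u for u in user_model.objects.values() if u.username == username), None)
    if user is None:
        # Timing mitigation: run the hasher on a throwaway, unsaved instance.
        user_model().set_password(password)
        return None
    return user if user.check_password(password) else None


def login_attempt(user_model, username, password):
    """Return (user_or_None, error_message_or_None, row_count_after_attempt)."""
    try:
        user = authenticate(user_model, username, password)
        return user, None, len(user_model.objects)
    except ValueError as exc:
        return None, str(exc), len(user_model.objects)


def seed(user_model):
    """Create one legitimate account in the model's table (constructed data)."""
    user = user_model("alice", "alice@example.invalid")
    user.set_password("correct horse")
    user.save()
    return user


if __name__ == "__main__":
    for model in (FixedUser, LeakyUser, LeakyUserNoEmailCheck):
        seed(model)
        print(model.__name__, "unknown username ->", login_attempt(model, "ghost", "x")[1:])
```

The defensive point for the `CustomUserModel` in the issue is the `FixedUser` shape: keep `set_password()` side-effect free apart from mutating the instance, and persist from the code path that actually creates or changes the account (a form's `save()`, `create_user()`, a password-change view). Any override that writes to the database from inside `set_password()` will also fire on Django's timing-mitigation call for unknown usernames.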
paxw-panevo commented 1 year ago

Not sure if the problem is within django-two-factor-auth as I cannot reproduce this. We are using Django's contrib auth module.