We extend the `JSONWebTokenSerializer` class in order to allow users to log in using another unique field other than their `username`, namely their `email` stored in a related table. If a query against the database fails to retrieve a user we raise a `serializers.ValidationError`. I just noticed that our `detail` message ever so slightly differs from this package's detail message, opening up a possibility for attackers to sniff existing usernames by checking error detail responses.

By making this error a separate, importable class we can ensure that the error message between consumer applications and this package remains the same.
This might be quite corner-case though.
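The enumeration risk described above, as an added example that is not part of the original issue or of the package's code: one login function builds a different message for each failure path, the other raises a single importable error class so that an unknown account and a known account with a wrong password produce byte-identical detail strings. `InvalidCredentialsError`, `authenticate_divergent`, `authenticate_uniform`, the in-memory `USERS`/`EMAILS` tables and the `is_enumerable` check are hypothetical stand-ins for the serializer and database lookups the issue describes.

```python
# Added example (not the package's own code). Demonstrates why a shared,
# importable error class keeps the "invalid credentials" detail identical
# across code paths, so error responses cannot be used to confirm usernames.


class InvalidCredentialsError(Exception):
    """Single error type; its detail is the same regardless of which step failed.
    Hypothetical stand-in for a shared ValidationError subclass."""

    detail = "Unable to log in with provided credentials."

    def __init__(self):
        super().__init__(self.detail)


# Constructed sample data standing in for the user table and the related email table.
USERS = {"alice": {"password": "correct-horse"}}
EMAILS = {"alice@example.com": "alice"}


def _resolve_username(identifier):
    """Map an email from the related table to a username, or treat the
    identifier as a username directly (hypothetical lookup)."""
    return EMAILS.get(identifier, identifier)


def authenticate_divergent(identifier, password):
    """The problematic form: each failure path builds its own message, so a
    client can tell 'no such account' apart from 'wrong password'."""
    user = USERS.get(_resolve_username(identifier))
    if user is None:
        raise ValueError("User does not exist.")  # leaks account existence
    if user["password"] != password:
        raise ValueError("Unable to log in with provided credentials.")
    return _resolve_username(identifier)


def authenticate_uniform(identifier, password):
    """The hardened form: every failure raises the same importable error, so
    responses for unknown and known-but-wrong-password accounts are identical.
    (A real implementation would also use a constant-time password check.)"""
    username = _resolve_username(identifier)
    user = USERS.get(username)
    if user is None or user["password"] != password:
        raise InvalidCredentialsError()
    return username


def error_message(func, identifier, password):
    """Return the error detail a client would see, or None on success."""
    try:
        func(identifier, password)
    except (ValueError, InvalidCredentialsError) as exc:
        return str(exc)
    return None


def is_enumerable(func):
    """True if the detail for an unknown account differs from the detail for a
    known account with a wrong password, i.e. the messages reveal existence."""
    unknown = error_message(func, "nobody@example.com", "wrong")
    known_bad = error_message(func, "alice@example.com", "wrong")
    return unknown != known_bad


if __name__ == "__main__":
    print("divergent enumerable:", is_enumerable(authenticate_divergent))
    print("uniform enumerable:  ", is_enumerable(authenticate_uniform))
```

The `is_enumerable` check is the kind of regression test worth keeping next to a custom serializer: it fails as soon as any failure path (missing user, wrong password, inactive account) starts producing a detail string that differs from the shared class's message.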