authenticate() method should not continue on built-in or generic exceptions
|Reported by:||Ben Davis||Owned by:||nobody|
|Cc:||Triage Stage:||Design decision needed|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
From django.contrib.auth, in authenticate():

    for backend in get_backends():
        try:
            user = backend.authenticate(**credentials)
        except TypeError:
            # This backend doesn't accept these credentials as arguments. Try the next one.
            continue
        if user is None:
            continue
The authenticate method makes an assumption about the meaning of a TypeError, being that "this backend doesn't accept these credentials as arguments". It should use a custom exception type where the meaning is more specific, such as AuthInvalidCredentials or something.
The reasoning behind this is that when creating your own authentication backend, it's possible to do some things that unexpectedly raise a more generic exception, such as TypeError. This can produce some very unexpected results, as this will cause your backend to be "skipped" when it shouldn't have been.
Granted, I could work around this by catching TypeError within the backend, but the backend developer shouldn't have to know that he/she needs to do that. Plus, the developer would have to go through some hoops to actually see the exception that was caught (e.g., extracting traceback info from sys.exc_info()).
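The failure mode described in this report, as an added example that is not Django's code or the reporter's: a backend with an internal bug is silently skipped and a later backend authenticates the user instead. The second loop shows one possible alternative, checking the call signature before calling, so that only a credential mismatch skips a backend. All class and function names here are hypothetical, and the backends are constructed for illustration.

```python
import inspect

class StrictBackend:
    """Constructed backend whose body has a bug that raises TypeError."""
    def authenticate(self, username=None, password=None):
        attempts = 0
        attempts += "1"  # bug: int += str raises TypeError inside the backend
        return None

class TokenBackend:
    """Constructed backend that accepts a different credential set."""
    def authenticate(self, token=None):
        return "token-user" if token == "t0k3n" else None

class FallbackBackend:
    """Constructed, more permissive backend that runs last."""
    def authenticate(self, username=None, password=None):
        return "fallback-user" if password == "pw" else None

BACKENDS = [StrictBackend(), TokenBackend(), FallbackBackend()]

def authenticate_skip_on_typeerror(backends, **credentials):
    """Same shape as the loop quoted in the ticket: any TypeError skips."""
    for backend in backends:
        try:
            user = backend.authenticate(**credentials)
        except TypeError:
            continue  # hides both "wrong arguments" and real bugs
        if user is None:
            continue
        return user
    return None

def authenticate_signature_checked(backends, **credentials):
    """Skip a backend only when the credentials do not fit its signature."""
    for backend in backends:
        try:
            inspect.signature(backend.authenticate).bind(**credentials)
        except TypeError:
            continue  # backend does not accept these keyword arguments
        user = backend.authenticate(**credentials)  # internal errors propagate
        if user is not None:
            return user
    return None
```

With the first loop the broken `StrictBackend` never surfaces its error and `FallbackBackend` decides the outcome; with the second, the same call raises the backend's `TypeError` where it can be logged and fixed.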
Change History (7)
comment:1 Changed 8 years ago by
|Patch needs improvement:||unset|
|Triage Stage:||Unreviewed → Design decision needed|