Authentication Backends should be responsible for checking and setting passwords
|Reported by:||andornaut||Owned by:||nobody|
|Cc:||David Reynolds||Triage Stage:||Someday/Maybe|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Background & Reasoning
This feature request arose when trying to change the default hash algorithm from SHA1 to MD5. The
django.contrib.auth.models.User.set_password() method assumes sha1. This method is called in a number of places, such as
UserCreationForm.save(). User can be subclassed and set_password is overridden, but this change would be intrusive, because the new User Type would have to be substituted in several built-in views and in other places.
Instead, the scope of the authentication backend should be expanded to handle checking and setting passwords. Since multiple backends are supported, the first one in the list will take on these responsibilities.
Here is an example of some of the potential changes, for illustrative purposes:
# django.contrib.auth.backends.py def get_authoritative_backend(): # The first backend is responsible for checking and setting passwords return settings.AUTHENTICATION_BACKENDS # django.contrib.auth.models.User def set_password(self, raw_password): backend = django.contrib.auth.backends.get_authoritative_backend() backend.set_password(self, raw_password) def check_password(self, raw_password): backend = django.contrib.auth.backends.get_authoritative_backend() return backend.set_password(self, raw_password)
The advantage of this approach is that it allows for arbitrary hashing algorithms to be used, and it enables the rest of the system to be unaware and unaffected by these particulars.
Change History (9)
comment:3 Changed 6 years ago by
|Triage Stage:||Design decision needed → Someday/Maybe|