Opened 4 years ago

Closed 3 years ago

#18998 closed Bug (fixed)

Removing an authentication backend that's cached in a user's session causes exception

Reported by: Bradley Ayers <brad@…>
Owned by: jorgebastida
Component: contrib.auth
Version: 1.4
Severity: Normal
Keywords:
Cc: sunny@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no


Here's the scenario:

  1. I add a new authentication backend to AUTHENTICATION_BACKENDS.
  2. I deploy the code and a user logs in using that backend, and then logs out.
  3. I decide I want to change the name of the backend, so I do, and update AUTHENTICATION_BACKENDS accordingly.
  4. I deploy the code, and the same user loads the login page again.

On loading the page, an exception will be raised:

Traceback (most recent call last):
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/core/handlers/", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/console/", line 105, in wrapped
    result = func(request, *args, **kwargs)
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/", line 19, in _wrapped_view
    if test_func(request.user):
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/utils/", line 184, in inner
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/utils/", line 248, in _setup
    self._wrapped = self._setupfunc()
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/", line 16, in <lambda>
    request.user = SimpleLazyObject(lambda: get_user(request))
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/", line 8, in get_user
    request._cached_user = auth.get_user(request)
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/", line 100, in get_user
    backend = load_backend(backend_path)
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/", line 22, in load_backend
    raise ImproperlyConfigured('Module "%s" does not define a "%s" authentication backend' % (module, attr))
ImproperlyConfigured: Module "project.apps.core.backends" does not define a "EmailOrUsernameModelBackend" authentication backend

EmailOrUsernameModelBackend is the name of the old backend that has been renamed.

Change History (12)

comment:1 Changed 4 years ago by Claude Paroz

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Triage Stage: Unreviewed → Accepted

I guess that catching ImproperlyConfigured in addition to KeyError in get_user is the way to go here.

comment:2 Changed 4 years ago by Bradley Ayers <brad@…>

I think the code that retrieves the auth backend from the session should ensure it's within AUTHENTICATION_BACKENDS. If it's not, treat it as invalid and ignore it.

comment:3 Changed 4 years ago by mhaligowski

Owner: changed from nobody to mhaligowski

comment:4 Changed 4 years ago by mhaligowski

Resolution: fixed
Status: new → closed
Triage Stage: Accepted → Fixed on a branch

comment:5 Changed 4 years ago by Łukasz Rekucki

Has patch: set
Triage Stage: Fixed on a branch → Accepted

The ticket isn't fixed until a core developer commits the code to the master. You should have just marked the "Has patch" flag. See for more info :)

comment:6 Changed 4 years ago by mhaligowski

Ah, I expected so:) Sorry for that and thanks for the info.

comment:7 Changed 4 years ago by Preston Holmes

Resolution: fixed
Status: closed → reopened

We should probably remove the fixed on branch stage

comment:8 Changed 4 years ago by Aymeric Augustin

Status: reopened → new

comment:9 Changed 3 years ago by jorgebastida

Owner: changed from mhaligowski to jorgebastida
Status: new → assigned

comment:10 Changed 3 years ago by jorgebastida

The patch submitted by @mhaligowski did not fix this ticket's issue but another that I've just raised (

Following @claudep's advice in the first comment, I've submitted a patch capturing ImproperlyConfigured and returning an AnonymousUser instead. Pull request here


comment:11 Changed 3 years ago by jorgebastida

Triage Stage: Accepted → Ready for checkin

comment:12 Changed 3 years ago by Claude Paroz <claude@…>

Resolution: fixed
Status: assigned → closed

In dc43fbc2f21c12e34e309d0e8a121020391aa03a:

Fixed #18998 - Prevented session crash when auth backend removed

Removing a backend configured in AUTHENTICATION_BACKENDS should not
raise an exception for existing sessions, but should make already
logged-in users disconnect.
Thanks Bradley Ayers for the report.
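
The two approaches from comment:1 and comment:2, sketched together as an added example (not Django's code and not the committed patch): a session that still names the renamed backend resolves to an anonymous user instead of raising, and a path read from session data only reaches the loader if it is listed in AUTHENTICATION_BACKENDS. The classes, the `IMPORTABLE` dict standing in for the import step, the new backend name `EmailBackend` and the sample sessions are assumptions; `_auth_user_id` and `_auth_user_backend` are the session keys Django's auth app uses.

```python
class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""

class AnonymousUser:
    is_authenticated = False

class User:
    is_authenticated = True
    def __init__(self, pk):
        self.pk = pk

class EmailBackend:
    """Hypothetical new name of the renamed backend."""
    def get_user(self, user_id):
        return User(user_id)

# Constructed deployment state after the rename: what the code can import,
# and the matching AUTHENTICATION_BACKENDS setting.
IMPORTABLE = {"project.apps.core.backends.EmailBackend": EmailBackend}
AUTHENTICATION_BACKENDS = list(IMPORTABLE)
# Constructed sessions: one issued before the rename, one issued after it.
STALE_SESSION = {"_auth_user_id": 42, "_auth_user_backend":
                 "project.apps.core.backends.EmailOrUsernameModelBackend"}
LIVE_SESSION = {"_auth_user_id": 42,
                "_auth_user_backend": AUTHENTICATION_BACKENDS[0]}

def load_backend(path):
    """Simplified loader: a dict lookup stands in for the module import."""
    if path not in IMPORTABLE:
        raise ImproperlyConfigured("no authentication backend at %r" % path)
    return IMPORTABLE[path]()

def get_user_unpatched(session):
    """Reported behaviour: only a missing session key is tolerated."""
    try:
        backend = load_backend(session["_auth_user_backend"])
        return backend.get_user(session["_auth_user_id"])
    except KeyError:
        return AnonymousUser()

def get_user_patched(session):
    """Stale or unlisted backend paths degrade to an anonymous user."""
    try:
        path = session["_auth_user_backend"]
        if path not in AUTHENTICATION_BACKENDS:  # allowlist check, comment:2
            return AnonymousUser()
        return load_backend(path).get_user(session["_auth_user_id"])
    except (KeyError, ImproperlyConfigured):  # extra catch, comment:1
        return AnonymousUser()
```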
