Opened 6 years ago

Closed 6 years ago

#19337 closed Bug (duplicate)

Authentication backend iteration should not rely on TypeError for detection

Reported by: Ruy Asan Owned by: nobody
Component: contrib.auth Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


This line here is the problem area. Basically it means that if at any point during the authentication process a TypeError is raised (which is not exactly unlikely) django will simply eat that error, attempt to authenticate, mysteriously fail to to do so and then give the exasperated developer few clues as to why authentication didn't actually happen despite the lack of log messages or exceptions claiming otherwise.

Relying on such generic exceptions for what basically amounts to flow control (in essence all we're trying to do here is allow the backend to signal to django that it doesn't support these credentials) is, IMHO, asking for trouble.

Why can't we simply rely on returning None (as is already the case) or perhaps an explicit value or exception?

Yes this would be a backwards incompatible change but it can be stretched over several releases and warned against using deprecation messages as with other such changes.

Change History (1)

comment:1 Changed 6 years ago by Claude Paroz

Resolution: duplicate
Status: newclosed

Yes, this is a valid concern, but it is already reported in #18171.

Note: See TracTickets for help on using tickets.
Back to Top