Document limitations of django.contrib.auth
| Reported by: | Aymeric Augustin | Owned by: | nobody |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
django.contrib.auth aims to be very generic and doesn't provide some features commonly found in web authentication systems:
- password strength checking: requirements depend very much on the context.
- throttling of login attempts: possible with a custom auth backend, for example https://github.com/brutasse/django-ratelimit-backend (I haven't audited that code).
- external auth providers: possible with a custom auth backend; there are several third-party apps providing this feature.
The documentation should point out that these features aren't implemented to raise awareness.
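
The throttling item in the ticket says this is possible with a custom auth backend. As an added illustration (not code from the ticket, from Django, or from django-ratelimit-backend), this is the failure-counting logic such a backend's `authenticate()` could delegate to. The class, its parameters and the `check_credentials` callable are assumptions, and it uses only the standard library so it runs without Django.

```python
import time
from collections import deque


class ThrottledAuthenticator:
    """Sliding-window limit on failed logins, per account and per source IP."""

    def __init__(self, check_credentials, max_failures=5, window=300,
                 clock=time.monotonic):
        # check_credentials(username, password) -> user or None is a stand-in
        # (assumption) for the real credential check of the wrapped backend.
        self.check_credentials = check_credentials
        self.max_failures = max_failures
        self.window = window  # seconds
        self.clock = clock
        self._failures = {}  # ("user"|"ip", value) -> deque of failure times

    def _recent_failures(self, key):
        """Drop failures older than the window and return how many remain."""
        times = self._failures.get(key)
        if times is None:
            return 0
        cutoff = self.clock() - self.window
        while times and times[0] <= cutoff:
            times.popleft()
        if not times:
            del self._failures[key]  # keep the table from growing forever
        return len(times)

    def authenticate(self, username, password, remote_addr):
        keys = [("user", username.lower()), ("ip", remote_addr)]
        # Refuse before touching the password check, so a locked-out caller
        # learns nothing about whether the guess was right.
        if any(self._recent_failures(k) >= self.max_failures for k in keys):
            return None
        user = self.check_credentials(username, password)
        if user is None:
            now = self.clock()
            for k in keys:
                self._failures.setdefault(k, deque()).append(now)
            return None
        # Success resets the account counter only; the IP counter stays, so a
        # caller cannot reset it by logging in to an account they own.
        self._failures.pop(keys[0], None)
        return user
```

The counters live in process memory, so a deployment with several worker processes would need a shared store for them.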