Context Navigation

← Previous Ticket
Next Ticket →

#34565 closed New feature (fixed)

Add acheck_password() async method.

Reported by:	Dingning	Owned by:	Dingning
Component:	contrib.auth	Version:	4.2
Severity:	Normal	Keywords:	async auth check_password
Cc:	Carlton Gibson, Jon Janzen	Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description (last modified by Dingning)

When settings.PASSWORD_HASHERS is changed and user.check_password() is called in an async context, a SynchronousOnlyOperation exception may occur.

The reason is that the check_password function will call the synchronous setter function to update the password field of the user table when the settings.PASSWORD_HASHERS is changed.

To Reproduce The Process:

Start Django and create a user. Suppose the user's password is 123456.
Close the server, modify settings.PASSWORD_HASHERS, for example, exchange the order of the first two Hashers. You can refer to django.conf.global_settings.PASSWORD_HASHERS.
Start the server and call user.check_password('123456') in the asynchronous view.
SynchronousOnlyOperation is raiesd.

Reference Code:

from django.http import HttpResponse
from django.contrib.auth import get_user_model


async def test_check_password(request):
    user = await get_user_model().objects.aget(id=1)
    is_correct = user.check_password('123456')

    return HttpResponse(is_correct)

Significance:

When settings.PASSWORD_HASHERS changes, check_password and related functions can be called normally in an asynchronous environment.
Lay the foundation for the future django.contrib.auth module to support native async.

Solution:

Add acheck_password method, this method will call the async setter function to update the password field of the user table when the settings.PASSWORD_HASHERS is changed.

Demo:

I simply implemented the solution mentioned above and put it here for reference.
https://github.com/HappyDingning/django/tree/acheck_password

Related Discussions:

https://forum.djangoproject.com/t/add-async-support-for-abstractbaseuser-check-password/20364

Thanks to bigfootjon, carltongibson and UriahKingsley

Change History (8)

comment:1 by Dingning, 2 years ago

Description:	modified (diff)

comment:2 by Dingning, 2 years ago

Description:	modified (diff)

comment:3 by Dingning, 2 years ago

Description:	modified (diff)

comment:4 by Mariusz Felisiak, 2 years ago

Summary:	Exception will be raised when settings.PASSWORD_HASHERS changes and the check_password() method is called in an asynchronous context. → Add acheck_password() async method.
Triage Stage:	Unreviewed → Accepted
Type:	Bug → New feature

Tentatively accepted.

comment:5 by Dingning, 2 years ago

Has patch:	set
Owner:	changed from nobody to Dingning

comment:6 by Mariusz Felisiak, 2 years ago

Needs documentation:	set
Patch needs improvement:	set

comment:7 by Mariusz Felisiak, 2 years ago

Needs documentation:	unset
Patch needs improvement:	unset
Triage Stage:	Accepted → Ready for checkin

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 2 years ago

Resolution:	→ fixed
Status:	assigned → closed

In 674c2399:

Fixed #34565 -- Added support for async checking of user passwords.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues