
Opened 6 years ago

Closed 6 years ago

Last modified 6 months ago

#7591 closed Uncategorized (fixed)

Authenticate By Email Support

Reported by: Paul Kenjora <pkenjora@…> Owned by: anonymous
Component: contrib.auth Version: master
Severity: Normal Keywords: authenticate, email, login
Cc: Triage Stage: Design decision needed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Sometimes authenticating by email/password is preferable to username/password. Many sites today (including Google) use the email/password method. Django authentication should support email and username authentication simultaneously (by developer's choice).

The developer of a site will be responsible for picking which authentication method works best; the framework should support both.

Again discussion and more information at:

http://blog.awarelabs.com/?p=59

Attachments (1)

email_auth.diff (922 bytes) - added by Paul Kenjora <pkenjora@…> 6 years ago.


Change History (15)

Changed 6 years ago by Paul Kenjora <pkenjora@…>

comment:1 Changed 6 years ago by Paul Kenjora <pkenjora@…>

  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Owner set to anonymous
  • Patch needs improvement unset
  • Status changed from new to assigned
  • Triage Stage changed from Unreviewed to Design decision needed

comment:2 Changed 6 years ago by Paul Kenjora <pkenjora@…>

  • Owner changed from anonymous to pkenjora
  • Status changed from assigned to new

comment:3 Changed 6 years ago by Paul Kenjora <pkenjora@…>

  • Owner changed from pkenjora to anonymous
  • Status changed from new to assigned

comment:4 Changed 6 years ago by jacob

  • Resolution set to wontfix
  • Status changed from assigned to closed

This is why Django has pluggable authentication backends.

comment:5 Changed 6 years ago by anonymous

Couldn't you make your own view that takes in an e-mail address and password, and authenticates from there?

comment:6 Changed 6 years ago by Paul Kenjora <pkenjora@…>

Why was authentication by username chosen over email, and why is it so exclusive? Why not support both from the same point in the code?

Sorry, not sure what the benefit of creating a new backend is (enough to offset code bloat)? Or the drawback of the patch above?

Insight appreciated for the sake of getting a better understanding of the framework...

comment:7 follow-up: Changed 6 years ago by lukeplant

The patch does not support the case where 2 users have the same email address, and as is will actually produce a 500 internal server error. This case is completely possible in the Django Users table (there is no UNIQUE constraint on the email address), and I'm a strong -1 on changing that because of the following use cases:

  • Married couples often share an email address (I have multiple instances of this in one of my live sites)
  • Sometimes users might want different 'personas' for logging in to a site, but the same email address.

So, this patch needs work at the very least, but I'm not sure if it is even fixable. There is no way of knowing which of the usernames sharing an email address should be picked, so you would have to pick none. But if the framework advertises that it can support logging in by (username, password) or (email, password) then it should do so without bugs out of the box. But for logging in by email to work reliably, you have to add a constraint to the users database table.
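
The duplicate-email case from comment 7, as an added example that is not part of the ticket or its patch: a plain-Python model (not Django's backend API) of a login lookup that returns no user when an email address matches more than one account, instead of raising. The `User` class, the `USERS` table and the `authenticate` function are hypothetical names, and the sample accounts are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class User:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes

    def check_password(self, password: str) -> bool:
        # Constant-time comparison of the stored and recomputed hashes.
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


def make_user(username: str, email: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, email, salt, hash_password(password, salt))


# Constructed sample table: usernames are unique, email addresses are not.
USERS = [
    make_user("alice", "family@example.com", "alice-pw"),
    make_user("bob", "family@example.com", "bob-pw"),
    make_user("carol", "carol@example.com", "carol-pw"),
]


def authenticate(identifier: str, password: str, users=USERS):
    """Return the matching User, or None. Never raises on duplicate emails."""
    # A username match takes precedence; usernames are unique.
    candidates = [u for u in users if u.username == identifier]
    if not candidates:
        candidates = [u for u in users if u.email == identifier]
    # Zero matches, or an email shared by several accounts: pick none.
    if len(candidates) != 1:
        return None
    user = candidates[0]
    return user if user.check_password(password) else None
```

With this table, `alice` and `bob` can still log in by username, but neither can log in with the shared address, which is the limitation the comment describes.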

comment:8 in reply to: ↑ 7 ; follow-up: Changed 6 years ago by haavikko@…

Although it is not always possible to use e-mail account as the username, there are application domains where it is perfectly valid and helpful for the end users. It would be a good option to have, and the caveats should be clearly described in the documentation.

comment:9 in reply to: ↑ 8 Changed 6 years ago by anonymous

Replying to haavikko@gmail.com:

It is already an option -- you can roll your own view and do it there, very easily.

comment:10 follow-up: Changed 5 years ago by zbraniecki

Not sure if that's material for a separate bug, or just part of this one.
Why does Django accept a user name with '@' in the model, but refuse to allow operating on such an account from the panel later? Should a form be more restrictive than the model is?

We're currently rolling out an app for our project which uses double account system (local django authentication + LDAP based) and in such case, we'll have a lot of accounts with user name being an email.
Now, we can add/remove/use those accounts but editing them from django admin panel is unavailable.
Should I open a separate bug on this?

comment:11 in reply to: ↑ 10 Changed 5 years ago by lukeplant

Replying to zbraniecki:

Should I open a separate bug on this?

It's a separate bug, but really it is part of 'model validation', which is in the works, so I wouldn't bother opening a bug about it. It's well known that admin forms can impose extra validation that the model itself does not.

comment:12 Changed 3 years ago by aaugustin

  • Easy pickings unset
  • Severity set to Normal
  • Type set to Uncategorized
  • UI/UX unset

#16709 was a duplicate.

comment:13 Changed 3 years ago by jacob

  • milestone 1.0 beta deleted

Milestone 1.0 beta deleted

comment:14 Changed 6 months ago by pkenjora@…

  • Resolution changed from wontfix to fixed

Since this shows up in search and has been fixed, it's best to document it here.

This has been fixed with the implementation of custom authentication:

https://docs.djangoproject.com/en/dev/topics/auth/customizing/
