django-allauth
ACCOUNT_EMAIL_VERIFICATION = "mandatory" not preventing unverified email login
I just found out that a registered email that is yet to be verified is allowed to log in even though ACCOUNT_EMAIL_VERIFICATION is set to "mandatory" in the settings. I don't know if this is a bug with the latest allauth, but I am certain this was working fine before.
Here is my code.
```python
# Settings.py
ACCOUNT_USER_MODEL_USERNAME_FIELD = None
ACCOUNT_EMAIL_REQUIRED = True
SOCIALACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_UNIQUE_EMAIL = True
ACCOUNT_USERNAME_REQUIRED = False
ACCOUNT_AUTHENTICATION_METHOD = "email"
ACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION = False
ACCOUNT_EMAIL_VERIFICATION = "mandatory"
ACCOUNT_CONFIRM_EMAIL_ON_GET = True
ACCOUNT_EMAIL_CONFIRMATION_AUTHENTICATED_REDIRECT_URL = None
ACCOUNT_EMAIL_CONFIRMATION_ANONYMOUS_REDIRECT_URL = None
ACCOUNT_EMAIL_CONFIRMATION_EXPIRE_DAYS = 3

REST_FRAMEWORK = {
    "EXCEPTION_HANDLER": "users.exceptions.custom_exception_handler",
    "DEFAULT_AUTHENTICATION_CLASSES": (
        "rest_framework.authentication.SessionAuthentication",
        "knox.auth.TokenAuthentication",
    ),
}
```
NB: I am using django-rest-knox to log in and generate a token, which I don't think has anything to do with ACCOUNT_EMAIL_VERIFICATION in the settings, as the other settings are working just fine.
```python
from allauth.account.utils import perform_login
from knox.views import LoginView as KnoxLoginView
from knox.models import AuthToken
from rest_framework import permissions
from rest_framework.authentication import SessionAuthentication
# Assumed: the serializer is DRF's username/password token serializer,
# which is why "username" is populated from the email below.
from rest_framework.authtoken.serializers import AuthTokenSerializer


class LoginView(KnoxLoginView):
    permission_classes = (permissions.AllowAny,)
    authentication_classes = [SessionAuthentication]

    def post(self, request, format=None):
        standard_data = {**request.data, "username": request.data["email"].lower()}
        serializer = AuthTokenSerializer(data=standard_data)
        serializer.is_valid(raise_exception=True)
        user = serializer.validated_data["user"]
        # Third argument is allauth's email_verification method; "none"
        # means no verification check is applied in this call.
        perform_login(request, user, "none")
        response = super(LoginView, self).post(request, format=None)
        return response
```
Please can someone help me with this?
It prevents this only when you use LoginView from allauth (from allauth.account). You have to either use LoginView from allauth or ensure that your LoginView checks this.
This is not directly mentioned in the docs (I think it should be).
@pktiuk thanks for the info! Do you have an idea how to make a custom view that checks the LoginView from allauth? Thanks
@hsouna You could create your own class inheriting from allauth.account.LoginView, or just copy some code from this class.
Closing -- allauth definitely prevents logging in with an unverified email if email verification is set to mandatory. As the discussion shows, the issue you are having is caused outside of allauth.