
ACCOUNT_EMAIL_VERIFICATION = "mandatory" not preventing unverified email login

Open eakenbor opened this issue 2 years ago • 3 comments

I just found out that a registered email that is yet to be verified is allowed to log in even though ACCOUNT_EMAIL_VERIFICATION is set to "mandatory" in the settings. I don't know if this is a bug with the latest allauth, but I am certain this was working fine before.

Here is my code.

# settings.py

ACCOUNT_USER_MODEL_USERNAME_FIELD = None
ACCOUNT_EMAIL_REQUIRED = True
SOCIALACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_UNIQUE_EMAIL = True
ACCOUNT_USERNAME_REQUIRED = False
ACCOUNT_AUTHENTICATION_METHOD = "email"
ACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION = False
ACCOUNT_EMAIL_VERIFICATION = "mandatory"
ACCOUNT_CONFIRM_EMAIL_ON_GET = True
ACCOUNT_EMAIL_CONFIRMATION_AUTHENTICATED_REDIRECT_URL = None
ACCOUNT_EMAIL_CONFIRMATION_ANONYMOUS_REDIRECT_URL = None
ACCOUNT_EMAIL_CONFIRMATION_EXPIRE_DAYS = 3


REST_FRAMEWORK = {
    "EXCEPTION_HANDLER": "users.exceptions.custom_exception_handler",
    "DEFAULT_AUTHENTICATION_CLASSES": (
        "rest_framework.authentication.SessionAuthentication",
        "knox.auth.TokenAuthentication",
    ),
}

NB: I am using django-rest-knox to log in to generate a token, which I don't think has anything to do with ACCOUNT_EMAIL_VERIFICATION in the settings, as other settings are working just fine.

from allauth.account.utils import perform_login
from knox.views import LoginView as KnoxLoginView
from knox.models import AuthToken
from rest_framework import permissions
from rest_framework.authentication import SessionAuthentication
# assumed to be DRF's built-in serializer (the original import was not shown)
from rest_framework.authtoken.serializers import AuthTokenSerializer

class LoginView(KnoxLoginView):
    permission_classes = (permissions.AllowAny,)
    authentication_classes = [SessionAuthentication]

    def post(self, request, format=None):
        # allauth authenticates by e-mail here, so the address is passed as "username"
        standard_data = {**request.data,
                         "username": request.data["email"].lower()}

        serializer = AuthTokenSerializer(data=standard_data)
        serializer.is_valid(raise_exception=True)
        user = serializer.validated_data["user"]

        # the third argument is allauth's email_verification method; "none" makes
        # perform_login skip the verification check, and its return value (a
        # redirect when verification is "mandatory" and the address is unverified)
        # is discarded here, so the knox token below is issued either way
        perform_login(request, user, "none")

        response = super(LoginView, self).post(request, format=None)
        return response

Please can someone help me with this?

eakenbor, Mar 07 '22 23:03

It prevents it only when you use LoginView from allauth (from allauth.account). You have to either use LoginView from allauth or ensure that your LoginView checks this.

This is not directly mentioned in the docs (I think it should be).

pktiuk, Mar 23 '22 14:03

@pktiuk thanks for the info! Do you have an idea how to make a custom view that checks this the way the LoginView from allauth does? Thanks

hsouna, Apr 07 '22 16:04

@hsouna
You could create your own class inheriting from allauth.account.LoginView or just copy some code from this class.

pktiuk, Apr 07 '22 19:04
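One way to make a custom knox view enforce the check, as an added example that is not part of this thread and not allauth's or knox's own code. It assumes the settings from the issue (ACCOUNT_EMAIL_VERIFICATION = "mandatory", ACCOUNT_AUTHENTICATION_METHOD = "email"), that rest_framework, knox and allauth are installed, and the hypothetical names verification_blocks_login, make_login_view and VerifiedEmailLoginView; the policy function covers all three ACCOUNT_EMAIL_VERIFICATION values, not only "mandatory".

```python
from typing import Iterable

MANDATORY = "mandatory"  # the ACCOUNT_EMAIL_VERIFICATION value that must block login


def verification_blocks_login(method: str, verified_emails: Iterable[str], login_email: str) -> bool:
    """Mirror allauth's rule: only "mandatory" blocks, and then the address used
    to log in must itself be verified (a verified secondary address does not
    unlock a login made through an unverified one)."""
    if method != MANDATORY:
        return False
    wanted = login_email.strip().lower()
    return wanted not in {e.strip().lower() for e in verified_emails}


def make_login_view():
    """Build a knox LoginView that refuses a token to unverified addresses.
    Django/DRF/knox/allauth imports are deferred so the policy function above
    stays importable (and testable) without a configured Django project."""
    from allauth.account.models import EmailAddress
    from allauth.account.utils import perform_login
    from django.conf import settings
    from knox.views import LoginView as KnoxLoginView
    from rest_framework import permissions, status
    from rest_framework.authentication import SessionAuthentication
    from rest_framework.authtoken.serializers import AuthTokenSerializer
    from rest_framework.response import Response

    class VerifiedEmailLoginView(KnoxLoginView):  # hypothetical name
        permission_classes = (permissions.AllowAny,)
        authentication_classes = [SessionAuthentication]

        def post(self, request, format=None):
            email = str(request.data.get("email", "")).strip().lower()
            serializer = AuthTokenSerializer(data={**request.data, "username": email})
            serializer.is_valid(raise_exception=True)  # bad credentials -> 400
            user = serializer.validated_data["user"]
            verified = EmailAddress.objects.filter(user=user, verified=True).values_list("email", flat=True)
            method = getattr(settings, "ACCOUNT_EMAIL_VERIFICATION", "optional")
            if verification_blocks_login(method, verified, email):
                # Refuse before any session or knox token exists.
                return Response({"detail": "E-mail address not verified."}, status=status.HTTP_403_FORBIDDEN)
            # Session login so knox's post() sees request.user; pass the configured
            # method rather than the hard-coded "none" from the issue.
            perform_login(request, user, method)
            return super().post(request, format=format)

    return VerifiedEmailLoginView
```

Wire it up with `path("login/", make_login_view().as_view())` in urls.py; the 403 is returned only after the password check succeeds, so it reveals nothing an unverified registrant does not already know.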

Closing -- allauth definitely prevents logging in with an unverified email if email verification is set to mandatory. As the discussion shows, the issue you are having is caused outside of allauth.

pennersr, Jun 14 '23 20:06