djoser

djoser copied to clipboard

use only authenticate for create token

4

Closes https://github.com/sunscrapers/djoser/issues/795 rollback https://github.com/sunscrapers/djoser/commit/8f65bfff16577c7fb0f52bbabf5fb69f6809ba62 TBD drop Djoser LOGIN_FIELD in favor of Django's User USERNAME_FIELD

tomwojcik

todos: - update docs - update comments / docstrings, if needed - move tests to upstream so the diff is smaller and more reliable (unused mocks etc) - some tests...

tomwojcik

Separate LOGIN_FIELD logic into a auth backend to avoid giving tokens…

1

… to non authorized users. Corrects #795

hisie

DJOSER is giving tokens to users that don't pass the AUTHENTICATION_BACKENDS.authenticate

6

https://github.com/sunscrapers/djoser/blob/4452009f628b59f02704373d5e7f991f1243397f/djoser/serializers.py#L127 When retrieving a token DJOSER check itself if the password match, or not. If password match, only active or not validation is done. Django authentication backends propose a set...

hisie

django-rest-knox has better token based auth protection, so is there any way to use this library with Djoser for token auth?

spinxi