Search code examples
djangodjango-rest-frameworkdjango-authenticationdjango-rest-framework-simplejwt

Drf: authenticating without the USERNAME_FIELD

Extended from: Drf how to: simple-jwt authenticating without the USERNAME_FIELD

I was trying to figure out how to authenticate a user with a field that is not set as the USERNAME_FIELD and faced some issues, it lets me input in the correct data fields, but it never authenticates

I'm using this snippet from the previous questions answer:

class MyTokenStudentSerializer(TokenObtainPairSerializer):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['student_id'] = serializers.CharField(required=False)
        # self.fields['password'] = serializers.CharField(write_only=True, required=True)
        self.fields['password'] = PasswordField(trim_whitespace=False)

    username_field = 'student_id'
    auth_fields = ['student_id']


#login view extended from TokenObtainPairView
    class LoginStudentView(TokenObtainPairView):
        permission_classes = (AllowAny,)
        serializer_class = MyTokenStudentSerializer

produces

 {
        "detail": "No active account found with the given credentials"
 }

any modifications would be greatly appreciated.

Solution

  • If you are using default ModelBackend you should specify USERNAME_FIELD

    class User(AbstractUser):
    USERNAME_FIELD = 'student_id'
    student_id = models.TextField(default="", unique=True) # Should be unique

    Output

    ~ $ curl -X POST "http://127.0.0.1:8000/api/auth/login-student/" -d "password=admin&student_id=stdnt"
{"refresh":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTY0MzcxMTgzMCwiaWF0IjoxNjQxMTE5ODMwLCJqdGkiOiJkY2MyNTEwZGRiNWE0ZTJmODllMDI2OWRkYWI5ZGVjNSIsInVzZXJfaWQiOjF9.c0QTdBhiPUf4yvPP0l3a-XQ0iD6kycECAdb6MAROY8g","access":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNjQxMTIzNDMwLCJpYXQiOjE2NDExMTk4MzAsImp0aSI6ImM0NjA0ZTlhMDBhNjQ5YjdhMTkxOGQ3OTJmOTMyYTJiIiwidXNlcl9pZCI6MX0.XoZXTJICE_PyZFXIIvsm3bci-e-O67AsYvIvY1ijNAo"}

    Also, you can write your own auth backend and include it in settings.py.

    AUTHENTICATION_BACKENDS = [
    'django.contrib.auth.backends.ModelBackend',
    'project.apps.auth.backends.MyCustomModelBackend',
]

    Example of backend

    class MyCustomModelBackend(ModelBackend):
    def authenticate(self, request, username=None, password=None, **kwargs):
        student_id = kwargs.get("student_id")
        if student_id is None or password is None:
            return
        try:
            user = User.objects.get(student_id=student_id)
        except User.DoesNotExist:
            # Run the default password hasher once to reduce the timing
            # difference between an existing and a nonexistent user (#20760).
            User().set_password(password)
        else:
            if user.check_password(password) and self.user_can_authenticate(user):
                return user

    With this approach you can preserve login via username field. Also you shouldn't specify USERNAME_FIELD = 'student_id' in User model