rest_framework.authentication.BasicAuthentication Fails to Work Properly When User.is_active is False

[apachex692]

I'm building an API back-end with DRF. The user sign-up process is as follows:

1. Front-end sends the user details to the /api/auth/user endpoint with a POST request to create a user (default User model used) resource.
2. An email is sent to the user with a JWT to verify the email ID of the user.
3. Once the user clicks the link, the back-end verifies the token and sets the is_active attribute to True.

The back-end completely works on JWT authentication. BasicAuthentication is used only for the JWT creation process. Hence, while making a request to /api/auth/jwt/create, HTTP basic authentication must be performed by sending the base64 encoded string of <username>:<password> as Authorization header.

The front-end, after making a request to create a user, also makes another request with the same credentials to retrieve the JWT associated with the user. This is used for authentication for successive requests.

Now, the problem is that the rest_framework.authentication.BasicAuthentication class returns {"detail": "Invalid username/password."} as response while is_active is False (because the user hasn't verified his email ID with the link sent to the email account).

Looking at the class declaration, it seems to be implemented fine and the expected behavior is that the class should return {"detail": "User is not active."} when the account is inactive.

I couldn't figure out how to fix this issue and hence this discussion.

[MahmoudBayoumi19]

I faced same issue and fixed it by using custom authentication but I think it`s a bug
also I am using custom user model and using email instead of username I thing it is better use USERNAME_FIELD in exceptions.AuthenticationFailed Message Response instead of considering that user use username and password for authentication

[apachex692]

Looks like we should escalate this to an issue then. What do you say?

[MahmoudBayoumi19]

agree with you

[ulgens]

@sakthisanthosh010303 @MahmoudBayoumi19 Do you have a reference repo / implementation example that we can reproduce the issue? I have some questions about why JWT creation would require an authentication first, and the problem seems related to it; but without having something to debug it's lot harder to test that guess.

[apachex692]

To answer your doubt regarding why we need HTTP basic authentication for a JWT creation endpoint, there are two reasons:

1. Without authentication, JWT claims cannot be generated. A JWT claim is a part of JWT payload that that contains data relevant to the user which is used to verify the user later.
2. Anyone can access the endpoint to generate JWTs which is bad.

PS: I'll be sharing the code snippets after discussing with my enterprise's CTO soon.

[ulgens]

I think there is confusion about the purpose/function of sending credentials as a payload vs accessing an endpoint with basic auth. I can try to help better when we have something we can debug.

[MahmoudBayoumi19]

in my case i am accessing end point using basic auth:
1- when i set user.is_active to false expected to get response 'User inactive or deleted.' but got 'Invalid username/password.'.
2- i am using custom user model using email as username_field instead of using username when i set invalid credentials i got 'Invalid username/password.'. and expected to be 'Invalid email/password' i thing it`s better to use f'Invalid {get_user_model().USERNAME_FIELD}/password' instead of considering that user login with username and password .

class UserLoginView(APIView):
authentication_classes = [BasicAuthentication]
permission_classes = [AllowAny]

[apachex692]

@ulgens, we’re discussing only about RESTful APIs and the standard practices that comes with it in this discussion.

DRF (Django REST Framework) is meant to deal only with designing robust RESTful API back-ends. The link you provided is built to work with Django and not DRF.

[ulgens]

You are right, I misread a word and jumped to whole other thing. I'll try to share it with a DRF example.

[ulgens]

https://django-rest-framework-simplejwt.readthedocs.io/en/latest/getting_started.html#usage Something pretty similar here too. No secondary auth mechanism, just sending credentials to obtain the token.

[apachex692]

This is the endpoint method that handles requests to the /jwt/create endpoint.

@api_view(["GET"])
@authentication_classes([BasicAuthentication])
@permission_classes([])
def jwt_create_api_view(request):
    access_token, refresh_token = (
        JWT.encode(token_type="ACCESS", user=request.user),
        JWT.encode(token_type="REFRESH", user=request.user)
    )

    return Response(
        data={"access": access_token, "refresh": refresh_token},
        status=HTTP_201_CREATED
    )

As seen, it uses the rest_framework.authentication.BasicAuthentication. This should authenticate the user successfully upon authenticating with HTTP basic authentication. However, in the case when the user in inactive (is_active set to False in user table in database), the authentication fails with the message {"detail": "Invalid username/password."} instead of {"detail": "User is inactive."} Note that correct credentials are passed to the back-end.

This behavior is potentially a bug.

[ulgens]

@sakthisanthosh010303 Why don't you accept credentials in this endpoint?

[apachex692]

Why don't we accept credentials to this endpoint? You see, to understand that, you need to understand the following elementary/basic things about Python and DRF.

rest_framework.authentication.BasicAuthentication Reference: https://www.django-rest-framework.org/api-guide/authentication/#basicauthentication
Decorators in Python: https://peps.python.org/pep-0318/
Python: https://peps.python.org/pep-0318/
What is a Programming Langauge?: https://resources.github.com/software-development/what-is-a-programming-language/

[ulgens]

@sakthisanthosh010303 None of us need this condescending tone; please don't do that. I'm trying to help in my free time without anything in return except the fun of solving a problem. Instead of sending DRF or Python docs, if you want to explain your JWT auth setup and why and how it differs from the examples of the tool you use for it, I believe it will be much more helpful for both of us.

[apachex692]

Sure. I totally agree to what you say and I totally believe that we're all skilled programmers with a busy 9-5 job schedule. I believe that the code snippet mentioned above along with the description is informative enough to be understood by a back-end developer. Also, when there is a standard documentation that explain how things work under the hood and it is meant to be known by someone as a basic requirement who wants to answer these questions, why to waste our precious time in our busy schedule explaining them?

[Sushil-Sadhnani-17]

@sakthisanthosh010303 @MahmoudBayoumi19 I tried to reproduce the issue and you are right if user is inactive we should get "User inactive or deleted." but we get "Invalid username/password." instead. I found what the problem is actually DRF's BasicAuthentication uses Django's authenticate function which requires AUTHENTICATION_BACKENDS which by default is ['django.conrib.auth.backends.ModelBackend'] and you will find in ModelBackend there is authenticate function which before returning user instance checks if user is active. So, to solve your problem you just have to override this class.

Make a new file in user named backends.py

from django.contrib.auth.backends import ModelBackend

class CustomBackend(ModelBackend):
    def authenticate(self, request, username=None, password=None, **kwargs):
        UserModel = get_user_model()
        if username is None:
            username = kwargs.get(UserModel.USERNAME_FIELD)
        if username is None or password is None:
            return
        try:
            user = UserModel._default_manager.get_by_natural_key(username)
        except UserModel.DoesNotExist:
            # Run the default password hasher once to reduce the timing
            # difference between an existing and a nonexistent user (#20760).
            UserModel().set_password(password)
        else:
            if user.check_password(password):
                return user

and in settings.py add line
AUTHENTICATION_BACKENDS = ['user.backends.CustomBackend']

I think it will do the work. You will get "User inactive or deleted." in case of inactive user.

[MahmoudBayoumi19]

@Sushil-Sadhnani-17 thanks for your help

[apachex692]

Thank you for the answer. It helped a lot. As an update, I would like to suggest that the code can even be compressed further by using the AllowAllUserModelBackend. The implementation is as follows:

from django.contrib.auth.backends import AllowAllUsersModelBackend


class CustomAuthBackend(AllowAllUsersModelBackend):
    pass

PS: Note that this fixes the ModelBackend issue. However, BasicAuthentication still checks for is_active field and hence class' authentication method has to be overridden.

[apachex692]

Thank you community for all the support provided. I'll close this discussion now.